Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1 | ---------------------- |
Willy Tarreau | 8317b28 | 2014-04-23 01:49:41 +0200 | [diff] [blame] | 2 | HAProxy |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 3 | Configuration Manual |
| 4 | ---------------------- |
Willy Tarreau | 9dc6b97 | 2019-06-16 21:49:47 +0200 | [diff] [blame] | 5 | version 2.1 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 6 | willy tarreau |
Willy Tarreau | 8468132 | 2019-11-15 18:49:37 +0100 | [diff] [blame] | 7 | 2019/11/15 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 8 | |
| 9 | |
| 10 | This document covers the configuration language as implemented in the version |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 11 | specified above. It does not provide any hints, examples, or advice. For such |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 12 | documentation, please refer to the Reference Manual or the Architecture Manual. |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 13 | The summary below is meant to help you find sections by name and navigate |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 14 | through the document. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 15 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 16 | Note to documentation contributors : |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 17 | This document is formatted with 80 columns per line, with even number of |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 18 | spaces for indentation and without tabs. Please follow these rules strictly |
| 19 | so that it remains easily printable everywhere. If a line needs to be |
| 20 | printed verbatim and does not fit, please end each line with a backslash |
Willy Tarreau | 62a36c4 | 2010-08-17 15:53:10 +0200 | [diff] [blame] | 21 | ('\') and continue on next line, indented by two characters. It is also |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 22 | sometimes useful to prefix all output lines (logs, console outputs) with 3 |
| 23 | closing angle brackets ('>>>') in order to emphasize the difference between |
| 24 | inputs and outputs when they may be ambiguous. If you add sections, |
Willy Tarreau | 62a36c4 | 2010-08-17 15:53:10 +0200 | [diff] [blame] | 25 | please update the summary below for easier searching. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 26 | |
| 27 | |
| 28 | Summary |
| 29 | ------- |
| 30 | |
| 31 | 1. Quick reminder about HTTP |
| 32 | 1.1. The HTTP transaction model |
| 33 | 1.2. HTTP request |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 34 | 1.2.1. The request line |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 35 | 1.2.2. The request headers |
| 36 | 1.3. HTTP response |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 37 | 1.3.1. The response line |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 38 | 1.3.2. The response headers |
| 39 | |
| 40 | 2. Configuring HAProxy |
| 41 | 2.1. Configuration file format |
William Lallemand | f9873ba | 2015-05-05 17:37:14 +0200 | [diff] [blame] | 42 | 2.2. Quoting and escaping |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 43 | 2.3. Environment variables |
| 44 | 2.4. Time format |
| 45 | 2.5. Examples |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 46 | |
| 47 | 3. Global parameters |
| 48 | 3.1. Process management and security |
| 49 | 3.2. Performance tuning |
| 50 | 3.3. Debugging |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 51 | 3.4. Userlists |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 52 | 3.5. Peers |
Cyril Bonté | 307ee1e | 2015-09-28 23:16:06 +0200 | [diff] [blame] | 53 | 3.6. Mailers |
William Lallemand | c951552 | 2019-06-12 16:32:11 +0200 | [diff] [blame] | 54 | 3.7. Programs |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 55 | |
| 56 | 4. Proxies |
| 57 | 4.1. Proxy keywords matrix |
| 58 | 4.2. Alphabetically sorted keywords reference |
| 59 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 60 | 5. Bind and server options |
Willy Tarreau | 086fbf5 | 2012-09-24 20:34:51 +0200 | [diff] [blame] | 61 | 5.1. Bind options |
| 62 | 5.2. Server and default-server options |
Baptiste Assmann | 1fa6666 | 2015-04-14 00:28:47 +0200 | [diff] [blame] | 63 | 5.3. Server DNS resolution |
| 64 | 5.3.1. Global overview |
| 65 | 5.3.2. The resolvers section |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 66 | |
Willy Tarreau | 74ca504 | 2013-06-11 23:12:07 +0200 | [diff] [blame] | 67 | 7. Using ACLs and fetching samples |
| 68 | 7.1. ACL basics |
| 69 | 7.1.1. Matching booleans |
| 70 | 7.1.2. Matching integers |
| 71 | 7.1.3. Matching strings |
| 72 | 7.1.4. Matching regular expressions (regexes) |
| 73 | 7.1.5. Matching arbitrary data blocks |
| 74 | 7.1.6. Matching IPv4 and IPv6 addresses |
| 75 | 7.2. Using ACLs to form conditions |
| 76 | 7.3. Fetching samples |
Thierry FOURNIER | 060762e | 2014-04-23 13:29:15 +0200 | [diff] [blame] | 77 | 7.3.1. Converters |
| 78 | 7.3.2. Fetching samples from internal states |
| 79 | 7.3.3. Fetching samples at Layer 4 |
| 80 | 7.3.4. Fetching samples at Layer 5 |
| 81 | 7.3.5. Fetching samples from buffer contents (Layer 6) |
| 82 | 7.3.6. Fetching HTTP samples (Layer 7) |
Willy Tarreau | 74ca504 | 2013-06-11 23:12:07 +0200 | [diff] [blame] | 83 | 7.4. Pre-defined ACLs |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 84 | |
Christopher Faulet | 87f1f3d | 2019-07-18 14:51:20 +0200 | [diff] [blame] | 85 | 6. Cache |
| 86 | 6.1. Limitation |
| 87 | 6.2. Setup |
| 88 | 6.2.1. Cache section |
| 89 | 6.2.2. Proxy section |
| 90 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 91 | 8. Logging |
| 92 | 8.1. Log levels |
| 93 | 8.2. Log formats |
| 94 | 8.2.1. Default log format |
| 95 | 8.2.2. TCP log format |
| 96 | 8.2.3. HTTP log format |
William Lallemand | 4894040 | 2012-01-30 16:47:22 +0100 | [diff] [blame] | 97 | 8.2.4. Custom log format |
Willy Tarreau | 5f51e1a | 2012-12-03 18:40:10 +0100 | [diff] [blame] | 98 | 8.2.5. Error log format |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 99 | 8.3. Advanced logging options |
| 100 | 8.3.1. Disabling logging of external tests |
| 101 | 8.3.2. Logging before waiting for the session to terminate |
| 102 | 8.3.3. Raising log level upon errors |
| 103 | 8.3.4. Disabling logging of successful connections |
| 104 | 8.4. Timing events |
| 105 | 8.5. Session state at disconnection |
| 106 | 8.6. Non-printable characters |
| 107 | 8.7. Capturing HTTP cookies |
| 108 | 8.8. Capturing HTTP headers |
| 109 | 8.9. Examples of logs |
| 110 | |
Christopher Faulet | c3fe533 | 2016-04-07 15:30:10 +0200 | [diff] [blame] | 111 | 9. Supported filters |
| 112 | 9.1. Trace |
| 113 | 9.2. HTTP compression |
Christopher Faulet | f7e4e7e | 2016-10-27 22:29:49 +0200 | [diff] [blame] | 114 | 9.3. Stream Processing Offload Engine (SPOE) |
Christopher Faulet | 99a17a2 | 2018-12-11 09:18:27 +0100 | [diff] [blame] | 115 | 9.4. Cache |
Christopher Faulet | b30b310 | 2019-09-12 23:03:09 +0200 | [diff] [blame] | 116 | 9.5. fcgi-app |
Christopher Faulet | c3fe533 | 2016-04-07 15:30:10 +0200 | [diff] [blame] | 117 | |
Christopher Faulet | b30b310 | 2019-09-12 23:03:09 +0200 | [diff] [blame] | 118 | 10. FastCGI applications |
| 119 | 10.1. Setup |
| 120 | 10.1.1. Fcgi-app section |
| 121 | 10.1.2. Proxy section |
| 122 | 10.1.3. Example |
| 123 | 10.2. Default parameters |
| 124 | 10.3. Limitations |
| 125 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 126 | |
| 127 | 1. Quick reminder about HTTP |
| 128 | ---------------------------- |
| 129 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 130 | When HAProxy is running in HTTP mode, both the request and the response are |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 131 | fully analyzed and indexed, thus it becomes possible to build matching criteria |
| 132 | on almost anything found in the contents. |
| 133 | |
| 134 | However, it is important to understand how HTTP requests and responses are |
| 135 | formed, and how HAProxy decomposes them. It will then become easier to write |
| 136 | correct rules and to debug existing configurations. |
| 137 | |
| 138 | |
| 139 | 1.1. The HTTP transaction model |
| 140 | ------------------------------- |
| 141 | |
| 142 | The HTTP protocol is transaction-driven. This means that each request will lead |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 143 | to one and only one response. Traditionally, a TCP connection is established |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 144 | from the client to the server, a request is sent by the client through the |
| 145 | connection, the server responds, and the connection is closed. A new request |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 146 | will involve a new connection : |
| 147 | |
| 148 | [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ... |
| 149 | |
| 150 | In this mode, called the "HTTP close" mode, there are as many connection |
| 151 | establishments as there are HTTP transactions. Since the connection is closed |
| 152 | by the server after the response, the client does not need to know the content |
| 153 | length. |
| 154 | |
| 155 | Due to the transactional nature of the protocol, it was possible to improve it |
| 156 | to avoid closing a connection between two subsequent transactions. In this mode |
| 157 | however, it is mandatory that the server indicates the content length for each |
| 158 | response so that the client does not wait indefinitely. For this, a special |
| 159 | header is used: "Content-length". This mode is called the "keep-alive" mode : |
| 160 | |
| 161 | [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ... |
| 162 | |
| 163 | Its advantages are a reduced latency between transactions, and less processing |
| 164 | power required on the server side. It is generally better than the close mode, |
| 165 | but not always because the clients often limit their concurrent connections to |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 166 | a smaller value. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 167 | |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 168 | Another improvement in the communications is the pipelining mode. It still uses |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 169 | keep-alive, but the client does not wait for the first response to send the |
| 170 | second request. This is useful for fetching large number of images composing a |
| 171 | page : |
| 172 | |
| 173 | [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ... |
| 174 | |
| 175 | This can obviously have a tremendous benefit on performance because the network |
| 176 | latency is eliminated between subsequent requests. Many HTTP agents do not |
| 177 | correctly support pipelining since there is no way to associate a response with |
| 178 | the corresponding request in HTTP. For this reason, it is mandatory for the |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 179 | server to reply in the exact same order as the requests were received. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 180 | |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 181 | The next improvement is the multiplexed mode, as implemented in HTTP/2. This |
| 182 | time, each transaction is assigned a single stream identifier, and all streams |
| 183 | are multiplexed over an existing connection. Many requests can be sent in |
| 184 | parallel by the client, and responses can arrive in any order since they also |
| 185 | carry the stream identifier. |
| 186 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 187 | By default HAProxy operates in keep-alive mode with regards to persistent |
| 188 | connections: for each connection it processes each request and response, and |
| 189 | leaves the connection idle on both sides between the end of a response and the |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 190 | start of a new request. When it receives HTTP/2 connections from a client, it |
| 191 | processes all the requests in parallel and leaves the connection idling, |
| 192 | waiting for new requests, just as if it was a keep-alive HTTP connection. |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 193 | |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 194 | HAProxy supports 4 connection modes : |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 195 | - keep alive : all requests and responses are processed (default) |
| 196 | - tunnel : only the first request and response are processed, |
Christopher Faulet | 6c9bbb2 | 2019-03-26 21:37:23 +0100 | [diff] [blame] | 197 | everything else is forwarded with no analysis (deprecated). |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 198 | - server close : the server-facing connection is closed after the response. |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 199 | - close : the connection is actively closed after end of response. |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 200 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 201 | For HTTP/2, the connection mode resembles more the "server close" mode : given |
| 202 | the independence of all streams, there is currently no place to hook the idle |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 203 | server connection after a response, so it is closed after the response. HTTP/2 |
| 204 | is only supported for incoming connections, not on connections going to |
| 205 | servers. |
| 206 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 207 | |
| 208 | 1.2. HTTP request |
| 209 | ----------------- |
| 210 | |
| 211 | First, let's consider this HTTP request : |
| 212 | |
| 213 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 214 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 215 | 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1 |
| 216 | 2 Host: www.mydomain.com |
| 217 | 3 User-agent: my small browser |
| 218 | 4 Accept: image/jpeg, image/gif |
| 219 | 5 Accept: image/png |
| 220 | |
| 221 | |
| 222 | 1.2.1. The Request line |
| 223 | ----------------------- |
| 224 | |
| 225 | Line 1 is the "request line". It is always composed of 3 fields : |
| 226 | |
| 227 | - a METHOD : GET |
| 228 | - a URI : /serv/login.php?lang=en&profile=2 |
| 229 | - a version tag : HTTP/1.1 |
| 230 | |
| 231 | All of them are delimited by what the standard calls LWS (linear white spaces), |
| 232 | which are commonly spaces, but can also be tabs or line feeds/carriage returns |
| 233 | followed by spaces/tabs. The method itself cannot contain any colon (':') and |
| 234 | is limited to alphabetic letters. All those various combinations make it |
| 235 | desirable that HAProxy performs the splitting itself rather than leaving it to |
| 236 | the user to write a complex or inaccurate regular expression. |
| 237 | |
| 238 | The URI itself can have several forms : |
| 239 | |
| 240 | - A "relative URI" : |
| 241 | |
| 242 | /serv/login.php?lang=en&profile=2 |
| 243 | |
| 244 | It is a complete URL without the host part. This is generally what is |
| 245 | received by servers, reverse proxies and transparent proxies. |
| 246 | |
| 247 | - An "absolute URI", also called a "URL" : |
| 248 | |
| 249 | http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 |
| 250 | |
| 251 | It is composed of a "scheme" (the protocol name followed by '://'), a host |
| 252 | name or address, optionally a colon (':') followed by a port number, then |
| 253 | a relative URI beginning at the first slash ('/') after the address part. |
| 254 | This is generally what proxies receive, but a server supporting HTTP/1.1 |
| 255 | must accept this form too. |
| 256 | |
| 257 | - a star ('*') : this form is only accepted in association with the OPTIONS |
| 258 | method and is not relayable. It is used to inquiry a next hop's |
| 259 | capabilities. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 260 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 261 | - an address:port combination : 192.168.0.12:80 |
| 262 | This is used with the CONNECT method, which is used to establish TCP |
| 263 | tunnels through HTTP proxies, generally for HTTPS, but sometimes for |
| 264 | other protocols too. |
| 265 | |
| 266 | In a relative URI, two sub-parts are identified. The part before the question |
| 267 | mark is called the "path". It is typically the relative path to static objects |
| 268 | on the server. The part after the question mark is called the "query string". |
| 269 | It is mostly used with GET requests sent to dynamic scripts and is very |
| 270 | specific to the language, framework or application in use. |
| 271 | |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 272 | HTTP/2 doesn't convey a version information with the request, so the version is |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 273 | assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2"). |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 274 | However, haproxy natively processes HTTP/1.x requests and headers, so requests |
| 275 | received over an HTTP/2 connection are transcoded to HTTP/1.1 before being |
| 276 | processed. This explains why they still appear as "HTTP/1.1" in haproxy's logs |
| 277 | as well as in server logs. |
| 278 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 279 | |
| 280 | 1.2.2. The request headers |
| 281 | -------------------------- |
| 282 | |
| 283 | The headers start at the second line. They are composed of a name at the |
| 284 | beginning of the line, immediately followed by a colon (':'). Traditionally, |
| 285 | an LWS is added after the colon but that's not required. Then come the values. |
| 286 | Multiple identical headers may be folded into one single line, delimiting the |
| 287 | values with commas, provided that their order is respected. This is commonly |
| 288 | encountered in the "Cookie:" field. A header may span over multiple lines if |
| 289 | the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5 |
| 290 | define a total of 3 values for the "Accept:" header. |
| 291 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 292 | Contrary to a common misconception, header names are not case-sensitive, and |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 293 | their values are not either if they refer to other header names (such as the |
Willy Tarreau | 95c4e14 | 2017-11-26 12:18:55 +0100 | [diff] [blame] | 294 | "Connection:" header). In HTTP/2, header names are always sent in lower case, |
| 295 | as can be seen when running in debug mode. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 296 | |
| 297 | The end of the headers is indicated by the first empty line. People often say |
| 298 | that it's a double line feed, which is not exact, even if a double line feed |
| 299 | is one valid form of empty line. |
| 300 | |
| 301 | Fortunately, HAProxy takes care of all these complex combinations when indexing |
| 302 | headers, checking values and counting them, so there is no reason to worry |
| 303 | about the way they could be written, but it is important not to accuse an |
| 304 | application of being buggy if it does unusual, valid things. |
| 305 | |
| 306 | Important note: |
Lukas Tribus | 2395368 | 2017-04-28 13:24:30 +0000 | [diff] [blame] | 307 | As suggested by RFC7231, HAProxy normalizes headers by replacing line breaks |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 308 | in the middle of headers by LWS in order to join multi-line headers. This |
| 309 | is necessary for proper analysis and helps less capable HTTP parsers to work |
| 310 | correctly and not to be fooled by such complex constructs. |
| 311 | |
| 312 | |
| 313 | 1.3. HTTP response |
| 314 | ------------------ |
| 315 | |
| 316 | An HTTP response looks very much like an HTTP request. Both are called HTTP |
| 317 | messages. Let's consider this HTTP response : |
| 318 | |
| 319 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 320 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 321 | 1 HTTP/1.1 200 OK |
| 322 | 2 Content-length: 350 |
| 323 | 3 Content-Type: text/html |
| 324 | |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 325 | As a special case, HTTP supports so called "Informational responses" as status |
| 326 | codes 1xx. These messages are special in that they don't convey any part of the |
| 327 | response, they're just used as sort of a signaling message to ask a client to |
Willy Tarreau | 5843d1a | 2010-02-01 15:13:32 +0100 | [diff] [blame] | 328 | continue to post its request for instance. In the case of a status 100 response |
| 329 | the requested information will be carried by the next non-100 response message |
| 330 | following the informational one. This implies that multiple responses may be |
| 331 | sent to a single request, and that this only works when keep-alive is enabled |
| 332 | (1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to |
| 333 | correctly forward and skip them, and only process the next non-100 response. As |
| 334 | such, these messages are neither logged nor transformed, unless explicitly |
| 335 | state otherwise. Status 101 messages indicate that the protocol is changing |
| 336 | over the same connection and that haproxy must switch to tunnel mode, just as |
| 337 | if a CONNECT had occurred. Then the Upgrade header would contain additional |
| 338 | information about the type of protocol the connection is switching to. |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 339 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 340 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 341 | 1.3.1. The response line |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 342 | ------------------------ |
| 343 | |
| 344 | Line 1 is the "response line". It is always composed of 3 fields : |
| 345 | |
| 346 | - a version tag : HTTP/1.1 |
| 347 | - a status code : 200 |
| 348 | - a reason : OK |
| 349 | |
| 350 | The status code is always 3-digit. The first digit indicates a general status : |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 351 | - 1xx = informational message to be skipped (e.g. 100, 101) |
| 352 | - 2xx = OK, content is following (e.g. 200, 206) |
| 353 | - 3xx = OK, no content following (e.g. 302, 304) |
| 354 | - 4xx = error caused by the client (e.g. 401, 403, 404) |
| 355 | - 5xx = error caused by the server (e.g. 500, 502, 503) |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 356 | |
Lukas Tribus | 2395368 | 2017-04-28 13:24:30 +0000 | [diff] [blame] | 357 | Please refer to RFC7231 for the detailed meaning of all such codes. The |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 358 | "reason" field is just a hint, but is not parsed by clients. Anything can be |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 359 | found there, but it's a common practice to respect the well-established |
| 360 | messages. It can be composed of one or multiple words, such as "OK", "Found", |
| 361 | or "Authentication Required". |
| 362 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 363 | HAProxy may emit the following status codes by itself : |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 364 | |
| 365 | Code When / reason |
| 366 | 200 access to stats page, and when replying to monitoring requests |
| 367 | 301 when performing a redirection, depending on the configured code |
| 368 | 302 when performing a redirection, depending on the configured code |
| 369 | 303 when performing a redirection, depending on the configured code |
Willy Tarreau | b67fdc4 | 2013-03-29 19:28:11 +0100 | [diff] [blame] | 370 | 307 when performing a redirection, depending on the configured code |
| 371 | 308 when performing a redirection, depending on the configured code |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 372 | 400 for an invalid or too large request |
| 373 | 401 when an authentication is required to perform the action (when |
| 374 | accessing the stats page) |
Christopher Faulet | 87f1f3d | 2019-07-18 14:51:20 +0200 | [diff] [blame] | 375 | 403 when a request is forbidden by a "http-request deny" rule |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 376 | 408 when the request timeout strikes before the request is complete |
| 377 | 500 when haproxy encounters an unrecoverable internal error, such as a |
| 378 | memory allocation failure, which should never happen |
| 379 | 502 when the server returns an empty, invalid or incomplete response, or |
Christopher Faulet | 87f1f3d | 2019-07-18 14:51:20 +0200 | [diff] [blame] | 380 | when an "http-response deny" rule blocks the response. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 381 | 503 when no server was available to handle the request, or in response to |
| 382 | monitoring requests which match the "monitor fail" condition |
| 383 | 504 when the response timeout strikes before the server responds |
| 384 | |
| 385 | The error 4xx and 5xx codes above may be customized (see "errorloc" in section |
| 386 | 4.2). |
| 387 | |
| 388 | |
| 389 | 1.3.2. The response headers |
| 390 | --------------------------- |
| 391 | |
| 392 | Response headers work exactly like request headers, and as such, HAProxy uses |
| 393 | the same parsing function for both. Please refer to paragraph 1.2.2 for more |
| 394 | details. |
| 395 | |
| 396 | |
| 397 | 2. Configuring HAProxy |
| 398 | ---------------------- |
| 399 | |
| 400 | 2.1. Configuration file format |
| 401 | ------------------------------ |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 402 | |
| 403 | HAProxy's configuration process involves 3 major sources of parameters : |
| 404 | |
| 405 | - the arguments from the command-line, which always take precedence |
| 406 | - the "global" section, which sets process-wide parameters |
| 407 | - the proxies sections which can take form of "defaults", "listen", |
| 408 | "frontend" and "backend". |
| 409 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 410 | The configuration file syntax consists in lines beginning with a keyword |
| 411 | referenced in this manual, optionally followed by one or several parameters |
William Lallemand | f9873ba | 2015-05-05 17:37:14 +0200 | [diff] [blame] | 412 | delimited by spaces. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 413 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 414 | |
William Lallemand | f9873ba | 2015-05-05 17:37:14 +0200 | [diff] [blame] | 415 | 2.2. Quoting and escaping |
| 416 | ------------------------- |
| 417 | |
| 418 | HAProxy's configuration introduces a quoting and escaping system similar to |
| 419 | many programming languages. The configuration file supports 3 types: escaping |
| 420 | with a backslash, weak quoting with double quotes, and strong quoting with |
| 421 | single quotes. |
| 422 | |
| 423 | If spaces have to be entered in strings, then they must be escaped by preceding |
| 424 | them by a backslash ('\') or by quoting them. Backslashes also have to be |
| 425 | escaped by doubling or strong quoting them. |
| 426 | |
| 427 | Escaping is achieved by preceding a special character by a backslash ('\'): |
| 428 | |
| 429 | \ to mark a space and differentiate it from a delimiter |
| 430 | \# to mark a hash and differentiate it from a comment |
| 431 | \\ to use a backslash |
| 432 | \' to use a single quote and differentiate it from strong quoting |
| 433 | \" to use a double quote and differentiate it from weak quoting |
| 434 | |
| 435 | Weak quoting is achieved by using double quotes (""). Weak quoting prevents |
| 436 | the interpretation of: |
| 437 | |
| 438 | space as a parameter separator |
| 439 | ' single quote as a strong quoting delimiter |
| 440 | # hash as a comment start |
| 441 | |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 442 | Weak quoting permits the interpretation of variables, if you want to use a non |
| 443 | -interpreted dollar within a double quoted string, you should escape it with a |
| 444 | backslash ("\$"), it does not work outside weak quoting. |
| 445 | |
| 446 | Interpretation of escaping and special characters are not prevented by weak |
William Lallemand | f9873ba | 2015-05-05 17:37:14 +0200 | [diff] [blame] | 447 | quoting. |
| 448 | |
| 449 | Strong quoting is achieved by using single quotes (''). Inside single quotes, |
| 450 | nothing is interpreted, it's the efficient way to quote regexes. |
| 451 | |
| 452 | Quoted and escaped strings are replaced in memory by their interpreted |
| 453 | equivalent, it allows you to perform concatenation. |
| 454 | |
| 455 | Example: |
| 456 | # those are equivalents: |
| 457 | log-format %{+Q}o\ %t\ %s\ %{-Q}r |
| 458 | log-format "%{+Q}o %t %s %{-Q}r" |
| 459 | log-format '%{+Q}o %t %s %{-Q}r' |
| 460 | log-format "%{+Q}o %t"' %s %{-Q}r' |
| 461 | log-format "%{+Q}o %t"' %s'\ %{-Q}r |
| 462 | |
| 463 | # those are equivalents: |
| 464 | reqrep "^([^\ :]*)\ /static/(.*)" \1\ /\2 |
| 465 | reqrep "^([^ :]*)\ /static/(.*)" '\1 /\2' |
| 466 | reqrep "^([^ :]*)\ /static/(.*)" "\1 /\2" |
| 467 | reqrep "^([^ :]*)\ /static/(.*)" "\1\ /\2" |
| 468 | |
| 469 | |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 470 | 2.3. Environment variables |
| 471 | -------------------------- |
| 472 | |
| 473 | HAProxy's configuration supports environment variables. Those variables are |
| 474 | interpreted only within double quotes. Variables are expanded during the |
| 475 | configuration parsing. Variable names must be preceded by a dollar ("$") and |
| 476 | optionally enclosed with braces ("{}") similarly to what is done in Bourne |
| 477 | shell. Variable names can contain alphanumerical characters or the character |
| 478 | underscore ("_") but should not start with a digit. |
| 479 | |
| 480 | Example: |
| 481 | |
| 482 | bind "fd@${FD_APP1}" |
| 483 | |
| 484 | log "${LOCAL_SYSLOG}:514" local0 notice # send to local server |
| 485 | |
| 486 | user "$HAPROXY_USER" |
| 487 | |
William Lallemand | 4d03e43 | 2019-06-14 15:35:37 +0200 | [diff] [blame] | 488 | Some variables are defined by HAProxy, they can be used in the configuration |
| 489 | file, or could be inherited by a program (See 3.7. Programs): |
William Lallemand | daf4cd2 | 2018-04-17 16:46:13 +0200 | [diff] [blame] | 490 | |
William Lallemand | 4d03e43 | 2019-06-14 15:35:37 +0200 | [diff] [blame] | 491 | * HAPROXY_LOCALPEER: defined at the startup of the process which contains the |
| 492 | name of the local peer. (See "-L" in the management guide.) |
| 493 | |
| 494 | * HAPROXY_CFGFILES: list of the configuration files loaded by HAProxy, |
| 495 | separated by semicolons. Can be useful in the case you specified a |
| 496 | directory. |
| 497 | |
| 498 | * HAPROXY_MWORKER: In master-worker mode, this variable is set to 1. |
| 499 | |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 500 | * HAPROXY_CLI: configured listeners addresses of the stats socket for every |
William Lallemand | 4d03e43 | 2019-06-14 15:35:37 +0200 | [diff] [blame] | 501 | processes, separated by semicolons. |
| 502 | |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 503 | * HAPROXY_MASTER_CLI: In master-worker mode, listeners addresses of the master |
William Lallemand | 4d03e43 | 2019-06-14 15:35:37 +0200 | [diff] [blame] | 504 | CLI, separated by semicolons. |
| 505 | |
| 506 | See also "external-check command" for other variables. |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 507 | |
| 508 | 2.4. Time format |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 509 | ---------------- |
| 510 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 511 | Some parameters involve values representing time, such as timeouts. These |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 512 | values are generally expressed in milliseconds (unless explicitly stated |
| 513 | otherwise) but may be expressed in any other unit by suffixing the unit to the |
| 514 | numeric value. It is important to consider this because it will not be repeated |
| 515 | for every keyword. Supported units are : |
| 516 | |
| 517 | - us : microseconds. 1 microsecond = 1/1000000 second |
| 518 | - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default. |
| 519 | - s : seconds. 1s = 1000ms |
| 520 | - m : minutes. 1m = 60s = 60000ms |
| 521 | - h : hours. 1h = 60m = 3600s = 3600000ms |
| 522 | - d : days. 1d = 24h = 1440m = 86400s = 86400000ms |
| 523 | |
| 524 | |
Lukas Tribus | aa83a31 | 2017-03-21 09:25:09 +0000 | [diff] [blame] | 525 | 2.5. Examples |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 526 | ------------- |
| 527 | |
| 528 | # Simple configuration for an HTTP proxy listening on port 80 on all |
| 529 | # interfaces and forwarding requests to a single backend "servers" with a |
| 530 | # single server "server1" listening on 127.0.0.1:8000 |
| 531 | global |
| 532 | daemon |
| 533 | maxconn 256 |
| 534 | |
| 535 | defaults |
| 536 | mode http |
| 537 | timeout connect 5000ms |
| 538 | timeout client 50000ms |
| 539 | timeout server 50000ms |
| 540 | |
| 541 | frontend http-in |
| 542 | bind *:80 |
| 543 | default_backend servers |
| 544 | |
| 545 | backend servers |
| 546 | server server1 127.0.0.1:8000 maxconn 32 |
| 547 | |
| 548 | |
| 549 | # The same configuration defined with a single listen block. Shorter but |
| 550 | # less expressive, especially in HTTP mode. |
| 551 | global |
| 552 | daemon |
| 553 | maxconn 256 |
| 554 | |
| 555 | defaults |
| 556 | mode http |
| 557 | timeout connect 5000ms |
| 558 | timeout client 50000ms |
| 559 | timeout server 50000ms |
| 560 | |
| 561 | listen http-in |
| 562 | bind *:80 |
| 563 | server server1 127.0.0.1:8000 maxconn 32 |
| 564 | |
| 565 | |
| 566 | Assuming haproxy is in $PATH, test these configurations in a shell with: |
| 567 | |
Willy Tarreau | ccb289d | 2010-12-11 20:19:38 +0100 | [diff] [blame] | 568 | $ sudo haproxy -f configuration.conf -c |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 569 | |
| 570 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 571 | 3. Global parameters |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 572 | -------------------- |
| 573 | |
| 574 | Parameters in the "global" section are process-wide and often OS-specific. They |
| 575 | are generally set once for all and do not need being changed once correct. Some |
| 576 | of them have command-line equivalents. |
| 577 | |
| 578 | The following keywords are supported in the "global" section : |
| 579 | |
| 580 | * Process management and security |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 581 | - ca-base |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 582 | - chroot |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 583 | - crt-base |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 584 | - cpu-map |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 585 | - daemon |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 586 | - description |
| 587 | - deviceatlas-json-file |
| 588 | - deviceatlas-log-level |
| 589 | - deviceatlas-separator |
| 590 | - deviceatlas-properties-cookie |
Simon Horman | 98637e5 | 2014-06-20 12:30:16 +0900 | [diff] [blame] | 591 | - external-check |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 592 | - gid |
| 593 | - group |
Cyril Bonté | 203ec5a | 2017-03-23 22:44:13 +0100 | [diff] [blame] | 594 | - hard-stop-after |
Christopher Faulet | 98fbe95 | 2019-07-22 16:18:24 +0200 | [diff] [blame] | 595 | - h1-case-adjust |
| 596 | - h1-case-adjust-file |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 597 | - log |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 598 | - log-tag |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 599 | - log-send-hostname |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 600 | - lua-load |
William Lallemand | 27edc4b | 2019-05-07 17:49:33 +0200 | [diff] [blame] | 601 | - mworker-max-reloads |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 602 | - nbproc |
Christopher Faulet | be0faa2 | 2017-08-29 15:37:10 +0200 | [diff] [blame] | 603 | - nbthread |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 604 | - node |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 605 | - pidfile |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 606 | - presetenv |
| 607 | - resetenv |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 608 | - uid |
| 609 | - ulimit-n |
| 610 | - user |
Willy Tarreau | 636848a | 2019-04-15 19:38:50 +0200 | [diff] [blame] | 611 | - set-dumpable |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 612 | - setenv |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 613 | - stats |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 614 | - ssl-default-bind-ciphers |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 615 | - ssl-default-bind-ciphersuites |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 616 | - ssl-default-bind-options |
| 617 | - ssl-default-server-ciphers |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 618 | - ssl-default-server-ciphersuites |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 619 | - ssl-default-server-options |
| 620 | - ssl-dh-param-file |
Emeric Brun | 850efd5 | 2014-01-29 12:24:34 +0100 | [diff] [blame] | 621 | - ssl-server-verify |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 622 | - unix-bind |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 623 | - unsetenv |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 624 | - 51degrees-data-file |
| 625 | - 51degrees-property-name-list |
Dragan Dosen | 93b38d9 | 2015-06-29 16:43:25 +0200 | [diff] [blame] | 626 | - 51degrees-property-separator |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 627 | - 51degrees-cache-size |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 628 | - wurfl-data-file |
| 629 | - wurfl-information-list |
| 630 | - wurfl-information-list-separator |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 631 | - wurfl-cache-size |
William Dauchy | 0fec3ab | 2019-10-27 20:08:11 +0100 | [diff] [blame] | 632 | - strict-limits |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 633 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 634 | * Performance tuning |
William Dauchy | 0a8824f | 2019-10-27 20:08:09 +0100 | [diff] [blame] | 635 | - busy-polling |
Willy Tarreau | 1746eec | 2014-04-25 10:46:47 +0200 | [diff] [blame] | 636 | - max-spread-checks |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 637 | - maxconn |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 638 | - maxconnrate |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 639 | - maxcomprate |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 640 | - maxcompcpuusage |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 641 | - maxpipes |
Willy Tarreau | 93e7c00 | 2013-10-07 18:51:07 +0200 | [diff] [blame] | 642 | - maxsessrate |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 643 | - maxsslconn |
Willy Tarreau | e43d532 | 2013-10-07 20:01:52 +0200 | [diff] [blame] | 644 | - maxsslrate |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 645 | - maxzlibmem |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 646 | - noepoll |
| 647 | - nokqueue |
Emmanuel Hocdet | 0ba4f48 | 2019-04-08 16:53:32 +0000 | [diff] [blame] | 648 | - noevports |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 649 | - nopoll |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 650 | - nosplice |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 651 | - nogetaddrinfo |
Lukas Tribus | a0bcbdc | 2016-09-12 21:42:20 +0000 | [diff] [blame] | 652 | - noreuseport |
Willy Tarreau | 75c62c2 | 2018-11-22 11:02:09 +0100 | [diff] [blame] | 653 | - profiling.tasks |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 654 | - spread-checks |
Baptiste Assmann | 5626f48 | 2015-08-23 10:00:10 +0200 | [diff] [blame] | 655 | - server-state-base |
Baptiste Assmann | ef1f0fc | 2015-08-23 10:06:39 +0200 | [diff] [blame] | 656 | - server-state-file |
Grant Zhang | 872f9c2 | 2017-01-21 01:10:18 +0000 | [diff] [blame] | 657 | - ssl-engine |
Grant Zhang | fa6c7ee | 2017-01-14 01:42:15 +0000 | [diff] [blame] | 658 | - ssl-mode-async |
Baptiste Assmann | 3493d0f | 2015-10-12 20:21:23 +0200 | [diff] [blame] | 659 | - tune.buffers.limit |
| 660 | - tune.buffers.reserve |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 661 | - tune.bufsize |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 662 | - tune.chksize |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 663 | - tune.comp.maxlevel |
Willy Tarreau | fe20e5b | 2017-07-27 11:42:14 +0200 | [diff] [blame] | 664 | - tune.h2.header-table-size |
Willy Tarreau | e6baec0 | 2017-07-27 11:45:11 +0200 | [diff] [blame] | 665 | - tune.h2.initial-window-size |
Willy Tarreau | 5242ef8 | 2017-07-27 11:47:28 +0200 | [diff] [blame] | 666 | - tune.h2.max-concurrent-streams |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 667 | - tune.http.cookielen |
Stéphane Cottin | 23e9e93 | 2017-05-18 08:58:41 +0200 | [diff] [blame] | 668 | - tune.http.logurilen |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 669 | - tune.http.maxhdr |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 670 | - tune.idletimer |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 671 | - tune.lua.forced-yield |
Willy Tarreau | 32f61e2 | 2015-03-18 17:54:59 +0100 | [diff] [blame] | 672 | - tune.lua.maxmem |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 673 | - tune.lua.session-timeout |
| 674 | - tune.lua.task-timeout |
Thierry FOURNIER | 7dd784b | 2015-10-01 14:49:33 +0200 | [diff] [blame] | 675 | - tune.lua.service-timeout |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 676 | - tune.maxaccept |
| 677 | - tune.maxpollevents |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 678 | - tune.maxrewrite |
Willy Tarreau | f3045d2 | 2015-04-29 16:24:50 +0200 | [diff] [blame] | 679 | - tune.pattern.cache-size |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 680 | - tune.pipesize |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 681 | - tune.rcvbuf.client |
| 682 | - tune.rcvbuf.server |
Willy Tarreau | b22fc30 | 2015-12-14 12:04:35 +0100 | [diff] [blame] | 683 | - tune.recv_enough |
Olivier Houchard | 1599b80 | 2018-05-24 18:59:04 +0200 | [diff] [blame] | 684 | - tune.runqueue-depth |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 685 | - tune.sndbuf.client |
| 686 | - tune.sndbuf.server |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 687 | - tune.ssl.cachesize |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 688 | - tune.ssl.lifetime |
Emeric Brun | 8dc6039 | 2014-05-09 13:52:00 +0200 | [diff] [blame] | 689 | - tune.ssl.force-private-cache |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 690 | - tune.ssl.maxrecord |
Remi Gacogne | f46cd6e | 2014-06-12 14:58:40 +0200 | [diff] [blame] | 691 | - tune.ssl.default-dh-param |
Christopher Faulet | 31af49d | 2015-06-09 17:29:50 +0200 | [diff] [blame] | 692 | - tune.ssl.ssl-ctx-cache-size |
Thierry FOURNIER | 5bf7732 | 2017-02-25 12:45:22 +0100 | [diff] [blame] | 693 | - tune.ssl.capture-cipherlist-size |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 694 | - tune.vars.global-max-size |
Christopher Faulet | ff2613e | 2016-11-09 11:36:17 +0100 | [diff] [blame] | 695 | - tune.vars.proc-max-size |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 696 | - tune.vars.reqres-max-size |
| 697 | - tune.vars.sess-max-size |
| 698 | - tune.vars.txn-max-size |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 699 | - tune.zlib.memlevel |
| 700 | - tune.zlib.windowsize |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 701 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 702 | * Debugging |
| 703 | - debug |
| 704 | - quiet |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 705 | |
| 706 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 707 | 3.1. Process management and security |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 708 | ------------------------------------ |
| 709 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 710 | ca-base <dir> |
| 711 | Assigns a default directory to fetch SSL CA certificates and CRLs from when a |
Emeric Brun | fd33a26 | 2012-10-11 16:28:27 +0200 | [diff] [blame] | 712 | relative path is used with "ca-file" or "crl-file" directives. Absolute |
| 713 | locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base". |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 714 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 715 | chroot <jail dir> |
| 716 | Changes current directory to <jail dir> and performs a chroot() there before |
| 717 | dropping privileges. This increases the security level in case an unknown |
| 718 | vulnerability would be exploited, since it would make it very hard for the |
| 719 | attacker to exploit the system. This only works when the process is started |
| 720 | with superuser privileges. It is important to ensure that <jail_dir> is both |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 721 | empty and non-writable to anyone. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 722 | |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 723 | cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>... |
| 724 | On Linux 2.6 and above, it is possible to bind a process or a thread to a |
| 725 | specific CPU set. This means that the process or the thread will never run on |
| 726 | other CPUs. The "cpu-map" directive specifies CPU sets for process or thread |
| 727 | sets. The first argument is a process set, eventually followed by a thread |
| 728 | set. These sets have the format |
| 729 | |
| 730 | all | odd | even | number[-[number]] |
| 731 | |
| 732 | <number>> must be a number between 1 and 32 or 64, depending on the machine's |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 733 | word size. Any process IDs above nbproc and any thread IDs above nbthread are |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 734 | ignored. It is possible to specify a range with two such number delimited by |
| 735 | a dash ('-'). It also is possible to specify all processes at once using |
Christopher Faulet | 1dcb9cb | 2017-11-22 10:24:40 +0100 | [diff] [blame] | 736 | "all", only odd numbers using "odd" or even numbers using "even", just like |
| 737 | with the "bind-process" directive. The second and forthcoming arguments are |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 738 | CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a |
Christopher Faulet | 1dcb9cb | 2017-11-22 10:24:40 +0100 | [diff] [blame] | 739 | range with two such numbers delimited by a dash ('-'). Multiple CPU numbers |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 740 | or ranges may be specified, and the processes or threads will be allowed to |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 741 | bind to all of them. Obviously, multiple "cpu-map" directives may be |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 742 | specified. Each "cpu-map" directive will replace the previous ones when they |
| 743 | overlap. A thread will be bound on the intersection of its mapping and the |
| 744 | one of the process on which it is attached. If the intersection is null, no |
| 745 | specific binding will be set for the thread. |
Willy Tarreau | fc6c032 | 2012-11-16 16:12:27 +0100 | [diff] [blame] | 746 | |
Christopher Faulet | ff4121f | 2017-11-22 16:38:49 +0100 | [diff] [blame] | 747 | Ranges can be partially defined. The higher bound can be omitted. In such |
| 748 | case, it is replaced by the corresponding maximum value, 32 or 64 depending |
| 749 | on the machine's word size. |
| 750 | |
Christopher Faulet | 26028f6 | 2017-11-22 15:01:51 +0100 | [diff] [blame] | 751 | The prefix "auto:" can be added before the process set to let HAProxy |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 752 | automatically bind a process or a thread to a CPU by incrementing |
| 753 | process/thread and CPU sets. To be valid, both sets must have the same |
| 754 | size. No matter the declaration order of the CPU sets, it will be bound from |
| 755 | the lowest to the highest bound. Having a process and a thread range with the |
| 756 | "auto:" prefix is not supported. Only one range is supported, the other one |
| 757 | must be a fixed number. |
Christopher Faulet | 26028f6 | 2017-11-22 15:01:51 +0100 | [diff] [blame] | 758 | |
| 759 | Examples: |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 760 | cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs |
| 761 | |
| 762 | cpu-map 1/all 0-3 # bind all threads of the first process on the |
| 763 | # first 4 CPUs |
| 764 | |
| 765 | cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63" |
| 766 | # or "cpu-map 1-32 0-31" depending on the machine's |
| 767 | # word size. |
| 768 | |
Christopher Faulet | 26028f6 | 2017-11-22 15:01:51 +0100 | [diff] [blame] | 769 | # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1 |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 770 | # and so on. |
Christopher Faulet | 26028f6 | 2017-11-22 15:01:51 +0100 | [diff] [blame] | 771 | cpu-map auto:1-4 0-3 |
| 772 | cpu-map auto:1-4 0-1 2-3 |
| 773 | cpu-map auto:1-4 3 2 1 0 |
| 774 | |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 775 | # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1 |
| 776 | # and so on. |
| 777 | cpu-map auto:1/1-4 0-3 |
| 778 | cpu-map auto:1/1-4 0-1 2-3 |
| 779 | cpu-map auto:1/1-4 3 2 1 0 |
| 780 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 781 | # bind each process to exactly one CPU using all/odd/even keyword |
Christopher Faulet | 26028f6 | 2017-11-22 15:01:51 +0100 | [diff] [blame] | 782 | cpu-map auto:all 0-63 |
| 783 | cpu-map auto:even 0-31 |
| 784 | cpu-map auto:odd 32-63 |
| 785 | |
| 786 | # invalid cpu-map because process and CPU sets have different sizes. |
| 787 | cpu-map auto:1-4 0 # invalid |
| 788 | cpu-map auto:1 0-3 # invalid |
| 789 | |
Christopher Faulet | cb6a945 | 2017-11-22 16:50:41 +0100 | [diff] [blame] | 790 | # invalid cpu-map because automatic binding is used with a process range |
| 791 | # and a thread range. |
| 792 | cpu-map auto:all/all 0 # invalid |
| 793 | cpu-map auto:all/1-4 0 # invalid |
| 794 | cpu-map auto:1-4/all 0 # invalid |
| 795 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 796 | crt-base <dir> |
| 797 | Assigns a default directory to fetch SSL certificates from when a relative |
| 798 | path is used with "crtfile" directives. Absolute locations specified after |
| 799 | "crtfile" prevail and ignore "crt-base". |
| 800 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 801 | daemon |
| 802 | Makes the process fork into background. This is the recommended mode of |
| 803 | operation. It is equivalent to the command line "-D" argument. It can be |
Lukas Tribus | f46bf95 | 2017-11-21 12:39:34 +0100 | [diff] [blame] | 804 | disabled by the command line "-db" argument. This option is ignored in |
| 805 | systemd mode. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 806 | |
David Carlier | 8167f30 | 2015-06-01 13:50:06 +0200 | [diff] [blame] | 807 | deviceatlas-json-file <path> |
| 808 | Sets the path of the DeviceAtlas JSON data file to be loaded by the API. |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 809 | The path must be a valid JSON data file and accessible by HAProxy process. |
David Carlier | 8167f30 | 2015-06-01 13:50:06 +0200 | [diff] [blame] | 810 | |
| 811 | deviceatlas-log-level <value> |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 812 | Sets the level of information returned by the API. This directive is |
David Carlier | 8167f30 | 2015-06-01 13:50:06 +0200 | [diff] [blame] | 813 | optional and set to 0 by default if not set. |
| 814 | |
| 815 | deviceatlas-separator <char> |
| 816 | Sets the character separator for the API properties results. This directive |
| 817 | is optional and set to | by default if not set. |
| 818 | |
Cyril Bonté | 0306c4a | 2015-10-26 22:37:38 +0100 | [diff] [blame] | 819 | deviceatlas-properties-cookie <name> |
Cyril Bonté | 307ee1e | 2015-09-28 23:16:06 +0200 | [diff] [blame] | 820 | Sets the client cookie's name used for the detection if the DeviceAtlas |
| 821 | Client-side component was used during the request. This directive is optional |
| 822 | and set to DAPROPS by default if not set. |
David Carlier | 29b3ca3 | 2015-09-25 14:09:21 +0100 | [diff] [blame] | 823 | |
Simon Horman | 98637e5 | 2014-06-20 12:30:16 +0900 | [diff] [blame] | 824 | external-check |
| 825 | Allows the use of an external agent to perform health checks. |
| 826 | This is disabled by default as a security precaution. |
| 827 | See "option external-check". |
| 828 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 829 | gid <number> |
| 830 | Changes the process' group ID to <number>. It is recommended that the group |
| 831 | ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 832 | be started with a user belonging to this group, or with superuser privileges. |
Michael Scherer | ab012dd | 2013-01-12 18:35:19 +0100 | [diff] [blame] | 833 | Note that if haproxy is started from a user having supplementary groups, it |
| 834 | will only be able to drop these groups if started with superuser privileges. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 835 | See also "group" and "uid". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 836 | |
Cyril Bonté | 203ec5a | 2017-03-23 22:44:13 +0100 | [diff] [blame] | 837 | hard-stop-after <time> |
| 838 | Defines the maximum time allowed to perform a clean soft-stop. |
| 839 | |
| 840 | Arguments : |
| 841 | <time> is the maximum time (by default in milliseconds) for which the |
| 842 | instance will remain alive when a soft-stop is received via the |
| 843 | SIGUSR1 signal. |
| 844 | |
| 845 | This may be used to ensure that the instance will quit even if connections |
| 846 | remain opened during a soft-stop (for example with long timeouts for a proxy |
| 847 | in tcp mode). It applies both in TCP and HTTP mode. |
| 848 | |
| 849 | Example: |
| 850 | global |
| 851 | hard-stop-after 30s |
| 852 | |
Christopher Faulet | 98fbe95 | 2019-07-22 16:18:24 +0200 | [diff] [blame] | 853 | h1-case-adjust <from> <to> |
| 854 | Defines the case adjustment to apply, when enabled, to the header name |
| 855 | <from>, to change it to <to> before sending it to HTTP/1 clients or |
| 856 | servers. <from> must be in lower case, and <from> and <to> must not differ |
| 857 | except for their case. It may be repeated if several header names need to be |
| 858 | ajusted. Duplicate entries are not allowed. If a lot of header names have to |
| 859 | be adjusted, it might be more convenient to use "h1-case-adjust-file". |
| 860 | Please note that no transformation will be applied unless "option |
| 861 | h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is |
| 862 | specified in a proxy. |
| 863 | |
| 864 | There is no standard case for header names because, as stated in RFC7230, |
| 865 | they are case-insensitive. So applications must handle them in a case- |
| 866 | insensitive manner. But some bogus applications violate the standards and |
| 867 | erroneously rely on the cases most commonly used by browsers. This problem |
| 868 | becomes critical with HTTP/2 because all header names must be exchanged in |
| 869 | lower case, and HAProxy follows the same convention. All header names are |
| 870 | sent in lower case to clients and servers, regardless of the HTTP version. |
| 871 | |
| 872 | Applications which fail to properly process requests or responses may require |
| 873 | to temporarily use such workarounds to adjust header names sent to them for |
| 874 | the time it takes the application to be fixed. Please note that an |
| 875 | application which requires such workarounds might be vulnerable to content |
| 876 | smuggling attacks and must absolutely be fixed. |
| 877 | |
| 878 | Example: |
| 879 | global |
| 880 | h1-case-adjust content-length Content-Length |
| 881 | |
| 882 | See "h1-case-adjust-file", "option h1-case-adjust-bogus-client" and |
| 883 | "option h1-case-adjust-bogus-server". |
| 884 | |
| 885 | h1-case-adjust-file <hdrs-file> |
| 886 | Defines a file containing a list of key/value pairs used to adjust the case |
| 887 | of some header names before sending them to HTTP/1 clients or servers. The |
| 888 | file <hdrs-file> must contain 2 header names per line. The first one must be |
| 889 | in lower case and both must not differ except for their case. Lines which |
| 890 | start with '#' are ignored, just like empty lines. Leading and trailing tabs |
| 891 | and spaces are stripped. Duplicate entries are not allowed. Please note that |
| 892 | no transformation will be applied unless "option h1-case-adjust-bogus-client" |
| 893 | or "option h1-case-adjust-bogus-server" is specified in a proxy. |
| 894 | |
| 895 | If this directive is repeated, only the last one will be processed. It is an |
| 896 | alternative to the directive "h1-case-adjust" if a lot of header names need |
| 897 | to be adjusted. Please read the risks associated with using this. |
| 898 | |
| 899 | See "h1-case-adjust", "option h1-case-adjust-bogus-client" and |
| 900 | "option h1-case-adjust-bogus-server". |
| 901 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 902 | group <group name> |
| 903 | Similar to "gid" but uses the GID of group name <group name> from /etc/group. |
| 904 | See also "gid" and "user". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 905 | |
Frédéric Lécaille | d690dfa | 2019-04-25 10:52:17 +0200 | [diff] [blame] | 906 | log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>] |
| 907 | <facility> [max level [min level]] |
Cyril Bonté | 3e95487 | 2018-03-20 23:30:27 +0100 | [diff] [blame] | 908 | Adds a global syslog server. Several global servers can be defined. They |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 909 | will receive logs for starts and exits, as well as all logs from proxies |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 910 | configured with "log global". |
| 911 | |
| 912 | <address> can be one of: |
| 913 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 914 | - An IPv4 address optionally followed by a colon and a UDP port. If |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 915 | no port is specified, 514 is used by default (the standard syslog |
| 916 | port). |
| 917 | |
David du Colombier | 24bb5f5 | 2011-03-17 10:40:23 +0100 | [diff] [blame] | 918 | - An IPv6 address followed by a colon and optionally a UDP port. If |
| 919 | no port is specified, 514 is used by default (the standard syslog |
| 920 | port). |
| 921 | |
Willy Tarreau | 5a32ecc | 2018-11-12 07:34:59 +0100 | [diff] [blame] | 922 | - A filesystem path to a datagram UNIX domain socket, keeping in mind |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 923 | considerations for chroot (be sure the path is accessible inside |
| 924 | the chroot) and uid/gid (be sure the path is appropriately |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 925 | writable). |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 926 | |
Willy Tarreau | 5a32ecc | 2018-11-12 07:34:59 +0100 | [diff] [blame] | 927 | - A file descriptor number in the form "fd@<number>", which may point |
| 928 | to a pipe, terminal, or socket. In this case unbuffered logs are used |
| 929 | and one writev() call per log is performed. This is a bit expensive |
| 930 | but acceptable for most workloads. Messages sent this way will not be |
| 931 | truncated but may be dropped, in which case the DroppedLogs counter |
| 932 | will be incremented. The writev() call is atomic even on pipes for |
| 933 | messages up to PIPE_BUF size, which POSIX recommends to be at least |
| 934 | 512 and which is 4096 bytes on most modern operating systems. Any |
| 935 | larger message may be interleaved with messages from other processes. |
| 936 | Exceptionally for debugging purposes the file descriptor may also be |
| 937 | directed to a file, but doing so will significantly slow haproxy down |
| 938 | as non-blocking calls will be ignored. Also there will be no way to |
| 939 | purge nor rotate this file without restarting the process. Note that |
| 940 | the configured syslog format is preserved, so the output is suitable |
Willy Tarreau | c1b0645 | 2018-11-12 11:57:56 +0100 | [diff] [blame] | 941 | for use with a TCP syslog server. See also the "short" and "raw" |
| 942 | format below. |
Willy Tarreau | 5a32ecc | 2018-11-12 07:34:59 +0100 | [diff] [blame] | 943 | |
| 944 | - "stdout" / "stderr", which are respectively aliases for "fd@1" and |
| 945 | "fd@2", see above. |
| 946 | |
Willy Tarreau | c046d16 | 2019-08-30 15:24:59 +0200 | [diff] [blame] | 947 | - A ring buffer in the form "ring@<name>", which will correspond to an |
| 948 | in-memory ring buffer accessible over the CLI using the "show events" |
| 949 | command, which will also list existing rings and their sizes. Such |
| 950 | buffers are lost on reload or restart but when used as a complement |
| 951 | this can help troubleshooting by having the logs instantly available. |
| 952 | |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 953 | You may want to reference some environment variables in the address |
| 954 | parameter, see section 2.3 about environment variables. |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 955 | |
Willy Tarreau | 18324f5 | 2014-06-27 18:10:07 +0200 | [diff] [blame] | 956 | <length> is an optional maximum line length. Log lines larger than this value |
| 957 | will be truncated before being sent. The reason is that syslog |
| 958 | servers act differently on log line length. All servers support the |
| 959 | default value of 1024, but some servers simply drop larger lines |
| 960 | while others do log them. If a server supports long lines, it may |
| 961 | make sense to set this value here in order to avoid truncating long |
| 962 | lines. Similarly, if a server drops long lines, it is preferable to |
| 963 | truncate them before sending them. Accepted values are 80 to 65535 |
| 964 | inclusive. The default value of 1024 is generally fine for all |
| 965 | standard usages. Some specific cases of long captures or |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 966 | JSON-formatted logs may require larger values. You may also need to |
| 967 | increase "tune.http.logurilen" if your request URIs are truncated. |
Willy Tarreau | 18324f5 | 2014-06-27 18:10:07 +0200 | [diff] [blame] | 968 | |
Dragan Dosen | 7ad3154 | 2015-09-28 17:16:47 +0200 | [diff] [blame] | 969 | <format> is the log format used when generating syslog messages. It may be |
| 970 | one of the following : |
| 971 | |
| 972 | rfc3164 The RFC3164 syslog message format. This is the default. |
| 973 | (https://tools.ietf.org/html/rfc3164) |
| 974 | |
| 975 | rfc5424 The RFC5424 syslog message format. |
| 976 | (https://tools.ietf.org/html/rfc5424) |
| 977 | |
Willy Tarreau | e8746a0 | 2018-11-12 08:45:00 +0100 | [diff] [blame] | 978 | short A message containing only a level between angle brackets such as |
| 979 | '<3>', followed by the text. The PID, date, time, process name |
| 980 | and system name are omitted. This is designed to be used with a |
| 981 | local log server. This format is compatible with what the systemd |
| 982 | logger consumes. |
| 983 | |
Willy Tarreau | c1b0645 | 2018-11-12 11:57:56 +0100 | [diff] [blame] | 984 | raw A message containing only the text. The level, PID, date, time, |
| 985 | process name and system name are omitted. This is designed to be |
| 986 | used in containers or during development, where the severity only |
| 987 | depends on the file descriptor used (stdout/stderr). |
| 988 | |
Frédéric Lécaille | d690dfa | 2019-04-25 10:52:17 +0200 | [diff] [blame] | 989 | <ranges> A list of comma-separated ranges to identify the logs to sample. |
| 990 | This is used to balance the load of the logs to send to the log |
| 991 | server. The limits of the ranges cannot be null. They are numbered |
| 992 | from 1. The size or period (in number of logs) of the sample must be |
| 993 | set with <sample_size> parameter. |
| 994 | |
| 995 | <sample_size> |
| 996 | The size of the sample in number of logs to consider when balancing |
| 997 | their logging loads. It is used to balance the load of the logs to |
| 998 | send to the syslog server. This size must be greater or equal to the |
| 999 | maximum of the high limits of the ranges. |
| 1000 | (see also <ranges> parameter). |
| 1001 | |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 1002 | <facility> must be one of the 24 standard syslog facilities : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1003 | |
Willy Tarreau | e8746a0 | 2018-11-12 08:45:00 +0100 | [diff] [blame] | 1004 | kern user mail daemon auth syslog lpr news |
| 1005 | uucp cron auth2 ftp ntp audit alert cron2 |
| 1006 | local0 local1 local2 local3 local4 local5 local6 local7 |
| 1007 | |
Willy Tarreau | c1b0645 | 2018-11-12 11:57:56 +0100 | [diff] [blame] | 1008 | Note that the facility is ignored for the "short" and "raw" |
| 1009 | formats, but still required as a positional field. It is |
| 1010 | recommended to use "daemon" in this case to make it clear that |
| 1011 | it's only supposed to be used locally. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1012 | |
| 1013 | An optional level can be specified to filter outgoing messages. By default, |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 1014 | all messages are sent. If a maximum level is specified, only messages with a |
| 1015 | severity at least as important as this level will be sent. An optional minimum |
| 1016 | level can be specified. If it is set, logs emitted with a more severe level |
| 1017 | than this one will be capped to this level. This is used to avoid sending |
| 1018 | "emerg" messages on all terminals on some default syslog configurations. |
| 1019 | Eight levels are known : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1020 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1021 | emerg alert crit err warning notice info debug |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1022 | |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 1023 | log-send-hostname [<string>] |
| 1024 | Sets the hostname field in the syslog header. If optional "string" parameter |
| 1025 | is set the header is set to the string contents, otherwise uses the hostname |
| 1026 | of the system. Generally used if one is not relaying logs through an |
| 1027 | intermediate syslog server or for simply customizing the hostname printed in |
| 1028 | the logs. |
| 1029 | |
Kevinm | 48936af | 2010-12-22 16:08:21 +0000 | [diff] [blame] | 1030 | log-tag <string> |
| 1031 | Sets the tag field in the syslog header to this string. It defaults to the |
| 1032 | program name as launched from the command line, which usually is "haproxy". |
| 1033 | Sometimes it can be useful to differentiate between multiple processes |
Willy Tarreau | 094af4e | 2015-01-07 15:03:42 +0100 | [diff] [blame] | 1034 | running on the same host. See also the per-proxy "log-tag" directive. |
Kevinm | 48936af | 2010-12-22 16:08:21 +0000 | [diff] [blame] | 1035 | |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1036 | lua-load <file> |
| 1037 | This global directive loads and executes a Lua file. This directive can be |
| 1038 | used multiple times. |
| 1039 | |
William Lallemand | 4cfede8 | 2017-11-24 22:02:34 +0100 | [diff] [blame] | 1040 | master-worker [no-exit-on-failure] |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 1041 | Master-worker mode. It is equivalent to the command line "-W" argument. |
| 1042 | This mode will launch a "master" which will monitor the "workers". Using |
| 1043 | this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1044 | the master. The master-worker mode is compatible either with the foreground |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 1045 | or daemon mode. It is recommended to use this mode with multiprocess and |
| 1046 | systemd. |
William Lallemand | 4cfede8 | 2017-11-24 22:02:34 +0100 | [diff] [blame] | 1047 | By default, if a worker exits with a bad return code, in the case of a |
| 1048 | segfault for example, all workers will be killed, and the master will leave. |
| 1049 | It is convenient to combine this behavior with Restart=on-failure in a |
| 1050 | systemd unit file in order to relaunch the whole process. If you don't want |
| 1051 | this behavior, you must use the keyword "no-exit-on-failure". |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 1052 | |
William Lallemand | 4cfede8 | 2017-11-24 22:02:34 +0100 | [diff] [blame] | 1053 | See also "-W" in the management guide. |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 1054 | |
William Lallemand | 27edc4b | 2019-05-07 17:49:33 +0200 | [diff] [blame] | 1055 | mworker-max-reloads <number> |
| 1056 | In master-worker mode, this option limits the number of time a worker can |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1057 | survive to a reload. If the worker did not leave after a reload, once its |
William Lallemand | 27edc4b | 2019-05-07 17:49:33 +0200 | [diff] [blame] | 1058 | number of reloads is greater than this number, the worker will receive a |
| 1059 | SIGTERM. This option helps to keep under control the number of workers. |
| 1060 | See also "show proc" in the Management Guide. |
| 1061 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1062 | nbproc <number> |
| 1063 | Creates <number> processes when going daemon. This requires the "daemon" |
| 1064 | mode. By default, only one process is created, which is the recommended mode |
| 1065 | of operation. For systems limited to small sets of file descriptors per |
Willy Tarreau | 149ab77 | 2019-01-26 14:27:06 +0100 | [diff] [blame] | 1066 | process, it may be needed to fork multiple daemons. When set to a value |
| 1067 | larger than 1, threads are automatically disabled. USING MULTIPLE PROCESSES |
Willy Tarreau | 1f672a8 | 2019-01-26 14:20:55 +0100 | [diff] [blame] | 1068 | IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and |
| 1069 | "nbthread". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1070 | |
Christopher Faulet | be0faa2 | 2017-08-29 15:37:10 +0200 | [diff] [blame] | 1071 | nbthread <number> |
| 1072 | This setting is only available when support for threads was built in. It |
Willy Tarreau | 26f6ae1 | 2019-02-02 12:56:15 +0100 | [diff] [blame] | 1073 | makes haproxy run on <number> threads. This is exclusive with "nbproc". While |
| 1074 | "nbproc" historically used to be the only way to use multiple processors, it |
| 1075 | also involved a number of shortcomings related to the lack of synchronization |
| 1076 | between processes (health-checks, peers, stick-tables, stats, ...) which do |
| 1077 | not affect threads. As such, any modern configuration is strongly encouraged |
Willy Tarreau | 149ab77 | 2019-01-26 14:27:06 +0100 | [diff] [blame] | 1078 | to migrate away from "nbproc" to "nbthread". "nbthread" also works when |
| 1079 | HAProxy is started in foreground. On some platforms supporting CPU affinity, |
| 1080 | when nbproc is not used, the default "nbthread" value is automatically set to |
| 1081 | the number of CPUs the process is bound to upon startup. This means that the |
| 1082 | thread count can easily be adjusted from the calling process using commands |
| 1083 | like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default |
| 1084 | value is reported in the output of "haproxy -vv". See also "nbproc". |
Christopher Faulet | be0faa2 | 2017-08-29 15:37:10 +0200 | [diff] [blame] | 1085 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1086 | pidfile <pidfile> |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1087 | Writes PIDs of all daemons into file <pidfile>. This option is equivalent to |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1088 | the "-p" command line argument. The file must be accessible to the user |
| 1089 | starting the process. See also "daemon". |
| 1090 | |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 1091 | presetenv <name> <value> |
| 1092 | Sets environment variable <name> to value <value>. If the variable exists, it |
| 1093 | is NOT overwritten. The changes immediately take effect so that the next line |
| 1094 | in the configuration file sees the new value. See also "setenv", "resetenv", |
| 1095 | and "unsetenv". |
| 1096 | |
| 1097 | resetenv [<name> ...] |
| 1098 | Removes all environment variables except the ones specified in argument. It |
| 1099 | allows to use a clean controlled environment before setting new values with |
| 1100 | setenv or unsetenv. Please note that some internal functions may make use of |
| 1101 | some environment variables, such as time manipulation functions, but also |
| 1102 | OpenSSL or even external checks. This must be used with extreme care and only |
| 1103 | after complete validation. The changes immediately take effect so that the |
| 1104 | next line in the configuration file sees the new environment. See also |
| 1105 | "setenv", "presetenv", and "unsetenv". |
| 1106 | |
Christopher Faulet | ff4121f | 2017-11-22 16:38:49 +0100 | [diff] [blame] | 1107 | stats bind-process [ all | odd | even | <process_num>[-[process_num>]] ] ... |
Willy Tarreau | 35b7b16 | 2012-10-22 23:17:18 +0200 | [diff] [blame] | 1108 | Limits the stats socket to a certain set of processes numbers. By default the |
| 1109 | stats socket is bound to all processes, causing a warning to be emitted when |
| 1110 | nbproc is greater than 1 because there is no way to select the target process |
| 1111 | when connecting. However, by using this setting, it becomes possible to pin |
| 1112 | the stats socket to a specific set of processes, typically the first one. The |
| 1113 | warning will automatically be disabled when this setting is used, whatever |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1114 | the number of processes used. The maximum process ID depends on the machine's |
Christopher Faulet | ff4121f | 2017-11-22 16:38:49 +0100 | [diff] [blame] | 1115 | word size (32 or 64). Ranges can be partially defined. The higher bound can |
| 1116 | be omitted. In such case, it is replaced by the corresponding maximum |
| 1117 | value. A better option consists in using the "process" setting of the "stats |
| 1118 | socket" line to force the process on each line. |
Willy Tarreau | 35b7b16 | 2012-10-22 23:17:18 +0200 | [diff] [blame] | 1119 | |
Baptiste Assmann | 5626f48 | 2015-08-23 10:00:10 +0200 | [diff] [blame] | 1120 | server-state-base <directory> |
| 1121 | Specifies the directory prefix to be prepended in front of all servers state |
Baptiste Assmann | 01c6cc3 | 2015-08-23 11:45:29 +0200 | [diff] [blame] | 1122 | file names which do not start with a '/'. See also "server-state-file", |
| 1123 | "load-server-state-from-file" and "server-state-file-name". |
Baptiste Assmann | ef1f0fc | 2015-08-23 10:06:39 +0200 | [diff] [blame] | 1124 | |
| 1125 | server-state-file <file> |
| 1126 | Specifies the path to the file containing state of servers. If the path starts |
| 1127 | with a slash ('/'), it is considered absolute, otherwise it is considered |
| 1128 | relative to the directory specified using "server-state-base" (if set) or to |
| 1129 | the current directory. Before reloading HAProxy, it is possible to save the |
| 1130 | servers' current state using the stats command "show servers state". The |
| 1131 | output of this command must be written in the file pointed by <file>. When |
| 1132 | starting up, before handling traffic, HAProxy will read, load and apply state |
| 1133 | for each server found in the file and available in its current running |
Baptiste Assmann | 01c6cc3 | 2015-08-23 11:45:29 +0200 | [diff] [blame] | 1134 | configuration. See also "server-state-base" and "show servers state", |
| 1135 | "load-server-state-from-file" and "server-state-file-name" |
Baptiste Assmann | 5626f48 | 2015-08-23 10:00:10 +0200 | [diff] [blame] | 1136 | |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 1137 | setenv <name> <value> |
| 1138 | Sets environment variable <name> to value <value>. If the variable exists, it |
| 1139 | is overwritten. The changes immediately take effect so that the next line in |
| 1140 | the configuration file sees the new value. See also "presetenv", "resetenv", |
| 1141 | and "unsetenv". |
| 1142 | |
Willy Tarreau | 636848a | 2019-04-15 19:38:50 +0200 | [diff] [blame] | 1143 | set-dumpable |
| 1144 | This option is better left disabled by default and enabled only upon a |
William Dauchy | ec73098 | 2019-10-27 20:08:10 +0100 | [diff] [blame] | 1145 | developer's request. If it has been enabled, it may still be forcibly |
| 1146 | disabled by prefixing it with the "no" keyword. It has no impact on |
| 1147 | performance nor stability but will try hard to re-enable core dumps that were |
| 1148 | possibly disabled by file size limitations (ulimit -f), core size limitations |
| 1149 | (ulimit -c), or "dumpability" of a process after changing its UID/GID (such |
| 1150 | as /proc/sys/fs/suid_dumpable on Linux). Core dumps might still be limited by |
| 1151 | the current directory's permissions (check what directory the file is started |
| 1152 | from), the chroot directory's permission (it may be needed to temporarily |
| 1153 | disable the chroot directive or to move it to a dedicated writable location), |
| 1154 | or any other system-specific constraint. For example, some Linux flavours are |
| 1155 | notorious for replacing the default core file with a path to an executable |
| 1156 | not even installed on the system (check /proc/sys/kernel/core_pattern). Often, |
| 1157 | simply writing "core", "core.%p" or "/var/log/core/core.%p" addresses the |
| 1158 | issue. When trying to enable this option waiting for a rare issue to |
| 1159 | re-appear, it's often a good idea to first try to obtain such a dump by |
| 1160 | issuing, for example, "kill -11" to the haproxy process and verify that it |
| 1161 | leaves a core where expected when dying. |
Willy Tarreau | 636848a | 2019-04-15 19:38:50 +0200 | [diff] [blame] | 1162 | |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 1163 | ssl-default-bind-ciphers <ciphers> |
| 1164 | This setting is only available when support for OpenSSL was built in. It sets |
| 1165 | the default string describing the list of cipher algorithms ("cipher suite") |
Bertrand Jacquin | 8cf7c1e | 2019-02-03 18:35:25 +0000 | [diff] [blame] | 1166 | that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 1167 | "bind" lines which do not explicitly define theirs. The format of the string |
Bertrand Jacquin | 4f03ab0 | 2019-02-03 18:48:49 +0000 | [diff] [blame] | 1168 | is defined in "man 1 ciphers" from OpenSSL man pages. For background |
| 1169 | information and recommendations see e.g. |
| 1170 | (https://wiki.mozilla.org/Security/Server_Side_TLS) and |
| 1171 | (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3 |
| 1172 | cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword. |
| 1173 | Please check the "bind" keyword for more information. |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 1174 | |
| 1175 | ssl-default-bind-ciphersuites <ciphersuites> |
| 1176 | This setting is only available when support for OpenSSL was built in and |
| 1177 | OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string |
| 1178 | describing the list of cipher algorithms ("cipher suite") that are negotiated |
| 1179 | during the TLSv1.3 handshake for all "bind" lines which do not explicitly define |
| 1180 | theirs. The format of the string is defined in |
Bertrand Jacquin | 4f03ab0 | 2019-02-03 18:48:49 +0000 | [diff] [blame] | 1181 | "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For |
| 1182 | cipher configuration for TLSv1.2 and earlier, please check the |
| 1183 | "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 1184 | information. |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 1185 | |
Emeric Brun | 2c86cbf | 2014-10-30 15:56:50 +0100 | [diff] [blame] | 1186 | ssl-default-bind-options [<option>]... |
| 1187 | This setting is only available when support for OpenSSL was built in. It sets |
| 1188 | default ssl-options to force on all "bind" lines. Please check the "bind" |
| 1189 | keyword to see available options. |
| 1190 | |
| 1191 | Example: |
| 1192 | global |
Emmanuel Hocdet | e1c722b | 2017-03-31 15:02:54 +0200 | [diff] [blame] | 1193 | ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets |
Emeric Brun | 2c86cbf | 2014-10-30 15:56:50 +0100 | [diff] [blame] | 1194 | |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 1195 | ssl-default-server-ciphers <ciphers> |
| 1196 | This setting is only available when support for OpenSSL was built in. It |
| 1197 | sets the default string describing the list of cipher algorithms that are |
Bertrand Jacquin | 8cf7c1e | 2019-02-03 18:35:25 +0000 | [diff] [blame] | 1198 | negotiated during the SSL/TLS handshake up to TLSv1.2 with the server, |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 1199 | for all "server" lines which do not explicitly define theirs. The format of |
Bertrand Jacquin | 4f03ab0 | 2019-02-03 18:48:49 +0000 | [diff] [blame] | 1200 | the string is defined in "man 1 ciphers" from OpenSSL man pages. For background |
| 1201 | information and recommendations see e.g. |
| 1202 | (https://wiki.mozilla.org/Security/Server_Side_TLS) and |
| 1203 | (https://mozilla.github.io/server-side-tls/ssl-config-generator/). |
| 1204 | For TLSv1.3 cipher configuration, please check the |
| 1205 | "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword |
| 1206 | for more information. |
Dirkjan Bussink | 415150f | 2018-09-14 11:14:21 +0200 | [diff] [blame] | 1207 | |
| 1208 | ssl-default-server-ciphersuites <ciphersuites> |
| 1209 | This setting is only available when support for OpenSSL was built in and |
| 1210 | OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default |
| 1211 | string describing the list of cipher algorithms that are negotiated during |
| 1212 | the TLSv1.3 handshake with the server, for all "server" lines which do not |
| 1213 | explicitly define theirs. The format of the string is defined in |
Bertrand Jacquin | 4f03ab0 | 2019-02-03 18:48:49 +0000 | [diff] [blame] | 1214 | "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For |
| 1215 | cipher configuration for TLSv1.2 and earlier, please check the |
| 1216 | "ssl-default-server-ciphers" keyword. Please check the "server" keyword for |
| 1217 | more information. |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 1218 | |
Emeric Brun | 2c86cbf | 2014-10-30 15:56:50 +0100 | [diff] [blame] | 1219 | ssl-default-server-options [<option>]... |
| 1220 | This setting is only available when support for OpenSSL was built in. It sets |
| 1221 | default ssl-options to force on all "server" lines. Please check the "server" |
| 1222 | keyword to see available options. |
| 1223 | |
Remi Gacogne | 47783ef | 2015-05-29 15:53:22 +0200 | [diff] [blame] | 1224 | ssl-dh-param-file <file> |
| 1225 | This setting is only available when support for OpenSSL was built in. It sets |
| 1226 | the default DH parameters that are used during the SSL/TLS handshake when |
| 1227 | ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1228 | which do not explicitly define theirs. It will be overridden by custom DH |
Remi Gacogne | 47783ef | 2015-05-29 15:53:22 +0200 | [diff] [blame] | 1229 | parameters found in a bind certificate file if any. If custom DH parameters |
Cyril Bonté | 307ee1e | 2015-09-28 23:16:06 +0200 | [diff] [blame] | 1230 | are not specified either by using ssl-dh-param-file or by setting them |
| 1231 | directly in the certificate file, pre-generated DH parameters of the size |
| 1232 | specified by tune.ssl.default-dh-param will be used. Custom parameters are |
| 1233 | known to be more secure and therefore their use is recommended. |
Remi Gacogne | 47783ef | 2015-05-29 15:53:22 +0200 | [diff] [blame] | 1234 | Custom DH parameters may be generated by using the OpenSSL command |
| 1235 | "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH |
| 1236 | parameters should not be considered secure anymore. |
| 1237 | |
Emeric Brun | 850efd5 | 2014-01-29 12:24:34 +0100 | [diff] [blame] | 1238 | ssl-server-verify [none|required] |
| 1239 | The default behavior for SSL verify on servers side. If specified to 'none', |
| 1240 | servers certificates are not verified. The default is 'required' except if |
| 1241 | forced using cmdline option '-dV'. |
| 1242 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 1243 | stats socket [<address:port>|<path>] [param*] |
| 1244 | Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>. |
| 1245 | Connections to this socket will return various statistics outputs and even |
| 1246 | allow some commands to be issued to change some runtime settings. Please |
Willy Tarreau | 1af20c7 | 2017-06-23 16:01:14 +0200 | [diff] [blame] | 1247 | consult section 9.3 "Unix Socket commands" of Management Guide for more |
Kevin Decherf | 949c720 | 2015-10-13 23:26:44 +0200 | [diff] [blame] | 1248 | details. |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 1249 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 1250 | All parameters supported by "bind" lines are supported, for instance to |
| 1251 | restrict access to some users or their access rights. Please consult |
| 1252 | section 5.1 for more information. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 1253 | |
| 1254 | stats timeout <timeout, in milliseconds> |
| 1255 | The default timeout on the stats socket is set to 10 seconds. It is possible |
| 1256 | to change this value with "stats timeout". The value must be passed in |
Willy Tarreau | befdff1 | 2007-12-02 22:27:38 +0100 | [diff] [blame] | 1257 | milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 1258 | |
| 1259 | stats maxconn <connections> |
| 1260 | By default, the stats socket is limited to 10 concurrent connections. It is |
| 1261 | possible to change this value with "stats maxconn". |
| 1262 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1263 | uid <number> |
| 1264 | Changes the process' user ID to <number>. It is recommended that the user ID |
| 1265 | is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 1266 | be started with superuser privileges in order to be able to switch to another |
| 1267 | one. See also "gid" and "user". |
| 1268 | |
| 1269 | ulimit-n <number> |
| 1270 | Sets the maximum number of per-process file-descriptors to <number>. By |
| 1271 | default, it is automatically computed, so it is recommended not to use this |
| 1272 | option. |
| 1273 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1274 | unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ] |
| 1275 | [ group <group> ] [ gid <gid> ] |
| 1276 | |
| 1277 | Fixes common settings to UNIX listening sockets declared in "bind" statements. |
| 1278 | This is mainly used to simplify declaration of those UNIX sockets and reduce |
| 1279 | the risk of errors, since those settings are most commonly required but are |
| 1280 | also process-specific. The <prefix> setting can be used to force all socket |
| 1281 | path to be relative to that directory. This might be needed to access another |
| 1282 | component's chroot. Note that those paths are resolved before haproxy chroots |
| 1283 | itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid> |
| 1284 | all have the same meaning as their homonyms used by the "bind" statement. If |
| 1285 | both are specified, the "bind" statement has priority, meaning that the |
| 1286 | "unix-bind" settings may be seen as process-wide default settings. |
| 1287 | |
Willy Tarreau | 1d54972 | 2016-02-16 12:41:57 +0100 | [diff] [blame] | 1288 | unsetenv [<name> ...] |
| 1289 | Removes environment variables specified in arguments. This can be useful to |
| 1290 | hide some sensitive information that are occasionally inherited from the |
| 1291 | user's environment during some operations. Variables which did not exist are |
| 1292 | silently ignored so that after the operation, it is certain that none of |
| 1293 | these variables remain. The changes immediately take effect so that the next |
| 1294 | line in the configuration file will not see these variables. See also |
| 1295 | "setenv", "presetenv", and "resetenv". |
| 1296 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1297 | user <user name> |
| 1298 | Similar to "uid" but uses the UID of user name <user name> from /etc/passwd. |
| 1299 | See also "uid" and "group". |
| 1300 | |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 1301 | node <name> |
| 1302 | Only letters, digits, hyphen and underscore are allowed, like in DNS names. |
| 1303 | |
| 1304 | This statement is useful in HA configurations where two or more processes or |
| 1305 | servers share the same IP address. By setting a different node-name on all |
| 1306 | nodes, it becomes easy to immediately spot what server is handling the |
| 1307 | traffic. |
| 1308 | |
| 1309 | description <text> |
| 1310 | Add a text that describes the instance. |
| 1311 | |
| 1312 | Please note that it is required to escape certain characters (# for example) |
| 1313 | and this text is inserted into a html page so you should avoid using |
| 1314 | "<" and ">" characters. |
| 1315 | |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1316 | 51degrees-data-file <file path> |
| 1317 | The path of the 51Degrees data file to provide device detection services. The |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1318 | file should be unzipped and accessible by HAProxy with relevant permissions. |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1319 | |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 1320 | Please note that this option is only available when haproxy has been |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1321 | compiled with USE_51DEGREES. |
| 1322 | |
Ben Shillito | f25e8e5 | 2016-12-02 14:25:37 +0000 | [diff] [blame] | 1323 | 51degrees-property-name-list [<string> ...] |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1324 | A list of 51Degrees property names to be load from the dataset. A full list |
| 1325 | of names is available on the 51Degrees website: |
| 1326 | https://51degrees.com/resources/property-dictionary |
| 1327 | |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 1328 | Please note that this option is only available when haproxy has been |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1329 | compiled with USE_51DEGREES. |
| 1330 | |
Dragan Dosen | 93b38d9 | 2015-06-29 16:43:25 +0200 | [diff] [blame] | 1331 | 51degrees-property-separator <char> |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1332 | A char that will be appended to every property value in a response header |
| 1333 | containing 51Degrees results. If not set that will be set as ','. |
| 1334 | |
Dragan Dosen | ae6d39a | 2015-06-29 16:43:27 +0200 | [diff] [blame] | 1335 | Please note that this option is only available when haproxy has been |
| 1336 | compiled with USE_51DEGREES. |
| 1337 | |
| 1338 | 51degrees-cache-size <number> |
| 1339 | Sets the size of the 51Degrees converter cache to <number> entries. This |
| 1340 | is an LRU cache which reminds previous device detections and their results. |
| 1341 | By default, this cache is disabled. |
| 1342 | |
| 1343 | Please note that this option is only available when haproxy has been |
Thomas Holmes | db04f19 | 2015-05-18 13:21:39 +0100 | [diff] [blame] | 1344 | compiled with USE_51DEGREES. |
| 1345 | |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 1346 | wurfl-data-file <file path> |
| 1347 | The path of the WURFL data file to provide device detection services. The |
| 1348 | file should be accessible by HAProxy with relevant permissions. |
| 1349 | |
| 1350 | Please note that this option is only available when haproxy has been compiled |
| 1351 | with USE_WURFL=1. |
| 1352 | |
| 1353 | wurfl-information-list [<capability>]* |
| 1354 | A space-delimited list of WURFL capabilities, virtual capabilities, property |
| 1355 | names we plan to use in injected headers. A full list of capability and |
| 1356 | virtual capability names is available on the Scientiamobile website : |
| 1357 | |
| 1358 | https://www.scientiamobile.com/wurflCapability |
| 1359 | |
| 1360 | Valid WURFL properties are: |
| 1361 | - wurfl_id Contains the device ID of the matched device. |
| 1362 | |
| 1363 | - wurfl_root_id Contains the device root ID of the matched |
| 1364 | device. |
| 1365 | |
| 1366 | - wurfl_isdevroot Tells if the matched device is a root device. |
| 1367 | Possible values are "TRUE" or "FALSE". |
| 1368 | |
| 1369 | - wurfl_useragent The original useragent coming with this |
| 1370 | particular web request. |
| 1371 | |
| 1372 | - wurfl_api_version Contains a string representing the currently |
| 1373 | used Libwurfl API version. |
| 1374 | |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 1375 | - wurfl_info A string containing information on the parsed |
| 1376 | wurfl.xml and its full path. |
| 1377 | |
| 1378 | - wurfl_last_load_time Contains the UNIX timestamp of the last time |
| 1379 | WURFL has been loaded successfully. |
| 1380 | |
| 1381 | - wurfl_normalized_useragent The normalized useragent. |
| 1382 | |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 1383 | Please note that this option is only available when haproxy has been compiled |
| 1384 | with USE_WURFL=1. |
| 1385 | |
| 1386 | wurfl-information-list-separator <char> |
| 1387 | A char that will be used to separate values in a response header containing |
| 1388 | WURFL results. If not set that a comma (',') will be used by default. |
| 1389 | |
| 1390 | Please note that this option is only available when haproxy has been compiled |
| 1391 | with USE_WURFL=1. |
| 1392 | |
| 1393 | wurfl-patch-file [<file path>] |
| 1394 | A list of WURFL patch file paths. Note that patches are loaded during startup |
| 1395 | thus before the chroot. |
| 1396 | |
| 1397 | Please note that this option is only available when haproxy has been compiled |
| 1398 | with USE_WURFL=1. |
| 1399 | |
paulborile | bad132c | 2019-04-18 11:57:04 +0200 | [diff] [blame] | 1400 | wurfl-cache-size <size> |
| 1401 | Sets the WURFL Useragent cache size. For faster lookups, already processed user |
| 1402 | agents are kept in a LRU cache : |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 1403 | - "0" : no cache is used. |
paulborile | bad132c | 2019-04-18 11:57:04 +0200 | [diff] [blame] | 1404 | - <size> : size of lru cache in elements. |
Willy Tarreau | b3cc9f2 | 2019-04-19 16:03:32 +0200 | [diff] [blame] | 1405 | |
| 1406 | Please note that this option is only available when haproxy has been compiled |
| 1407 | with USE_WURFL=1. |
| 1408 | |
William Dauchy | 0fec3ab | 2019-10-27 20:08:11 +0100 | [diff] [blame] | 1409 | strict-limits |
| 1410 | Makes process fail at startup when a setrlimit fails. Haproxy is tries to set |
| 1411 | the best setrlimit according to what has been calculated. If it fails, it |
| 1412 | will emit a warning. Use this option if you want an explicit failure of |
| 1413 | haproxy when those limits fail. This option is disabled by default. If it has |
| 1414 | been enabled, it may still be forcibly disabled by prefixing it with the "no" |
| 1415 | keyword. |
| 1416 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1417 | 3.2. Performance tuning |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1418 | ----------------------- |
| 1419 | |
Willy Tarreau | beb859a | 2018-11-22 18:07:59 +0100 | [diff] [blame] | 1420 | busy-polling |
| 1421 | In some situations, especially when dealing with low latency on processors |
| 1422 | supporting a variable frequency or when running inside virtual machines, each |
| 1423 | time the process waits for an I/O using the poller, the processor goes back |
| 1424 | to sleep or is offered to another VM for a long time, and it causes |
| 1425 | excessively high latencies. This option provides a solution preventing the |
| 1426 | processor from sleeping by always using a null timeout on the pollers. This |
| 1427 | results in a significant latency reduction (30 to 100 microseconds observed) |
| 1428 | at the expense of a risk to overheat the processor. It may even be used with |
| 1429 | threads, in which case improperly bound threads may heavily conflict, |
| 1430 | resulting in a worse performance and high values for the CPU stolen fields |
| 1431 | in "show info" output, indicating which threads are misconfigured. It is |
| 1432 | important not to let the process run on the same processor as the network |
| 1433 | interrupts when this option is used. It is also better to avoid using it on |
| 1434 | multiple CPU threads sharing the same core. This option is disabled by |
| 1435 | default. If it has been enabled, it may still be forcibly disabled by |
| 1436 | prefixing it with the "no" keyword. It is ignored by the "select" and |
| 1437 | "poll" pollers. |
| 1438 | |
Willy Tarreau | 1746eec | 2014-04-25 10:46:47 +0200 | [diff] [blame] | 1439 | max-spread-checks <delay in milliseconds> |
| 1440 | By default, haproxy tries to spread the start of health checks across the |
| 1441 | smallest health check interval of all the servers in a farm. The principle is |
| 1442 | to avoid hammering services running on the same server. But when using large |
| 1443 | check intervals (10 seconds or more), the last servers in the farm take some |
| 1444 | time before starting to be tested, which can be a problem. This parameter is |
| 1445 | used to enforce an upper bound on delay between the first and the last check, |
| 1446 | even if the servers' check intervals are larger. When servers run with |
| 1447 | shorter intervals, their intervals will be respected though. |
| 1448 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1449 | maxconn <number> |
| 1450 | Sets the maximum per-process number of concurrent connections to <number>. It |
| 1451 | is equivalent to the command-line argument "-n". Proxies will stop accepting |
| 1452 | connections when this limit is reached. The "ulimit-n" parameter is |
Willy Tarreau | 8274e10 | 2014-06-19 15:31:25 +0200 | [diff] [blame] | 1453 | automatically adjusted according to this value. See also "ulimit-n". Note: |
| 1454 | the "select" poller cannot reliably use more than 1024 file descriptors on |
| 1455 | some platforms. If your platform only supports select and reports "select |
| 1456 | FAILED" on startup, you need to reduce maxconn until it works (slightly |
Willy Tarreau | b28f344 | 2019-03-04 08:13:43 +0100 | [diff] [blame] | 1457 | below 500 in general). If this value is not set, it will automatically be |
| 1458 | calculated based on the current file descriptors limit reported by the |
| 1459 | "ulimit -n" command, possibly reduced to a lower value if a memory limit |
| 1460 | is enforced, based on the buffer size, memory allocated to compression, SSL |
| 1461 | cache size, and use or not of SSL and the associated maxsslconn (which can |
| 1462 | also be automatic). |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1463 | |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 1464 | maxconnrate <number> |
| 1465 | Sets the maximum per-process number of connections per second to <number>. |
| 1466 | Proxies will stop accepting connections when this limit is reached. It can be |
| 1467 | used to limit the global capacity regardless of each frontend capacity. It is |
| 1468 | important to note that this can only be used as a service protection measure, |
| 1469 | as there will not necessarily be a fair share between frontends when the |
| 1470 | limit is reached, so it's a good idea to also limit each frontend to some |
| 1471 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 1472 | fairness. |
| 1473 | |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 1474 | maxcomprate <number> |
| 1475 | Sets the maximum per-process input compression rate to <number> kilobytes |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1476 | per second. For each session, if the maximum is reached, the compression |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 1477 | level will be decreased during the session. If the maximum is reached at the |
| 1478 | beginning of a session, the session will not compress at all. If the maximum |
| 1479 | is not reached, the compression level will be increased up to |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1480 | tune.comp.maxlevel. A value of zero means there is no limit, this is the |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 1481 | default value. |
| 1482 | |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 1483 | maxcompcpuusage <number> |
| 1484 | Sets the maximum CPU usage HAProxy can reach before stopping the compression |
| 1485 | for new requests or decreasing the compression level of current requests. |
| 1486 | It works like 'maxcomprate' but measures CPU usage instead of incoming data |
| 1487 | bandwidth. The value is expressed in percent of the CPU used by haproxy. In |
| 1488 | case of multiple processes (nbproc > 1), each process manages its individual |
| 1489 | usage. A value of 100 disable the limit. The default value is 100. Setting |
| 1490 | a lower value will prevent the compression work from slowing the whole |
| 1491 | process down and from introducing high latencies. |
| 1492 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 1493 | maxpipes <number> |
| 1494 | Sets the maximum per-process number of pipes to <number>. Currently, pipes |
| 1495 | are only used by kernel-based tcp splicing. Since a pipe contains two file |
| 1496 | descriptors, the "ulimit-n" value will be increased accordingly. The default |
| 1497 | value is maxconn/4, which seems to be more than enough for most heavy usages. |
| 1498 | The splice code dynamically allocates and releases pipes, and can fall back |
| 1499 | to standard copy, so setting this value too low may only impact performance. |
| 1500 | |
Willy Tarreau | 93e7c00 | 2013-10-07 18:51:07 +0200 | [diff] [blame] | 1501 | maxsessrate <number> |
| 1502 | Sets the maximum per-process number of sessions per second to <number>. |
| 1503 | Proxies will stop accepting connections when this limit is reached. It can be |
| 1504 | used to limit the global capacity regardless of each frontend capacity. It is |
| 1505 | important to note that this can only be used as a service protection measure, |
| 1506 | as there will not necessarily be a fair share between frontends when the |
| 1507 | limit is reached, so it's a good idea to also limit each frontend to some |
| 1508 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 1509 | fairness. |
| 1510 | |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 1511 | maxsslconn <number> |
| 1512 | Sets the maximum per-process number of concurrent SSL connections to |
| 1513 | <number>. By default there is no SSL-specific limit, which means that the |
| 1514 | global maxconn setting will apply to all connections. Setting this limit |
| 1515 | avoids having openssl use too much memory and crash when malloc returns NULL |
| 1516 | (since it unfortunately does not reliably check for such conditions). Note |
| 1517 | that the limit applies both to incoming and outgoing connections, so one |
| 1518 | connection which is deciphered then ciphered accounts for 2 SSL connections. |
Willy Tarreau | d025648 | 2015-01-15 21:45:22 +0100 | [diff] [blame] | 1519 | If this value is not set, but a memory limit is enforced, this value will be |
| 1520 | automatically computed based on the memory limit, maxconn, the buffer size, |
| 1521 | memory allocated to compression, SSL cache size, and use of SSL in either |
| 1522 | frontends, backends or both. If neither maxconn nor maxsslconn are specified |
| 1523 | when there is a memory limit, haproxy will automatically adjust these values |
| 1524 | so that 100% of the connections can be made over SSL with no risk, and will |
| 1525 | consider the sides where it is enabled (frontend, backend, both). |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 1526 | |
Willy Tarreau | e43d532 | 2013-10-07 20:01:52 +0200 | [diff] [blame] | 1527 | maxsslrate <number> |
| 1528 | Sets the maximum per-process number of SSL sessions per second to <number>. |
| 1529 | SSL listeners will stop accepting connections when this limit is reached. It |
| 1530 | can be used to limit the global SSL CPU usage regardless of each frontend |
| 1531 | capacity. It is important to note that this can only be used as a service |
| 1532 | protection measure, as there will not necessarily be a fair share between |
| 1533 | frontends when the limit is reached, so it's a good idea to also limit each |
| 1534 | frontend to some value close to its expected share. It is also important to |
| 1535 | note that the sessions are accounted before they enter the SSL stack and not |
| 1536 | after, which also protects the stack against bad handshakes. Also, lowering |
| 1537 | tune.maxaccept can improve fairness. |
| 1538 | |
William Lallemand | 9d5f548 | 2012-11-07 16:12:57 +0100 | [diff] [blame] | 1539 | maxzlibmem <number> |
| 1540 | Sets the maximum amount of RAM in megabytes per process usable by the zlib. |
| 1541 | When the maximum amount is reached, future sessions will not compress as long |
| 1542 | as RAM is unavailable. When sets to 0, there is no limit. |
William Lallemand | e3a7d99 | 2012-11-20 11:25:20 +0100 | [diff] [blame] | 1543 | The default value is 0. The value is available in bytes on the UNIX socket |
| 1544 | with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is |
| 1545 | "ZlibMemUsage" in bytes. |
| 1546 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1547 | noepoll |
| 1548 | Disables the use of the "epoll" event polling system on Linux. It is |
| 1549 | equivalent to the command-line argument "-de". The next polling system |
Willy Tarreau | e9f49e7 | 2012-11-11 17:42:00 +0100 | [diff] [blame] | 1550 | used will generally be "poll". See also "nopoll". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1551 | |
| 1552 | nokqueue |
| 1553 | Disables the use of the "kqueue" event polling system on BSD. It is |
| 1554 | equivalent to the command-line argument "-dk". The next polling system |
| 1555 | used will generally be "poll". See also "nopoll". |
| 1556 | |
Emmanuel Hocdet | 0ba4f48 | 2019-04-08 16:53:32 +0000 | [diff] [blame] | 1557 | noevports |
| 1558 | Disables the use of the event ports event polling system on SunOS systems |
| 1559 | derived from Solaris 10 and later. It is equivalent to the command-line |
| 1560 | argument "-dv". The next polling system used will generally be "poll". See |
| 1561 | also "nopoll". |
| 1562 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1563 | nopoll |
| 1564 | Disables the use of the "poll" event polling system. It is equivalent to the |
| 1565 | command-line argument "-dp". The next polling system used will be "select". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1566 | It should never be needed to disable "poll" since it's available on all |
Emmanuel Hocdet | 0ba4f48 | 2019-04-08 16:53:32 +0000 | [diff] [blame] | 1567 | platforms supported by HAProxy. See also "nokqueue", "noepoll" and |
| 1568 | "noevports". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1569 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 1570 | nosplice |
| 1571 | Disables the use of kernel tcp splicing between sockets on Linux. It is |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1572 | equivalent to the command line argument "-dS". Data will then be copied |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 1573 | using conventional and more portable recv/send calls. Kernel tcp splicing is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1574 | limited to some very recent instances of kernel 2.6. Most versions between |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 1575 | 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not |
| 1576 | be used. This option makes it easier to globally disable kernel splicing in |
| 1577 | case of doubt. See also "option splice-auto", "option splice-request" and |
| 1578 | "option splice-response". |
| 1579 | |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1580 | nogetaddrinfo |
| 1581 | Disables the use of getaddrinfo(3) for name resolving. It is equivalent to |
| 1582 | the command line argument "-dG". Deprecated gethostbyname(3) will be used. |
| 1583 | |
Lukas Tribus | a0bcbdc | 2016-09-12 21:42:20 +0000 | [diff] [blame] | 1584 | noreuseport |
| 1585 | Disables the use of SO_REUSEPORT - see socket(7). It is equivalent to the |
| 1586 | command line argument "-dR". |
| 1587 | |
Willy Tarreau | d2d3348 | 2019-04-25 17:09:07 +0200 | [diff] [blame] | 1588 | profiling.tasks { auto | on | off } |
| 1589 | Enables ('on') or disables ('off') per-task CPU profiling. When set to 'auto' |
| 1590 | the profiling automatically turns on a thread when it starts to suffer from |
| 1591 | an average latency of 1000 microseconds or higher as reported in the |
| 1592 | "avg_loop_us" activity field, and automatically turns off when the latency |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1593 | returns below 990 microseconds (this value is an average over the last 1024 |
Willy Tarreau | d2d3348 | 2019-04-25 17:09:07 +0200 | [diff] [blame] | 1594 | loops so it does not vary quickly and tends to significantly smooth short |
| 1595 | spikes). It may also spontaneously trigger from time to time on overloaded |
| 1596 | systems, containers, or virtual machines, or when the system swaps (which |
| 1597 | must absolutely never happen on a load balancer). |
| 1598 | |
| 1599 | CPU profiling per task can be very convenient to report where the time is |
| 1600 | spent and which requests have what effect on which other request. Enabling |
| 1601 | it will typically affect the overall's performance by less than 1%, thus it |
| 1602 | is recommended to leave it to the default 'auto' value so that it only |
| 1603 | operates when a problem is identified. This feature requires a system |
Willy Tarreau | 75c62c2 | 2018-11-22 11:02:09 +0100 | [diff] [blame] | 1604 | supporting the clock_gettime(2) syscall with clock identifiers |
| 1605 | CLOCK_MONOTONIC and CLOCK_THREAD_CPUTIME_ID, otherwise the reported time will |
| 1606 | be zero. This option may be changed at run time using "set profiling" on the |
| 1607 | CLI. |
| 1608 | |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 1609 | spread-checks <0..50, in percent> |
Simon Horman | d60d691 | 2013-11-25 10:46:36 +0900 | [diff] [blame] | 1610 | Sometimes it is desirable to avoid sending agent and health checks to |
| 1611 | servers at exact intervals, for instance when many logical servers are |
| 1612 | located on the same physical server. With the help of this parameter, it |
| 1613 | becomes possible to add some randomness in the check interval between 0 |
| 1614 | and +/- 50%. A value between 2 and 5 seems to show good results. The |
| 1615 | default value remains at 0. |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 1616 | |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1617 | ssl-engine <name> [algo <comma-separated list of algorithms>] |
Grant Zhang | 872f9c2 | 2017-01-21 01:10:18 +0000 | [diff] [blame] | 1618 | Sets the OpenSSL engine to <name>. List of valid values for <name> may be |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1619 | obtained using the command "openssl engine". This statement may be used |
Grant Zhang | 872f9c2 | 2017-01-21 01:10:18 +0000 | [diff] [blame] | 1620 | multiple times, it will simply enable multiple crypto engines. Referencing an |
| 1621 | unsupported engine will prevent haproxy from starting. Note that many engines |
| 1622 | will lead to lower HTTPS performance than pure software with recent |
| 1623 | processors. The optional command "algo" sets the default algorithms an ENGINE |
| 1624 | will supply using the OPENSSL function ENGINE_set_default_string(). A value |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1625 | of "ALL" uses the engine for all cryptographic operations. If no list of |
| 1626 | algo is specified then the value of "ALL" is used. A comma-separated list |
Grant Zhang | 872f9c2 | 2017-01-21 01:10:18 +0000 | [diff] [blame] | 1627 | of different algorithms may be specified, including: RSA, DSA, DH, EC, RAND, |
| 1628 | CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. This is the same format that |
| 1629 | openssl configuration file uses: |
| 1630 | https://www.openssl.org/docs/man1.0.2/apps/config.html |
| 1631 | |
Grant Zhang | fa6c7ee | 2017-01-14 01:42:15 +0000 | [diff] [blame] | 1632 | ssl-mode-async |
| 1633 | Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS |
Emeric Brun | 3854e01 | 2017-05-17 20:42:48 +0200 | [diff] [blame] | 1634 | I/O operations if asynchronous capable SSL engines are used. The current |
Emeric Brun | b5e42a8 | 2017-06-06 12:35:14 +0000 | [diff] [blame] | 1635 | implementation supports a maximum of 32 engines. The Openssl ASYNC API |
| 1636 | doesn't support moving read/write buffers and is not compliant with |
| 1637 | haproxy's buffer management. So the asynchronous mode is disabled on |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1638 | read/write operations (it is only enabled during initial and renegotiation |
Emeric Brun | b5e42a8 | 2017-06-06 12:35:14 +0000 | [diff] [blame] | 1639 | handshakes). |
Grant Zhang | fa6c7ee | 2017-01-14 01:42:15 +0000 | [diff] [blame] | 1640 | |
Willy Tarreau | 33cb065 | 2014-12-23 22:52:37 +0100 | [diff] [blame] | 1641 | tune.buffers.limit <number> |
| 1642 | Sets a hard limit on the number of buffers which may be allocated per process. |
| 1643 | The default value is zero which means unlimited. The minimum non-zero value |
| 1644 | will always be greater than "tune.buffers.reserve" and should ideally always |
| 1645 | be about twice as large. Forcing this value can be particularly useful to |
| 1646 | limit the amount of memory a process may take, while retaining a sane |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1647 | behavior. When this limit is reached, sessions which need a buffer wait for |
Willy Tarreau | 33cb065 | 2014-12-23 22:52:37 +0100 | [diff] [blame] | 1648 | another one to be released by another session. Since buffers are dynamically |
| 1649 | allocated and released, the waiting time is very short and not perceptible |
| 1650 | provided that limits remain reasonable. In fact sometimes reducing the limit |
| 1651 | may even increase performance by increasing the CPU cache's efficiency. Tests |
| 1652 | have shown good results on average HTTP traffic with a limit to 1/10 of the |
| 1653 | expected global maxconn setting, which also significantly reduces memory |
| 1654 | usage. The memory savings come from the fact that a number of connections |
| 1655 | will not allocate 2*tune.bufsize. It is best not to touch this value unless |
| 1656 | advised to do so by an haproxy core developer. |
| 1657 | |
Willy Tarreau | 1058ae7 | 2014-12-23 22:40:40 +0100 | [diff] [blame] | 1658 | tune.buffers.reserve <number> |
| 1659 | Sets the number of buffers which are pre-allocated and reserved for use only |
| 1660 | during memory shortage conditions resulting in failed memory allocations. The |
| 1661 | minimum value is 2 and is also the default. There is no reason a user would |
| 1662 | want to change this value, it's mostly aimed at haproxy core developers. |
| 1663 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 1664 | tune.bufsize <number> |
| 1665 | Sets the buffer size to this size (in bytes). Lower values allow more |
| 1666 | sessions to coexist in the same amount of RAM, and higher values allow some |
| 1667 | applications with very large cookies to work. The default value is 16384 and |
| 1668 | can be changed at build time. It is strongly recommended not to change this |
| 1669 | from the default value, as very low values will break some services such as |
| 1670 | statistics, and values larger than default size will increase memory usage, |
| 1671 | possibly causing the system to run out of memory. At least the global maxconn |
Willy Tarreau | 45a66cc | 2017-11-24 11:28:00 +0100 | [diff] [blame] | 1672 | parameter should be decreased by the same factor as this one is increased. In |
| 1673 | addition, use of HTTP/2 mandates that this value must be 16384 or more. If an |
| 1674 | HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will |
Dmitry Sivachenko | f6f4f7b | 2012-10-21 18:10:25 +0400 | [diff] [blame] | 1675 | return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger |
Willy Tarreau | c77d364 | 2018-12-12 06:19:42 +0100 | [diff] [blame] | 1676 | than this size, haproxy will return HTTP 502 (Bad Gateway). Note that the |
| 1677 | value set using this parameter will automatically be rounded up to the next |
| 1678 | multiple of 8 on 32-bit machines and 16 on 64-bit machines. |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 1679 | |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 1680 | tune.chksize <number> |
| 1681 | Sets the check buffer size to this size (in bytes). Higher values may help |
| 1682 | find string or regex patterns in very large pages, though doing so may imply |
| 1683 | more memory and CPU usage. The default value is 16384 and can be changed at |
| 1684 | build time. It is not recommended to change this value, but to use better |
| 1685 | checks whenever possible. |
| 1686 | |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 1687 | tune.comp.maxlevel <number> |
| 1688 | Sets the maximum compression level. The compression level affects CPU |
| 1689 | usage during compression. This value affects CPU usage during compression. |
| 1690 | Each session using compression initializes the compression algorithm with |
| 1691 | this value. The default value is 1. |
| 1692 | |
Willy Tarreau | c299e1e | 2019-02-27 11:35:12 +0100 | [diff] [blame] | 1693 | tune.fail-alloc |
| 1694 | If compiled with DEBUG_FAIL_ALLOC, gives the percentage of chances an |
| 1695 | allocation attempt fails. Must be between 0 (no failure) and 100 (no |
| 1696 | success). This is useful to debug and make sure memory failures are handled |
| 1697 | gracefully. |
| 1698 | |
Willy Tarreau | fe20e5b | 2017-07-27 11:42:14 +0200 | [diff] [blame] | 1699 | tune.h2.header-table-size <number> |
| 1700 | Sets the HTTP/2 dynamic header table size. It defaults to 4096 bytes and |
| 1701 | cannot be larger than 65536 bytes. A larger value may help certain clients |
| 1702 | send more compact requests, depending on their capabilities. This amount of |
| 1703 | memory is consumed for each HTTP/2 connection. It is recommended not to |
| 1704 | change it. |
| 1705 | |
Willy Tarreau | e6baec0 | 2017-07-27 11:45:11 +0200 | [diff] [blame] | 1706 | tune.h2.initial-window-size <number> |
| 1707 | Sets the HTTP/2 initial window size, which is the number of bytes the client |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1708 | can upload before waiting for an acknowledgment from haproxy. This setting |
| 1709 | only affects payload contents (i.e. the body of POST requests), not headers. |
Willy Tarreau | e6baec0 | 2017-07-27 11:45:11 +0200 | [diff] [blame] | 1710 | The default value is 65535, which roughly allows up to 5 Mbps of upload |
| 1711 | bandwidth per client over a network showing a 100 ms ping time, or 500 Mbps |
| 1712 | over a 1-ms local network. It can make sense to increase this value to allow |
| 1713 | faster uploads, or to reduce it to increase fairness when dealing with many |
| 1714 | clients. It doesn't affect resource usage. |
| 1715 | |
Willy Tarreau | 5242ef8 | 2017-07-27 11:47:28 +0200 | [diff] [blame] | 1716 | tune.h2.max-concurrent-streams <number> |
| 1717 | Sets the HTTP/2 maximum number of concurrent streams per connection (ie the |
| 1718 | number of outstanding requests on a single connection). The default value is |
| 1719 | 100. A larger one may slightly improve page load time for complex sites when |
| 1720 | visited over high latency networks, but increases the amount of resources a |
| 1721 | single client may allocate. A value of zero disables the limit so a single |
| 1722 | client may create as many streams as allocatable by haproxy. It is highly |
| 1723 | recommended not to change this value. |
| 1724 | |
Willy Tarreau | a24b35c | 2019-02-21 13:24:36 +0100 | [diff] [blame] | 1725 | tune.h2.max-frame-size <number> |
| 1726 | Sets the HTTP/2 maximum frame size that haproxy announces it is willing to |
| 1727 | receive to its peers. The default value is the largest between 16384 and the |
| 1728 | buffer size (tune.bufsize). In any case, haproxy will not announce support |
| 1729 | for frame sizes larger than buffers. The main purpose of this setting is to |
| 1730 | allow to limit the maximum frame size setting when using large buffers. Too |
| 1731 | large frame sizes might have performance impact or cause some peers to |
| 1732 | misbehave. It is highly recommended not to change this value. |
| 1733 | |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 1734 | tune.http.cookielen <number> |
| 1735 | Sets the maximum length of captured cookies. This is the maximum value that |
| 1736 | the "capture cookie xxx len yyy" will be allowed to take, and any upper value |
| 1737 | will automatically be truncated to this one. It is important not to set too |
| 1738 | high a value because all cookie captures still allocate this size whatever |
| 1739 | their configured value (they share a same pool). This value is per request |
| 1740 | per response, so the memory allocated is twice this value per connection. |
| 1741 | When not specified, the limit is set to 63 characters. It is recommended not |
| 1742 | to change this value. |
| 1743 | |
Stéphane Cottin | 23e9e93 | 2017-05-18 08:58:41 +0200 | [diff] [blame] | 1744 | tune.http.logurilen <number> |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1745 | Sets the maximum length of request URI in logs. This prevents truncating long |
| 1746 | request URIs with valuable query strings in log lines. This is not related |
Stéphane Cottin | 23e9e93 | 2017-05-18 08:58:41 +0200 | [diff] [blame] | 1747 | to syslog limits. If you increase this limit, you may also increase the |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1748 | 'log ... len yyy' parameter. Your syslog daemon may also need specific |
Stéphane Cottin | 23e9e93 | 2017-05-18 08:58:41 +0200 | [diff] [blame] | 1749 | configuration directives too. |
| 1750 | The default value is 1024. |
| 1751 | |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 1752 | tune.http.maxhdr <number> |
| 1753 | Sets the maximum number of headers in a request. When a request comes with a |
| 1754 | number of headers greater than this value (including the first line), it is |
| 1755 | rejected with a "400 Bad Request" status code. Similarly, too large responses |
| 1756 | are blocked with "502 Bad Gateway". The default value is 101, which is enough |
| 1757 | for all usages, considering that the widely deployed Apache server uses the |
| 1758 | same limit. It can be useful to push this limit further to temporarily allow |
Christopher Faulet | 50174f3 | 2017-06-21 16:31:35 +0200 | [diff] [blame] | 1759 | a buggy application to work by the time it gets fixed. The accepted range is |
| 1760 | 1..32767. Keep in mind that each new header consumes 32bits of memory for |
| 1761 | each session, so don't push this limit too high. |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 1762 | |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 1763 | tune.idletimer <timeout> |
| 1764 | Sets the duration after which haproxy will consider that an empty buffer is |
| 1765 | probably associated with an idle stream. This is used to optimally adjust |
| 1766 | some packet sizes while forwarding large and small data alternatively. The |
| 1767 | decision to use splice() or to send large buffers in SSL is modulated by this |
| 1768 | parameter. The value is in milliseconds between 0 and 65535. A value of zero |
| 1769 | means that haproxy will not try to detect idle streams. The default is 1000, |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1770 | which seems to correctly detect end user pauses (e.g. read a page before |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1771 | clicking). There should be no reason for changing this value. Please check |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 1772 | tune.ssl.maxrecord below. |
| 1773 | |
Willy Tarreau | 7ac908b | 2019-02-27 12:02:18 +0100 | [diff] [blame] | 1774 | tune.listener.multi-queue { on | off } |
| 1775 | Enables ('on') or disables ('off') the listener's multi-queue accept which |
| 1776 | spreads the incoming traffic to all threads a "bind" line is allowed to run |
| 1777 | on instead of taking them for itself. This provides a smoother traffic |
| 1778 | distribution and scales much better, especially in environments where threads |
| 1779 | may be unevenly loaded due to external activity (network interrupts colliding |
| 1780 | with one thread for example). This option is enabled by default, but it may |
| 1781 | be forcefully disabled for troubleshooting or for situations where it is |
| 1782 | estimated that the operating system already provides a good enough |
| 1783 | distribution and connections are extremely short-lived. |
| 1784 | |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1785 | tune.lua.forced-yield <number> |
| 1786 | This directive forces the Lua engine to execute a yield each <number> of |
Tim Düsterhus | 4896c44 | 2016-11-29 02:15:19 +0100 | [diff] [blame] | 1787 | instructions executed. This permits interrupting a long script and allows the |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1788 | HAProxy scheduler to process other tasks like accepting connections or |
| 1789 | forwarding traffic. The default value is 10000 instructions. If HAProxy often |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1790 | executes some Lua code but more responsiveness is required, this value can be |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1791 | lowered. If the Lua code is quite long and its result is absolutely required |
| 1792 | to process the data, the <number> can be increased. |
| 1793 | |
Willy Tarreau | 32f61e2 | 2015-03-18 17:54:59 +0100 | [diff] [blame] | 1794 | tune.lua.maxmem |
| 1795 | Sets the maximum amount of RAM in megabytes per process usable by Lua. By |
| 1796 | default it is zero which means unlimited. It is important to set a limit to |
| 1797 | ensure that a bug in a script will not result in the system running out of |
| 1798 | memory. |
| 1799 | |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1800 | tune.lua.session-timeout <timeout> |
| 1801 | This is the execution timeout for the Lua sessions. This is useful for |
Thierry FOURNIER | 7dd784b | 2015-10-01 14:49:33 +0200 | [diff] [blame] | 1802 | preventing infinite loops or spending too much time in Lua. This timeout |
| 1803 | counts only the pure Lua runtime. If the Lua does a sleep, the sleep is |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1804 | not taken in account. The default timeout is 4s. |
Thierry FOURNIER | 90da191 | 2015-03-05 11:17:06 +0100 | [diff] [blame] | 1805 | |
| 1806 | tune.lua.task-timeout <timeout> |
| 1807 | Purpose is the same as "tune.lua.session-timeout", but this timeout is |
| 1808 | dedicated to the tasks. By default, this timeout isn't set because a task may |
| 1809 | remain alive during of the lifetime of HAProxy. For example, a task used to |
| 1810 | check servers. |
| 1811 | |
Thierry FOURNIER | 7dd784b | 2015-10-01 14:49:33 +0200 | [diff] [blame] | 1812 | tune.lua.service-timeout <timeout> |
| 1813 | This is the execution timeout for the Lua services. This is useful for |
| 1814 | preventing infinite loops or spending too much time in Lua. This timeout |
| 1815 | counts only the pure Lua runtime. If the Lua does a sleep, the sleep is |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1816 | not taken in account. The default timeout is 4s. |
Thierry FOURNIER | 7dd784b | 2015-10-01 14:49:33 +0200 | [diff] [blame] | 1817 | |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 1818 | tune.maxaccept <number> |
Willy Tarreau | 16a2147 | 2012-11-19 12:39:59 +0100 | [diff] [blame] | 1819 | Sets the maximum number of consecutive connections a process may accept in a |
| 1820 | row before switching to other work. In single process mode, higher numbers |
| 1821 | give better performance at high connection rates. However in multi-process |
| 1822 | modes, keeping a bit of fairness between processes generally is better to |
| 1823 | increase performance. This value applies individually to each listener, so |
| 1824 | that the number of processes a listener is bound to is taken into account. |
| 1825 | This value defaults to 64. In multi-process mode, it is divided by twice |
| 1826 | the number of processes the listener is bound to. Setting this value to -1 |
| 1827 | completely disables the limitation. It should normally not be needed to tweak |
| 1828 | this value. |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 1829 | |
| 1830 | tune.maxpollevents <number> |
| 1831 | Sets the maximum amount of events that can be processed at once in a call to |
| 1832 | the polling system. The default value is adapted to the operating system. It |
| 1833 | has been noticed that reducing it below 200 tends to slightly decrease |
| 1834 | latency at the expense of network bandwidth, and increasing it above 200 |
| 1835 | tends to trade latency for slightly increased bandwidth. |
| 1836 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 1837 | tune.maxrewrite <number> |
| 1838 | Sets the reserved buffer space to this size in bytes. The reserved space is |
| 1839 | used for header rewriting or appending. The first reads on sockets will never |
| 1840 | fill more than bufsize-maxrewrite. Historically it has defaulted to half of |
| 1841 | bufsize, though that does not make much sense since there are rarely large |
| 1842 | numbers of headers to add. Setting it too high prevents processing of large |
| 1843 | requests or responses. Setting it too low prevents addition of new headers |
| 1844 | to already large requests or to POST requests. It is generally wise to set it |
| 1845 | to about 1024. It is automatically readjusted to half of bufsize if it is |
| 1846 | larger than that. This means you don't have to worry about it when changing |
| 1847 | bufsize. |
| 1848 | |
Willy Tarreau | f3045d2 | 2015-04-29 16:24:50 +0200 | [diff] [blame] | 1849 | tune.pattern.cache-size <number> |
| 1850 | Sets the size of the pattern lookup cache to <number> entries. This is an LRU |
| 1851 | cache which reminds previous lookups and their results. It is used by ACLs |
| 1852 | and maps on slow pattern lookups, namely the ones using the "sub", "reg", |
| 1853 | "dir", "dom", "end", "bin" match methods as well as the case-insensitive |
| 1854 | strings. It applies to pattern expressions which means that it will be able |
| 1855 | to memorize the result of a lookup among all the patterns specified on a |
| 1856 | configuration line (including all those loaded from files). It automatically |
| 1857 | invalidates entries which are updated using HTTP actions or on the CLI. The |
| 1858 | default cache size is set to 10000 entries, which limits its footprint to |
Willy Tarreau | 403bfbb | 2019-10-23 06:59:31 +0200 | [diff] [blame] | 1859 | about 5 MB per process/thread on 32-bit systems and 8 MB per process/thread |
| 1860 | on 64-bit systems, as caches are thread/process local. There is a very low |
Willy Tarreau | f3045d2 | 2015-04-29 16:24:50 +0200 | [diff] [blame] | 1861 | risk of collision in this cache, which is in the order of the size of the |
| 1862 | cache divided by 2^64. Typically, at 10000 requests per second with the |
| 1863 | default cache size of 10000 entries, there's 1% chance that a brute force |
| 1864 | attack could cause a single collision after 60 years, or 0.1% after 6 years. |
| 1865 | This is considered much lower than the risk of a memory corruption caused by |
| 1866 | aging components. If this is not acceptable, the cache can be disabled by |
| 1867 | setting this parameter to 0. |
| 1868 | |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 1869 | tune.pipesize <number> |
| 1870 | Sets the kernel pipe buffer size to this size (in bytes). By default, pipes |
| 1871 | are the default size for the system. But sometimes when using TCP splicing, |
| 1872 | it can improve performance to increase pipe sizes, especially if it is |
| 1873 | suspected that pipes are not filled and that many calls to splice() are |
| 1874 | performed. This has an impact on the kernel's memory footprint, so this must |
| 1875 | not be changed if impacts are not understood. |
| 1876 | |
Olivier Houchard | 88698d9 | 2019-04-16 19:07:22 +0200 | [diff] [blame] | 1877 | tune.pool-low-fd-ratio <number> |
| 1878 | This setting sets the max number of file descriptors (in percentage) used by |
| 1879 | haproxy globally against the maximum number of file descriptors haproxy can |
| 1880 | use before we stop putting connection into the idle pool for reuse. The |
| 1881 | default is 20. |
| 1882 | |
| 1883 | tune.pool-high-fd-ratio <number> |
| 1884 | This setting sets the max number of file descriptors (in percentage) used by |
| 1885 | haproxy globally against the maximum number of file descriptors haproxy can |
| 1886 | use before we start killing idle connections when we can't reuse a connection |
| 1887 | and we have to create a new one. The default is 25 (one quarter of the file |
| 1888 | descriptor will mean that roughly half of the maximum front connections can |
| 1889 | keep an idle connection behind, anything beyond this probably doesn't make |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1890 | much sense in the general case when targeting connection reuse). |
Olivier Houchard | 88698d9 | 2019-04-16 19:07:22 +0200 | [diff] [blame] | 1891 | |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 1892 | tune.rcvbuf.client <number> |
| 1893 | tune.rcvbuf.server <number> |
| 1894 | Forces the kernel socket receive buffer size on the client or the server side |
| 1895 | to the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 1896 | and backends. It should normally never be set, and the default size (0) lets |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1897 | the kernel auto-tune this value depending on the amount of available memory. |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1898 | However it can sometimes help to set it to very low values (e.g. 4096) in |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 1899 | order to save kernel memory by preventing it from buffering too large amounts |
| 1900 | of received data. Lower values will significantly increase CPU usage though. |
| 1901 | |
Willy Tarreau | b22fc30 | 2015-12-14 12:04:35 +0100 | [diff] [blame] | 1902 | tune.recv_enough <number> |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1903 | HAProxy uses some hints to detect that a short read indicates the end of the |
Willy Tarreau | b22fc30 | 2015-12-14 12:04:35 +0100 | [diff] [blame] | 1904 | socket buffers. One of them is that a read returns more than <recv_enough> |
| 1905 | bytes, which defaults to 10136 (7 segments of 1448 each). This default value |
| 1906 | may be changed by this setting to better deal with workloads involving lots |
| 1907 | of short messages such as telnet or SSH sessions. |
| 1908 | |
Olivier Houchard | 1599b80 | 2018-05-24 18:59:04 +0200 | [diff] [blame] | 1909 | tune.runqueue-depth <number> |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1910 | Sets the maximum amount of task that can be processed at once when running |
Olivier Houchard | 1599b80 | 2018-05-24 18:59:04 +0200 | [diff] [blame] | 1911 | tasks. The default value is 200. Increasing it may incur latency when |
| 1912 | dealing with I/Os, making it too small can incur extra overhead. |
| 1913 | |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 1914 | tune.sndbuf.client <number> |
| 1915 | tune.sndbuf.server <number> |
| 1916 | Forces the kernel socket send buffer size on the client or the server side to |
| 1917 | the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 1918 | and backends. It should normally never be set, and the default size (0) lets |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 1919 | the kernel auto-tune this value depending on the amount of available memory. |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1920 | However it can sometimes help to set it to very low values (e.g. 4096) in |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 1921 | order to save kernel memory by preventing it from buffering too large amounts |
| 1922 | of received data. Lower values will significantly increase CPU usage though. |
| 1923 | Another use case is to prevent write timeouts with extremely slow clients due |
| 1924 | to the kernel waiting for a large part of the buffer to be read before |
| 1925 | notifying haproxy again. |
| 1926 | |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 1927 | tune.ssl.cachesize <number> |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 1928 | Sets the size of the global SSL session cache, in a number of blocks. A block |
| 1929 | is large enough to contain an encoded session without peer certificate. |
| 1930 | An encoded session with peer certificate is stored in multiple blocks |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1931 | depending on the size of the peer certificate. A block uses approximately |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 1932 | 200 bytes of memory. The default value may be forced at build time, otherwise |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1933 | defaults to 20000. When the cache is full, the most idle entries are purged |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 1934 | and reassigned. Higher values reduce the occurrence of such a purge, hence |
| 1935 | the number of CPU-intensive SSL handshakes by ensuring that all users keep |
| 1936 | their session as long as possible. All entries are pre-allocated upon startup |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 1937 | and are shared between all processes if "nbproc" is greater than 1. Setting |
| 1938 | this value to 0 disables the SSL session cache. |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 1939 | |
Emeric Brun | 8dc6039 | 2014-05-09 13:52:00 +0200 | [diff] [blame] | 1940 | tune.ssl.force-private-cache |
Lukas Tribus | 2793578 | 2018-10-01 02:00:16 +0200 | [diff] [blame] | 1941 | This option disables SSL session cache sharing between all processes. It |
Emeric Brun | 8dc6039 | 2014-05-09 13:52:00 +0200 | [diff] [blame] | 1942 | should normally not be used since it will force many renegotiations due to |
| 1943 | clients hitting a random process. But it may be required on some operating |
| 1944 | systems where none of the SSL cache synchronization method may be used. In |
| 1945 | this case, adding a first layer of hash-based load balancing before the SSL |
| 1946 | layer might limit the impact of the lack of session sharing. |
| 1947 | |
Emeric Brun | 4f65bff | 2012-11-16 15:11:00 +0100 | [diff] [blame] | 1948 | tune.ssl.lifetime <timeout> |
| 1949 | Sets how long a cached SSL session may remain valid. This time is expressed |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1950 | in seconds and defaults to 300 (5 min). It is important to understand that it |
Emeric Brun | 4f65bff | 2012-11-16 15:11:00 +0100 | [diff] [blame] | 1951 | does not guarantee that sessions will last that long, because if the cache is |
| 1952 | full, the longest idle sessions will be purged despite their configured |
| 1953 | lifetime. The real usefulness of this setting is to prevent sessions from |
| 1954 | being used for too long. |
| 1955 | |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 1956 | tune.ssl.maxrecord <number> |
| 1957 | Sets the maximum amount of bytes passed to SSL_write() at a time. Default |
| 1958 | value 0 means there is no limit. Over SSL/TLS, the client can decipher the |
| 1959 | data only once it has received a full record. With large records, it means |
| 1960 | that clients might have to download up to 16kB of data before starting to |
| 1961 | process them. Limiting the value can improve page load times on browsers |
| 1962 | located over high latency or low bandwidth networks. It is suggested to find |
| 1963 | optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over |
| 1964 | Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled), |
| 1965 | keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and |
| 1966 | 2859 gave good results during tests. Use "strace -e trace=write" to find the |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 1967 | best value. HAProxy will automatically switch to this setting after an idle |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 1968 | stream has been detected (see tune.idletimer above). |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 1969 | |
Remi Gacogne | f46cd6e | 2014-06-12 14:58:40 +0200 | [diff] [blame] | 1970 | tune.ssl.default-dh-param <number> |
| 1971 | Sets the maximum size of the Diffie-Hellman parameters used for generating |
| 1972 | the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The |
| 1973 | final size will try to match the size of the server's RSA (or DSA) key (e.g, |
| 1974 | a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed |
| 1975 | this maximum value. Default value if 1024. Only 1024 or higher values are |
| 1976 | allowed. Higher values will increase the CPU load, and values greater than |
| 1977 | 1024 bits are not supported by Java 7 and earlier clients. This value is not |
Remi Gacogne | 47783ef | 2015-05-29 15:53:22 +0200 | [diff] [blame] | 1978 | used if static Diffie-Hellman parameters are supplied either directly |
| 1979 | in the certificate file or by using the ssl-dh-param-file parameter. |
Remi Gacogne | f46cd6e | 2014-06-12 14:58:40 +0200 | [diff] [blame] | 1980 | |
Christopher Faulet | 31af49d | 2015-06-09 17:29:50 +0200 | [diff] [blame] | 1981 | tune.ssl.ssl-ctx-cache-size <number> |
| 1982 | Sets the size of the cache used to store generated certificates to <number> |
| 1983 | entries. This is a LRU cache. Because generating a SSL certificate |
| 1984 | dynamically is expensive, they are cached. The default cache size is set to |
| 1985 | 1000 entries. |
| 1986 | |
Thierry FOURNIER | 5bf7732 | 2017-02-25 12:45:22 +0100 | [diff] [blame] | 1987 | tune.ssl.capture-cipherlist-size <number> |
| 1988 | Sets the maximum size of the buffer used for capturing client-hello cipher |
| 1989 | list. If the value is 0 (default value) the capture is disabled, otherwise |
| 1990 | a buffer is allocated for each SSL/TLS connection. |
| 1991 | |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 1992 | tune.vars.global-max-size <size> |
Christopher Faulet | ff2613e | 2016-11-09 11:36:17 +0100 | [diff] [blame] | 1993 | tune.vars.proc-max-size <size> |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 1994 | tune.vars.reqres-max-size <size> |
| 1995 | tune.vars.sess-max-size <size> |
| 1996 | tune.vars.txn-max-size <size> |
Christopher Faulet | ff2613e | 2016-11-09 11:36:17 +0100 | [diff] [blame] | 1997 | These five tunes help to manage the maximum amount of memory used by the |
| 1998 | variables system. "global" limits the overall amount of memory available for |
| 1999 | all scopes. "proc" limits the memory for the process scope, "sess" limits the |
| 2000 | memory for the session scope, "txn" for the transaction scope, and "reqres" |
| 2001 | limits the memory for each request or response processing. |
| 2002 | Memory accounting is hierarchical, meaning more coarse grained limits include |
| 2003 | the finer grained ones: "proc" includes "sess", "sess" includes "txn", and |
| 2004 | "txn" includes "reqres". |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 2005 | |
Daniel Schneller | 0b54705 | 2016-03-21 20:46:57 +0100 | [diff] [blame] | 2006 | For example, when "tune.vars.sess-max-size" is limited to 100, |
| 2007 | "tune.vars.txn-max-size" and "tune.vars.reqres-max-size" cannot exceed |
| 2008 | 100 either. If we create a variable "txn.var" that contains 100 bytes, |
| 2009 | all available space is consumed. |
| 2010 | Notice that exceeding the limits at runtime will not result in an error |
| 2011 | message, but values might be cut off or corrupted. So make sure to accurately |
| 2012 | plan for the amount of space needed to store all your variables. |
Thierry FOURNIER | 4834bc7 | 2015-06-06 19:29:07 +0200 | [diff] [blame] | 2013 | |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 2014 | tune.zlib.memlevel <number> |
| 2015 | Sets the memLevel parameter in zlib initialization for each session. It |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 2016 | defines how much memory should be allocated for the internal compression |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 2017 | state. A value of 1 uses minimum memory but is slow and reduces compression |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 2018 | ratio, a value of 9 uses maximum memory for optimal speed. Can be a value |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 2019 | between 1 and 9. The default value is 8. |
| 2020 | |
| 2021 | tune.zlib.windowsize <number> |
| 2022 | Sets the window size (the size of the history buffer) as a parameter of the |
| 2023 | zlib initialization for each session. Larger values of this parameter result |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 2024 | in better compression at the expense of memory usage. Can be a value between |
| 2025 | 8 and 15. The default value is 15. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2026 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2027 | 3.3. Debugging |
| 2028 | -------------- |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2029 | |
| 2030 | debug |
| 2031 | Enables debug mode which dumps to stdout all exchanges, and disables forking |
| 2032 | into background. It is the equivalent of the command-line argument "-d". It |
| 2033 | should never be used in a production configuration since it may prevent full |
| 2034 | system startup. |
| 2035 | |
| 2036 | quiet |
| 2037 | Do not display any message during startup. It is equivalent to the command- |
| 2038 | line argument "-q". |
| 2039 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2040 | |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2041 | 3.4. Userlists |
| 2042 | -------------- |
| 2043 | It is possible to control access to frontend/backend/listen sections or to |
| 2044 | http stats by allowing only authenticated and authorized users. To do this, |
| 2045 | it is required to create at least one userlist and to define users. |
| 2046 | |
| 2047 | userlist <listname> |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2048 | Creates new userlist with name <listname>. Many independent userlists can be |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2049 | used to store authentication & authorization data for independent customers. |
| 2050 | |
| 2051 | group <groupname> [users <user>,<user>,(...)] |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2052 | Adds group <groupname> to the current userlist. It is also possible to |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2053 | attach users to this group by using a comma separated list of names |
| 2054 | proceeded by "users" keyword. |
| 2055 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2056 | user <username> [password|insecure-password <password>] |
| 2057 | [groups <group>,<group>,(...)] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2058 | Adds user <username> to the current userlist. Both secure (encrypted) and |
| 2059 | insecure (unencrypted) passwords can be used. Encrypted passwords are |
Daniel Schneller | d06f31c | 2017-11-06 16:51:04 +0100 | [diff] [blame] | 2060 | evaluated using the crypt(3) function, so depending on the system's |
| 2061 | capabilities, different algorithms are supported. For example, modern Glibc |
| 2062 | based Linux systems support MD5, SHA-256, SHA-512, and, of course, the |
| 2063 | classic DES-based method of encrypting passwords. |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2064 | |
Daniel Schneller | d06f31c | 2017-11-06 16:51:04 +0100 | [diff] [blame] | 2065 | Attention: Be aware that using encrypted passwords might cause significantly |
| 2066 | increased CPU usage, depending on the number of requests, and the algorithm |
| 2067 | used. For any of the hashed variants, the password for each request must |
| 2068 | be processed through the chosen algorithm, before it can be compared to the |
| 2069 | value specified in the config file. Most current algorithms are deliberately |
| 2070 | designed to be expensive to compute to achieve resistance against brute |
| 2071 | force attacks. They do not simply salt/hash the clear text password once, |
| 2072 | but thousands of times. This can quickly become a major factor in haproxy's |
| 2073 | overall CPU consumption! |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2074 | |
| 2075 | Example: |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2076 | userlist L1 |
| 2077 | group G1 users tiger,scott |
| 2078 | group G2 users xdb,scott |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2079 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2080 | user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91 |
| 2081 | user scott insecure-password elgato |
| 2082 | user xdb insecure-password hello |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2083 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2084 | userlist L2 |
| 2085 | group G1 |
| 2086 | group G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2087 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2088 | user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1 |
| 2089 | user scott insecure-password elgato groups G1,G2 |
| 2090 | user xdb insecure-password hello groups G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2091 | |
| 2092 | Please note that both lists are functionally identical. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2093 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2094 | |
| 2095 | 3.5. Peers |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 2096 | ---------- |
Emeric Brun | 9490095 | 2015-06-11 18:25:54 +0200 | [diff] [blame] | 2097 | It is possible to propagate entries of any data-types in stick-tables between |
| 2098 | several haproxy instances over TCP connections in a multi-master fashion. Each |
| 2099 | instance pushes its local updates and insertions to remote peers. The pushed |
| 2100 | values overwrite remote ones without aggregation. Interrupted exchanges are |
| 2101 | automatically detected and recovered from the last known point. |
| 2102 | In addition, during a soft restart, the old process connects to the new one |
| 2103 | using such a TCP connection to push all its entries before the new process |
| 2104 | tries to connect to other peers. That ensures very fast replication during a |
| 2105 | reload, it typically takes a fraction of a second even for large tables. |
| 2106 | Note that Server IDs are used to identify servers remotely, so it is important |
| 2107 | that configurations look similar or at least that the same IDs are forced on |
| 2108 | each server on all participants. |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2109 | |
| 2110 | peers <peersect> |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2111 | Creates a new peer list with name <peersect>. It is an independent section, |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2112 | which is referenced by one or more stick-tables. |
| 2113 | |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2114 | bind [<address>]:<port_range> [, ...] [param*] |
| 2115 | Defines the binding parameters of the local peer of this "peers" section. |
| 2116 | Such lines are not supported with "peer" line in the same "peers" section. |
| 2117 | |
Willy Tarreau | 77e4bd1 | 2015-05-01 20:02:17 +0200 | [diff] [blame] | 2118 | disabled |
| 2119 | Disables a peers section. It disables both listening and any synchronization |
| 2120 | related to this section. This is provided to disable synchronization of stick |
| 2121 | tables without having to comment out all "peers" references. |
| 2122 | |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2123 | default-bind [param*] |
| 2124 | Defines the binding parameters for the local peer, excepted its address. |
| 2125 | |
| 2126 | default-server [param*] |
| 2127 | Change default options for a server in a "peers" section. |
| 2128 | |
| 2129 | Arguments: |
| 2130 | <param*> is a list of parameters for this server. The "default-server" |
| 2131 | keyword accepts an important number of options and has a complete |
| 2132 | section dedicated to it. Please refer to section 5 for more |
| 2133 | details. |
| 2134 | |
| 2135 | |
| 2136 | See also: "server" and section 5 about server options |
| 2137 | |
Willy Tarreau | 77e4bd1 | 2015-05-01 20:02:17 +0200 | [diff] [blame] | 2138 | enable |
| 2139 | This re-enables a disabled peers section which was previously disabled. |
| 2140 | |
Frédéric Lécaille | b6f759b | 2019-11-05 09:57:45 +0100 | [diff] [blame] | 2141 | log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>] |
| 2142 | <facility> [<level> [<minlevel>]] |
| 2143 | "peers" sections support the same "log" keyword as for the proxies to |
| 2144 | log information about the "peers" listener. See "log" option for proxies for |
| 2145 | more details. |
| 2146 | |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2147 | peer <peername> <ip>:<port> [param*] |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2148 | Defines a peer inside a peers section. |
| 2149 | If <peername> is set to the local peer name (by default hostname, or forced |
| 2150 | using "-L" command line option), haproxy will listen for incoming remote peer |
| 2151 | connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to |
| 2152 | to join the remote peer, and <peername> is used at the protocol level to |
| 2153 | identify and validate the remote peer on the server side. |
| 2154 | |
| 2155 | During a soft restart, local peer <ip>:<port> is used by the old instance to |
| 2156 | connect the new one and initiate a complete replication (teaching process). |
| 2157 | |
| 2158 | It is strongly recommended to have the exact same peers declaration on all |
| 2159 | peers and to only rely on the "-L" command line argument to change the local |
| 2160 | peer name. This makes it easier to maintain coherent configuration files |
| 2161 | across all peers. |
| 2162 | |
William Lallemand | b2f0745 | 2015-05-12 14:27:13 +0200 | [diff] [blame] | 2163 | You may want to reference some environment variables in the address |
| 2164 | parameter, see section 2.3 about environment variables. |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 2165 | |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2166 | Note: "peer" keyword may transparently be replaced by "server" keyword (see |
| 2167 | "server" keyword explanation below). |
| 2168 | |
| 2169 | server <peername> [<ip>:<port>] [param*] |
Michael Prokop | 4438c60 | 2019-05-24 10:25:45 +0200 | [diff] [blame] | 2170 | As previously mentioned, "peer" keyword may be replaced by "server" keyword |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2171 | with a support for all "server" parameters found in 5.2 paragraph. |
| 2172 | If the underlying peer is local, <ip>:<port> parameters must not be present. |
| 2173 | These parameters must be provided on a "bind" line (see "bind" keyword |
| 2174 | of this "peers" section). |
| 2175 | Some of these parameters are irrelevant for "peers" sections. |
| 2176 | |
| 2177 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 2178 | Example: |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2179 | # The old way. |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2180 | peers mypeers |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 2181 | peer haproxy1 192.168.0.1:1024 |
| 2182 | peer haproxy2 192.168.0.2:1024 |
| 2183 | peer haproxy3 10.2.0.1:1024 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2184 | |
| 2185 | backend mybackend |
| 2186 | mode tcp |
| 2187 | balance roundrobin |
| 2188 | stick-table type ip size 20k peers mypeers |
| 2189 | stick on src |
| 2190 | |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 2191 | server srv1 192.168.0.30:80 |
| 2192 | server srv2 192.168.0.31:80 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2193 | |
Frédéric Lécaille | 2f167b3 | 2019-01-11 14:13:54 +0100 | [diff] [blame] | 2194 | Example: |
| 2195 | peers mypeers |
| 2196 | bind 127.0.0.11:10001 ssl crt mycerts/pem |
| 2197 | default-server ssl verify none |
| 2198 | server hostA 127.0.0.10:10000 |
| 2199 | server hostB #local peer |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 2200 | |
Frédéric Lécaille | 4f5b77c | 2019-03-18 14:05:58 +0100 | [diff] [blame] | 2201 | |
| 2202 | table <tablename> type {ip | integer | string [len <length>] | binary [len <length>]} |
| 2203 | size <size> [expire <expire>] [nopurge] [store <data_type>]* |
| 2204 | |
| 2205 | Configure a stickiness table for the current section. This line is parsed |
| 2206 | exactly the same way as the "stick-table" keyword in others section, except |
John Roesler | fb2fce1 | 2019-07-10 15:45:51 -0500 | [diff] [blame] | 2207 | for the "peers" argument which is not required here and with an additional |
Frédéric Lécaille | 4f5b77c | 2019-03-18 14:05:58 +0100 | [diff] [blame] | 2208 | mandatory first parameter to designate the stick-table. Contrary to others |
| 2209 | sections, there may be several "table" lines in "peers" sections (see also |
| 2210 | "stick-table" keyword). |
| 2211 | |
| 2212 | Also be aware of the fact that "peers" sections have their own stick-table |
| 2213 | namespaces to avoid collisions between stick-table names identical in |
| 2214 | different "peers" section. This is internally handled prepending the "peers" |
| 2215 | sections names to the name of the stick-tables followed by a '/' character. |
| 2216 | If somewhere else in the configuration file you have to refer to such |
| 2217 | stick-tables declared in "peers" sections you must use the prefixed version |
| 2218 | of the stick-table name as follows: |
| 2219 | |
| 2220 | peers mypeers |
| 2221 | peer A ... |
| 2222 | peer B ... |
| 2223 | table t1 ... |
| 2224 | |
| 2225 | frontend fe1 |
| 2226 | tcp-request content track-sc0 src table mypeers/t1 |
| 2227 | |
| 2228 | This is also this prefixed version of the stick-table names which must be |
| 2229 | used to refer to stick-tables through the CLI. |
| 2230 | |
| 2231 | About "peers" protocol, as only "peers" belonging to the same section may |
| 2232 | communicate with each others, there is no need to do such a distinction. |
| 2233 | Several "peers" sections may declare stick-tables with the same name. |
| 2234 | This is shorter version of the stick-table name which is sent over the network. |
| 2235 | There is only a '/' character as prefix to avoid stick-table name collisions between |
| 2236 | stick-tables declared as backends and stick-table declared in "peers" sections |
| 2237 | as follows in this weird but supported configuration: |
| 2238 | |
| 2239 | peers mypeers |
| 2240 | peer A ... |
| 2241 | peer B ... |
| 2242 | table t1 type string size 10m store gpc0 |
| 2243 | |
| 2244 | backend t1 |
| 2245 | stick-table type string size 10m store gpc0 peers mypeers |
| 2246 | |
| 2247 | Here "t1" table declared in "mypeeers" section has "mypeers/t1" as global name. |
| 2248 | "t1" table declared as a backend as "t1" as global name. But at peer protocol |
| 2249 | level the former table is named "/t1", the latter is again named "t1". |
| 2250 | |
Simon Horman | 51a1cf6 | 2015-02-03 13:00:44 +0900 | [diff] [blame] | 2251 | 3.6. Mailers |
| 2252 | ------------ |
| 2253 | It is possible to send email alerts when the state of servers changes. |
| 2254 | If configured email alerts are sent to each mailer that is configured |
| 2255 | in a mailers section. Email is sent to mailers using SMTP. |
| 2256 | |
Pieter Baauw | 386a127 | 2015-08-16 15:26:24 +0200 | [diff] [blame] | 2257 | mailers <mailersect> |
Simon Horman | 51a1cf6 | 2015-02-03 13:00:44 +0900 | [diff] [blame] | 2258 | Creates a new mailer list with the name <mailersect>. It is an |
| 2259 | independent section which is referenced by one or more proxies. |
| 2260 | |
| 2261 | mailer <mailername> <ip>:<port> |
| 2262 | Defines a mailer inside a mailers section. |
| 2263 | |
| 2264 | Example: |
| 2265 | mailers mymailers |
| 2266 | mailer smtp1 192.168.0.1:587 |
| 2267 | mailer smtp2 192.168.0.2:587 |
| 2268 | |
| 2269 | backend mybackend |
| 2270 | mode tcp |
| 2271 | balance roundrobin |
| 2272 | |
| 2273 | email-alert mailers mymailers |
| 2274 | email-alert from test1@horms.org |
| 2275 | email-alert to test2@horms.org |
| 2276 | |
| 2277 | server srv1 192.168.0.30:80 |
| 2278 | server srv2 192.168.0.31:80 |
| 2279 | |
Pieter Baauw | 235fcfc | 2016-02-13 15:33:40 +0100 | [diff] [blame] | 2280 | timeout mail <time> |
| 2281 | Defines the time available for a mail/connection to be made and send to |
| 2282 | the mail-server. If not defined the default value is 10 seconds. To allow |
| 2283 | for at least two SYN-ACK packets to be send during initial TCP handshake it |
| 2284 | is advised to keep this value above 4 seconds. |
| 2285 | |
| 2286 | Example: |
| 2287 | mailers mymailers |
| 2288 | timeout mail 20s |
| 2289 | mailer smtp1 192.168.0.1:587 |
Simon Horman | 51a1cf6 | 2015-02-03 13:00:44 +0900 | [diff] [blame] | 2290 | |
William Lallemand | c951552 | 2019-06-12 16:32:11 +0200 | [diff] [blame] | 2291 | 3.7. Programs |
| 2292 | ------------- |
| 2293 | In master-worker mode, it is possible to launch external binaries with the |
| 2294 | master, these processes are called programs. These programs are launched and |
| 2295 | managed the same way as the workers. |
| 2296 | |
| 2297 | During a reload of HAProxy, those processes are dealing with the same |
| 2298 | sequence as a worker: |
| 2299 | |
| 2300 | - the master is re-executed |
| 2301 | - the master sends a SIGUSR1 signal to the program |
| 2302 | - if "option start-on-reload" is not disabled, the master launches a new |
| 2303 | instance of the program |
| 2304 | |
| 2305 | During a stop, or restart, a SIGTERM is sent to the programs. |
| 2306 | |
| 2307 | program <name> |
| 2308 | This is a new program section, this section will create an instance <name> |
| 2309 | which is visible in "show proc" on the master CLI. (See "9.4. Master CLI" in |
| 2310 | the management guide). |
| 2311 | |
| 2312 | command <command> [arguments*] |
| 2313 | Define the command to start with optional arguments. The command is looked |
| 2314 | up in the current PATH if it does not include an absolute path. This is a |
| 2315 | mandatory option of the program section. Arguments containing spaces must |
| 2316 | be enclosed in quotes or double quotes or be prefixed by a backslash. |
| 2317 | |
Andrew Heberle | 9723696 | 2019-07-12 11:50:26 +0800 | [diff] [blame] | 2318 | user <user name> |
| 2319 | Changes the executed command user ID to the <user name> from /etc/passwd. |
| 2320 | See also "group". |
| 2321 | |
| 2322 | group <group name> |
| 2323 | Changes the executed command group ID to the <group name> from /etc/group. |
| 2324 | See also "user". |
| 2325 | |
William Lallemand | c951552 | 2019-06-12 16:32:11 +0200 | [diff] [blame] | 2326 | option start-on-reload |
| 2327 | no option start-on-reload |
| 2328 | Start (or not) a new instance of the program upon a reload of the master. |
| 2329 | The default is to start a new instance. This option may only be used in a |
| 2330 | program section. |
| 2331 | |
| 2332 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2333 | 4. Proxies |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2334 | ---------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2335 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2336 | Proxy configuration can be located in a set of sections : |
William Lallemand | 6e62fb6 | 2015-04-28 16:55:23 +0200 | [diff] [blame] | 2337 | - defaults [<name>] |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2338 | - frontend <name> |
| 2339 | - backend <name> |
| 2340 | - listen <name> |
| 2341 | |
| 2342 | A "defaults" section sets default parameters for all other sections following |
| 2343 | its declaration. Those default parameters are reset by the next "defaults" |
| 2344 | section. See below for the list of parameters which can be set in a "defaults" |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2345 | section. The name is optional but its use is encouraged for better readability. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2346 | |
| 2347 | A "frontend" section describes a set of listening sockets accepting client |
| 2348 | connections. |
| 2349 | |
| 2350 | A "backend" section describes a set of servers to which the proxy will connect |
| 2351 | to forward incoming connections. |
| 2352 | |
| 2353 | A "listen" section defines a complete proxy with its frontend and backend |
| 2354 | parts combined in one section. It is generally useful for TCP-only traffic. |
| 2355 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2356 | All proxy names must be formed from upper and lower case letters, digits, |
| 2357 | '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are |
| 2358 | case-sensitive, which means that "www" and "WWW" are two different proxies. |
| 2359 | |
| 2360 | Historically, all proxy names could overlap, it just caused troubles in the |
| 2361 | logs. Since the introduction of content switching, it is mandatory that two |
| 2362 | proxies with overlapping capabilities (frontend/backend) have different names. |
| 2363 | However, it is still permitted that a frontend and a backend share the same |
| 2364 | name, as this configuration seems to be commonly encountered. |
| 2365 | |
| 2366 | Right now, two major proxy modes are supported : "tcp", also known as layer 4, |
| 2367 | and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2368 | bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2369 | protocol, and can interact with it by allowing, blocking, switching, adding, |
| 2370 | modifying, or removing arbitrary contents in requests or responses, based on |
| 2371 | arbitrary criteria. |
| 2372 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2373 | In HTTP mode, the processing applied to requests and responses flowing over |
| 2374 | a connection depends in the combination of the frontend's HTTP options and |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2375 | the backend's. HAProxy supports 4 connection modes : |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2376 | |
| 2377 | - KAL : keep alive ("option http-keep-alive") which is the default mode : all |
| 2378 | requests and responses are processed, and connections remain open but idle |
| 2379 | between responses and new requests. |
| 2380 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2381 | - SCL: server close ("option http-server-close") : the server-facing |
| 2382 | connection is closed after the end of the response is received, but the |
| 2383 | client-facing connection remains open. |
| 2384 | |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2385 | - CLO: close ("option httpclose"): the connection is closed after the end of |
| 2386 | the response and "Connection: close" appended in both directions. |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2387 | |
| 2388 | The effective mode that will be applied to a connection passing through a |
| 2389 | frontend and a backend can be determined by both proxy modes according to the |
| 2390 | following matrix, but in short, the modes are symmetric, keep-alive is the |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2391 | weakest option and close is the strongest. |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2392 | |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2393 | Backend mode |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2394 | |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2395 | | KAL | SCL | CLO |
| 2396 | ----+-----+-----+---- |
| 2397 | KAL | KAL | SCL | CLO |
| 2398 | ----+-----+-----+---- |
Christopher Faulet | 315b39c | 2018-09-21 16:26:19 +0200 | [diff] [blame] | 2399 | mode SCL | SCL | SCL | CLO |
| 2400 | ----+-----+-----+---- |
| 2401 | CLO | CLO | CLO | CLO |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2402 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2403 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 2404 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2405 | 4.1. Proxy keywords matrix |
| 2406 | -------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2407 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2408 | The following list of keywords is supported. Most of them may only be used in a |
| 2409 | limited set of section types. Some of them are marked as "deprecated" because |
| 2410 | they are inherited from an old syntax which may be confusing or functionally |
| 2411 | limited, and there are new recommended keywords to replace them. Keywords |
Davor Ocelic | e9ed281 | 2017-12-25 17:49:28 +0100 | [diff] [blame] | 2412 | marked with "(*)" can be optionally inverted using the "no" prefix, e.g. "no |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2413 | option contstats". This makes sense when the option has been enabled by default |
Willy Tarreau | 3842f00 | 2009-06-14 11:39:52 +0200 | [diff] [blame] | 2414 | and must be disabled for a specific instance. Such options may also be prefixed |
| 2415 | with "default" in order to restore default settings regardless of what has been |
| 2416 | specified in a previous "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2417 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2418 | |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2419 | keyword defaults frontend listen backend |
| 2420 | ------------------------------------+----------+----------+---------+--------- |
| 2421 | acl - X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2422 | backlog X X X - |
| 2423 | balance X - X X |
| 2424 | bind - X X - |
| 2425 | bind-process X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2426 | capture cookie - X X - |
| 2427 | capture request header - X X - |
| 2428 | capture response header - X X - |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 2429 | compression X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2430 | cookie X - X X |
Thierry FOURNIER | a0a1b75 | 2015-05-26 17:44:32 +0200 | [diff] [blame] | 2431 | declare capture - X X - |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2432 | default-server X - X X |
| 2433 | default_backend X X X - |
| 2434 | description - X X X |
| 2435 | disabled X X X X |
| 2436 | dispatch - - X X |
Simon Horman | 51a1cf6 | 2015-02-03 13:00:44 +0900 | [diff] [blame] | 2437 | email-alert from X X X X |
Simon Horman | 64e3416 | 2015-02-06 11:11:57 +0900 | [diff] [blame] | 2438 | email-alert level X X X X |
Simon Horman | 51a1cf6 | 2015-02-03 13:00:44 +0900 | [diff] [blame] | 2439 | email-alert mailers X X X X |
| 2440 | email-alert myhostname X X X X |
| 2441 | email-alert to X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 2442 | enabled X X X X |
| 2443 | errorfile X X X X |
| 2444 | errorloc X X X X |
| 2445 | errorloc302 X X X X |
| 2446 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 2447 | errorloc303 X X X X |
Cyril Bonté | |