blob: 9aa7e1c6d27b373aece27ef61b965d0b62a9b5a2 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaua0564f32012-05-08 21:56:27 +02007 2012/05/08
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100565. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057
586. HTTP header manipulation
59
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100607. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200617.1. Matching integers
627.2. Matching strings
637.3. Matching regular expressions (regexes)
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200647.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200657.5. Available matching criteria
667.5.1. Matching at Layer 4 and below
677.5.2. Matching contents at Layer 4
687.5.3. Matching at Layer 7
697.6. Pre-defined ACLs
707.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100717.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072
738. Logging
748.1. Log levels
758.2. Log formats
768.2.1. Default log format
778.2.2. TCP log format
788.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100798.2.4. Custom log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200808.3. Advanced logging options
818.3.1. Disabling logging of external tests
828.3.2. Logging before waiting for the session to terminate
838.3.3. Raising log level upon errors
848.3.4. Disabling logging of successful connections
858.4. Timing events
868.5. Session state at disconnection
878.6. Non-printable characters
888.7. Capturing HTTP cookies
898.8. Capturing HTTP headers
908.9. Examples of logs
91
929. Statistics and monitoring
939.1. CSV format
949.2. Unix Socket commands
95
96
971. Quick reminder about HTTP
98----------------------------
99
100When haproxy is running in HTTP mode, both the request and the response are
101fully analyzed and indexed, thus it becomes possible to build matching criteria
102on almost anything found in the contents.
103
104However, it is important to understand how HTTP requests and responses are
105formed, and how HAProxy decomposes them. It will then become easier to write
106correct rules and to debug existing configurations.
107
108
1091.1. The HTTP transaction model
110-------------------------------
111
112The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100113to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200114from the client to the server, a request is sent by the client on the
115connection, the server responds and the connection is closed. A new request
116will involve a new connection :
117
118 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
119
120In this mode, called the "HTTP close" mode, there are as many connection
121establishments as there are HTTP transactions. Since the connection is closed
122by the server after the response, the client does not need to know the content
123length.
124
125Due to the transactional nature of the protocol, it was possible to improve it
126to avoid closing a connection between two subsequent transactions. In this mode
127however, it is mandatory that the server indicates the content length for each
128response so that the client does not wait indefinitely. For this, a special
129header is used: "Content-length". This mode is called the "keep-alive" mode :
130
131 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
132
133Its advantages are a reduced latency between transactions, and less processing
134power required on the server side. It is generally better than the close mode,
135but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200136a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137
138A last improvement in the communications is the pipelining mode. It still uses
139keep-alive, but the client does not wait for the first response to send the
140second request. This is useful for fetching large number of images composing a
141page :
142
143 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
144
145This can obviously have a tremendous benefit on performance because the network
146latency is eliminated between subsequent requests. Many HTTP agents do not
147correctly support pipelining since there is no way to associate a response with
148the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100149server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200150
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200151By default HAProxy operates in a tunnel-like mode with regards to persistent
152connections: for each connection it processes the first request and forwards
153everything else (including additional requests) to selected server. Once
154established, the connection is persisted both on the client and server
155sides. Use "option http-server-close" to preserve client persistent connections
156while handling every incoming request individually, dispatching them one after
157another to servers, in HTTP close mode. Use "option httpclose" to switch both
158sides to HTTP close mode. "option forceclose" and "option
159http-pretend-keepalive" help working around servers misbehaving in HTTP close
160mode.
161
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200162
1631.2. HTTP request
164-----------------
165
166First, let's consider this HTTP request :
167
168 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100169 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200170 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
171 2 Host: www.mydomain.com
172 3 User-agent: my small browser
173 4 Accept: image/jpeg, image/gif
174 5 Accept: image/png
175
176
1771.2.1. The Request line
178-----------------------
179
180Line 1 is the "request line". It is always composed of 3 fields :
181
182 - a METHOD : GET
183 - a URI : /serv/login.php?lang=en&profile=2
184 - a version tag : HTTP/1.1
185
186All of them are delimited by what the standard calls LWS (linear white spaces),
187which are commonly spaces, but can also be tabs or line feeds/carriage returns
188followed by spaces/tabs. The method itself cannot contain any colon (':') and
189is limited to alphabetic letters. All those various combinations make it
190desirable that HAProxy performs the splitting itself rather than leaving it to
191the user to write a complex or inaccurate regular expression.
192
193The URI itself can have several forms :
194
195 - A "relative URI" :
196
197 /serv/login.php?lang=en&profile=2
198
199 It is a complete URL without the host part. This is generally what is
200 received by servers, reverse proxies and transparent proxies.
201
202 - An "absolute URI", also called a "URL" :
203
204 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
205
206 It is composed of a "scheme" (the protocol name followed by '://'), a host
207 name or address, optionally a colon (':') followed by a port number, then
208 a relative URI beginning at the first slash ('/') after the address part.
209 This is generally what proxies receive, but a server supporting HTTP/1.1
210 must accept this form too.
211
212 - a star ('*') : this form is only accepted in association with the OPTIONS
213 method and is not relayable. It is used to inquiry a next hop's
214 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100215
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200216 - an address:port combination : 192.168.0.12:80
217 This is used with the CONNECT method, which is used to establish TCP
218 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
219 other protocols too.
220
221In a relative URI, two sub-parts are identified. The part before the question
222mark is called the "path". It is typically the relative path to static objects
223on the server. The part after the question mark is called the "query string".
224It is mostly used with GET requests sent to dynamic scripts and is very
225specific to the language, framework or application in use.
226
227
2281.2.2. The request headers
229--------------------------
230
231The headers start at the second line. They are composed of a name at the
232beginning of the line, immediately followed by a colon (':'). Traditionally,
233an LWS is added after the colon but that's not required. Then come the values.
234Multiple identical headers may be folded into one single line, delimiting the
235values with commas, provided that their order is respected. This is commonly
236encountered in the "Cookie:" field. A header may span over multiple lines if
237the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
238define a total of 3 values for the "Accept:" header.
239
240Contrary to a common mis-conception, header names are not case-sensitive, and
241their values are not either if they refer to other header names (such as the
242"Connection:" header).
243
244The end of the headers is indicated by the first empty line. People often say
245that it's a double line feed, which is not exact, even if a double line feed
246is one valid form of empty line.
247
248Fortunately, HAProxy takes care of all these complex combinations when indexing
249headers, checking values and counting them, so there is no reason to worry
250about the way they could be written, but it is important not to accuse an
251application of being buggy if it does unusual, valid things.
252
253Important note:
254 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
255 in the middle of headers by LWS in order to join multi-line headers. This
256 is necessary for proper analysis and helps less capable HTTP parsers to work
257 correctly and not to be fooled by such complex constructs.
258
259
2601.3. HTTP response
261------------------
262
263An HTTP response looks very much like an HTTP request. Both are called HTTP
264messages. Let's consider this HTTP response :
265
266 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100267 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200268 1 HTTP/1.1 200 OK
269 2 Content-length: 350
270 3 Content-Type: text/html
271
Willy Tarreau816b9792009-09-15 21:25:21 +0200272As a special case, HTTP supports so called "Informational responses" as status
273codes 1xx. These messages are special in that they don't convey any part of the
274response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100275continue to post its request for instance. In the case of a status 100 response
276the requested information will be carried by the next non-100 response message
277following the informational one. This implies that multiple responses may be
278sent to a single request, and that this only works when keep-alive is enabled
279(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
280correctly forward and skip them, and only process the next non-100 response. As
281such, these messages are neither logged nor transformed, unless explicitly
282state otherwise. Status 101 messages indicate that the protocol is changing
283over the same connection and that haproxy must switch to tunnel mode, just as
284if a CONNECT had occurred. Then the Upgrade header would contain additional
285information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200286
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200287
2881.3.1. The Response line
289------------------------
290
291Line 1 is the "response line". It is always composed of 3 fields :
292
293 - a version tag : HTTP/1.1
294 - a status code : 200
295 - a reason : OK
296
297The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200298 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200299 - 2xx = OK, content is following (eg: 200, 206)
300 - 3xx = OK, no content following (eg: 302, 304)
301 - 4xx = error caused by the client (eg: 401, 403, 404)
302 - 5xx = error caused by the server (eg: 500, 502, 503)
303
304Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100305"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200306found there, but it's a common practice to respect the well-established
307messages. It can be composed of one or multiple words, such as "OK", "Found",
308or "Authentication Required".
309
310Haproxy may emit the following status codes by itself :
311
312 Code When / reason
313 200 access to stats page, and when replying to monitoring requests
314 301 when performing a redirection, depending on the configured code
315 302 when performing a redirection, depending on the configured code
316 303 when performing a redirection, depending on the configured code
317 400 for an invalid or too large request
318 401 when an authentication is required to perform the action (when
319 accessing the stats page)
320 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
321 408 when the request timeout strikes before the request is complete
322 500 when haproxy encounters an unrecoverable internal error, such as a
323 memory allocation failure, which should never happen
324 502 when the server returns an empty, invalid or incomplete response, or
325 when an "rspdeny" filter blocks the response.
326 503 when no server was available to handle the request, or in response to
327 monitoring requests which match the "monitor fail" condition
328 504 when the response timeout strikes before the server responds
329
330The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3314.2).
332
333
3341.3.2. The response headers
335---------------------------
336
337Response headers work exactly like request headers, and as such, HAProxy uses
338the same parsing function for both. Please refer to paragraph 1.2.2 for more
339details.
340
341
3422. Configuring HAProxy
343----------------------
344
3452.1. Configuration file format
346------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200347
348HAProxy's configuration process involves 3 major sources of parameters :
349
350 - the arguments from the command-line, which always take precedence
351 - the "global" section, which sets process-wide parameters
352 - the proxies sections which can take form of "defaults", "listen",
353 "frontend" and "backend".
354
Willy Tarreau0ba27502007-12-24 16:55:16 +0100355The configuration file syntax consists in lines beginning with a keyword
356referenced in this manual, optionally followed by one or several parameters
357delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100358preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100359escaped by doubling them.
360
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200361
3622.2. Time format
363----------------
364
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100365Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100366values are generally expressed in milliseconds (unless explicitly stated
367otherwise) but may be expressed in any other unit by suffixing the unit to the
368numeric value. It is important to consider this because it will not be repeated
369for every keyword. Supported units are :
370
371 - us : microseconds. 1 microsecond = 1/1000000 second
372 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
373 - s : seconds. 1s = 1000ms
374 - m : minutes. 1m = 60s = 60000ms
375 - h : hours. 1h = 60m = 3600s = 3600000ms
376 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
377
378
Patrick Mezard35da19c2010-06-12 17:02:47 +02003792.3. Examples
380-------------
381
382 # Simple configuration for an HTTP proxy listening on port 80 on all
383 # interfaces and forwarding requests to a single backend "servers" with a
384 # single server "server1" listening on 127.0.0.1:8000
385 global
386 daemon
387 maxconn 256
388
389 defaults
390 mode http
391 timeout connect 5000ms
392 timeout client 50000ms
393 timeout server 50000ms
394
395 frontend http-in
396 bind *:80
397 default_backend servers
398
399 backend servers
400 server server1 127.0.0.1:8000 maxconn 32
401
402
403 # The same configuration defined with a single listen block. Shorter but
404 # less expressive, especially in HTTP mode.
405 global
406 daemon
407 maxconn 256
408
409 defaults
410 mode http
411 timeout connect 5000ms
412 timeout client 50000ms
413 timeout server 50000ms
414
415 listen http-in
416 bind *:80
417 server server1 127.0.0.1:8000 maxconn 32
418
419
420Assuming haproxy is in $PATH, test these configurations in a shell with:
421
Willy Tarreauccb289d2010-12-11 20:19:38 +0100422 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200423
424
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004253. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200426--------------------
427
428Parameters in the "global" section are process-wide and often OS-specific. They
429are generally set once for all and do not need being changed once correct. Some
430of them have command-line equivalents.
431
432The following keywords are supported in the "global" section :
433
434 * Process management and security
435 - chroot
436 - daemon
437 - gid
438 - group
439 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100440 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200441 - nbproc
442 - pidfile
443 - uid
444 - ulimit-n
445 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200446 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200447 - node
448 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100449 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100450
Willy Tarreau6a06a402007-07-15 20:15:28 +0200451 * Performance tuning
452 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200453 - maxconnrate
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200455 - noepoll
456 - nokqueue
457 - nopoll
458 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100459 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200460 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200461 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200462 - tune.chksize
Willy Tarreauac1932d2011-10-24 19:14:41 +0200463 - tune.http.maxhdr
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100464 - tune.maxaccept
465 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200466 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200467 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100468 - tune.rcvbuf.client
469 - tune.rcvbuf.server
470 - tune.sndbuf.client
471 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100472
Willy Tarreau6a06a402007-07-15 20:15:28 +0200473 * Debugging
474 - debug
475 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200476
477
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004783.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200479------------------------------------
480
481chroot <jail dir>
482 Changes current directory to <jail dir> and performs a chroot() there before
483 dropping privileges. This increases the security level in case an unknown
484 vulnerability would be exploited, since it would make it very hard for the
485 attacker to exploit the system. This only works when the process is started
486 with superuser privileges. It is important to ensure that <jail_dir> is both
487 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100488
Willy Tarreau6a06a402007-07-15 20:15:28 +0200489daemon
490 Makes the process fork into background. This is the recommended mode of
491 operation. It is equivalent to the command line "-D" argument. It can be
492 disabled by the command line "-db" argument.
493
494gid <number>
495 Changes the process' group ID to <number>. It is recommended that the group
496 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
497 be started with a user belonging to this group, or with superuser privileges.
498 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100499
Willy Tarreau6a06a402007-07-15 20:15:28 +0200500group <group name>
501 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
502 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100503
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200504log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200505 Adds a global syslog server. Up to two global servers can be defined. They
506 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100507 configured with "log global".
508
509 <address> can be one of:
510
Willy Tarreau2769aa02007-12-27 18:26:09 +0100511 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100512 no port is specified, 514 is used by default (the standard syslog
513 port).
514
David du Colombier24bb5f52011-03-17 10:40:23 +0100515 - An IPv6 address followed by a colon and optionally a UDP port. If
516 no port is specified, 514 is used by default (the standard syslog
517 port).
518
Robert Tsai81ae1952007-12-05 10:47:29 +0100519 - A filesystem path to a UNIX domain socket, keeping in mind
520 considerations for chroot (be sure the path is accessible inside
521 the chroot) and uid/gid (be sure the path is appropriately
522 writeable).
523
524 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525
526 kern user mail daemon auth syslog lpr news
527 uucp cron auth2 ftp ntp audit alert cron2
528 local0 local1 local2 local3 local4 local5 local6 local7
529
530 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200531 all messages are sent. If a maximum level is specified, only messages with a
532 severity at least as important as this level will be sent. An optional minimum
533 level can be specified. If it is set, logs emitted with a more severe level
534 than this one will be capped to this level. This is used to avoid sending
535 "emerg" messages on all terminals on some default syslog configurations.
536 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200537
Cyril Bontédc4d9032012-04-08 21:57:39 +0200538 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200539
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100540log-send-hostname [<string>]
541 Sets the hostname field in the syslog header. If optional "string" parameter
542 is set the header is set to the string contents, otherwise uses the hostname
543 of the system. Generally used if one is not relaying logs through an
544 intermediate syslog server or for simply customizing the hostname printed in
545 the logs.
546
Kevinm48936af2010-12-22 16:08:21 +0000547log-tag <string>
548 Sets the tag field in the syslog header to this string. It defaults to the
549 program name as launched from the command line, which usually is "haproxy".
550 Sometimes it can be useful to differentiate between multiple processes
551 running on the same host.
552
Willy Tarreau6a06a402007-07-15 20:15:28 +0200553nbproc <number>
554 Creates <number> processes when going daemon. This requires the "daemon"
555 mode. By default, only one process is created, which is the recommended mode
556 of operation. For systems limited to small sets of file descriptors per
557 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
558 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
559
560pidfile <pidfile>
561 Writes pids of all daemons into file <pidfile>. This option is equivalent to
562 the "-p" command line argument. The file must be accessible to the user
563 starting the process. See also "daemon".
564
Willy Tarreaufbee7132007-10-18 13:53:22 +0200565stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Cyril Bontédc4d9032012-04-08 21:57:39 +0200566 [level <level>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200567
Willy Tarreaufbee7132007-10-18 13:53:22 +0200568 Creates a UNIX socket in stream mode at location <path>. Any previously
569 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100570 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200571 issued. Please consult section 9.2 "Unix Socket commands" for more details.
572
573 An optional "level" parameter can be specified to restrict the nature of
574 the commands that can be issued on the socket :
575 - "user" is the least privileged level ; only non-sensitive stats can be
576 read, and no change is allowed. It would make sense on systems where it
577 is not easy to restrict access to the socket.
578
579 - "operator" is the default level and fits most common uses. All data can
Willy Tarreau3c92c5f2011-08-28 09:45:47 +0200580 be read, and only non-sensitive changes are permitted (eg: clear max
Willy Tarreau6162db22009-10-10 17:13:00 +0200581 counters).
582
583 - "admin" should be used with care, as everything is permitted (eg: clear
584 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100585
586 On platforms which support it, it is possible to restrict access to this
587 socket by specifying numerical IDs after "uid" and "gid", or valid user and
588 group names after the "user" and "group" keywords. It is also possible to
589 restrict permissions on the socket by passing an octal value after the "mode"
590 keyword (same syntax as chmod). Depending on the platform, the permissions on
591 the socket will be inherited from the directory which hosts it, or from the
592 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200593
594stats timeout <timeout, in milliseconds>
595 The default timeout on the stats socket is set to 10 seconds. It is possible
596 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100597 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200598
599stats maxconn <connections>
600 By default, the stats socket is limited to 10 concurrent connections. It is
601 possible to change this value with "stats maxconn".
602
Willy Tarreau6a06a402007-07-15 20:15:28 +0200603uid <number>
604 Changes the process' user ID to <number>. It is recommended that the user ID
605 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
606 be started with superuser privileges in order to be able to switch to another
607 one. See also "gid" and "user".
608
609ulimit-n <number>
610 Sets the maximum number of per-process file-descriptors to <number>. By
611 default, it is automatically computed, so it is recommended not to use this
612 option.
613
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100614unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
615 [ group <group> ] [ gid <gid> ]
616
617 Fixes common settings to UNIX listening sockets declared in "bind" statements.
618 This is mainly used to simplify declaration of those UNIX sockets and reduce
619 the risk of errors, since those settings are most commonly required but are
620 also process-specific. The <prefix> setting can be used to force all socket
621 path to be relative to that directory. This might be needed to access another
622 component's chroot. Note that those paths are resolved before haproxy chroots
623 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
624 all have the same meaning as their homonyms used by the "bind" statement. If
625 both are specified, the "bind" statement has priority, meaning that the
626 "unix-bind" settings may be seen as process-wide default settings.
627
Willy Tarreau6a06a402007-07-15 20:15:28 +0200628user <user name>
629 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
630 See also "uid" and "group".
631
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200632node <name>
633 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
634
635 This statement is useful in HA configurations where two or more processes or
636 servers share the same IP address. By setting a different node-name on all
637 nodes, it becomes easy to immediately spot what server is handling the
638 traffic.
639
640description <text>
641 Add a text that describes the instance.
642
643 Please note that it is required to escape certain characters (# for example)
644 and this text is inserted into a html page so you should avoid using
645 "<" and ">" characters.
646
Willy Tarreau6a06a402007-07-15 20:15:28 +0200647
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006483.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200649-----------------------
650
651maxconn <number>
652 Sets the maximum per-process number of concurrent connections to <number>. It
653 is equivalent to the command-line argument "-n". Proxies will stop accepting
654 connections when this limit is reached. The "ulimit-n" parameter is
655 automatically adjusted according to this value. See also "ulimit-n".
656
Willy Tarreau81c25d02011-09-07 15:17:21 +0200657maxconnrate <number>
658 Sets the maximum per-process number of connections per second to <number>.
659 Proxies will stop accepting connections when this limit is reached. It can be
660 used to limit the global capacity regardless of each frontend capacity. It is
661 important to note that this can only be used as a service protection measure,
662 as there will not necessarily be a fair share between frontends when the
663 limit is reached, so it's a good idea to also limit each frontend to some
664 value close to its expected share. Also, lowering tune.maxaccept can improve
665 fairness.
666
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100667maxpipes <number>
668 Sets the maximum per-process number of pipes to <number>. Currently, pipes
669 are only used by kernel-based tcp splicing. Since a pipe contains two file
670 descriptors, the "ulimit-n" value will be increased accordingly. The default
671 value is maxconn/4, which seems to be more than enough for most heavy usages.
672 The splice code dynamically allocates and releases pipes, and can fall back
673 to standard copy, so setting this value too low may only impact performance.
674
Willy Tarreau6a06a402007-07-15 20:15:28 +0200675noepoll
676 Disables the use of the "epoll" event polling system on Linux. It is
677 equivalent to the command-line argument "-de". The next polling system
678 used will generally be "poll". See also "nosepoll", and "nopoll".
679
680nokqueue
681 Disables the use of the "kqueue" event polling system on BSD. It is
682 equivalent to the command-line argument "-dk". The next polling system
683 used will generally be "poll". See also "nopoll".
684
685nopoll
686 Disables the use of the "poll" event polling system. It is equivalent to the
687 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100688 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200689 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
690 "nokqueue".
691
692nosepoll
693 Disables the use of the "speculative epoll" event polling system on Linux. It
694 is equivalent to the command-line argument "-ds". The next polling system
695 used will generally be "epoll". See also "nosepoll", and "nopoll".
696
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100697nosplice
698 Disables the use of kernel tcp splicing between sockets on Linux. It is
699 equivalent to the command line argument "-dS". Data will then be copied
700 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100701 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100702 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
703 be used. This option makes it easier to globally disable kernel splicing in
704 case of doubt. See also "option splice-auto", "option splice-request" and
705 "option splice-response".
706
Willy Tarreaufe255b72007-10-14 23:09:26 +0200707spread-checks <0..50, in percent>
708 Sometimes it is desirable to avoid sending health checks to servers at exact
709 intervals, for instance when many logical servers are located on the same
710 physical server. With the help of this parameter, it becomes possible to add
711 some randomness in the check interval between 0 and +/- 50%. A value between
712 2 and 5 seems to show good results. The default value remains at 0.
713
Willy Tarreau27a674e2009-08-17 07:23:33 +0200714tune.bufsize <number>
715 Sets the buffer size to this size (in bytes). Lower values allow more
716 sessions to coexist in the same amount of RAM, and higher values allow some
717 applications with very large cookies to work. The default value is 16384 and
718 can be changed at build time. It is strongly recommended not to change this
719 from the default value, as very low values will break some services such as
720 statistics, and values larger than default size will increase memory usage,
721 possibly causing the system to run out of memory. At least the global maxconn
722 parameter should be decreased by the same factor as this one is increased.
723
Willy Tarreau43961d52010-10-04 20:39:20 +0200724tune.chksize <number>
725 Sets the check buffer size to this size (in bytes). Higher values may help
726 find string or regex patterns in very large pages, though doing so may imply
727 more memory and CPU usage. The default value is 16384 and can be changed at
728 build time. It is not recommended to change this value, but to use better
729 checks whenever possible.
730
Willy Tarreauac1932d2011-10-24 19:14:41 +0200731tune.http.maxhdr <number>
732 Sets the maximum number of headers in a request. When a request comes with a
733 number of headers greater than this value (including the first line), it is
734 rejected with a "400 Bad Request" status code. Similarly, too large responses
735 are blocked with "502 Bad Gateway". The default value is 101, which is enough
736 for all usages, considering that the widely deployed Apache server uses the
737 same limit. It can be useful to push this limit further to temporarily allow
738 a buggy application to work by the time it gets fixed. Keep in mind that each
739 new header consumes 32bits of memory for each session, so don't push this
740 limit too high.
741
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100742tune.maxaccept <number>
743 Sets the maximum number of consecutive accepts that a process may perform on
744 a single wake up. High values give higher priority to high connection rates,
745 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100746 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100747 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
748 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100749 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100750 the limitation. It should normally not be needed to tweak this value.
751
752tune.maxpollevents <number>
753 Sets the maximum amount of events that can be processed at once in a call to
754 the polling system. The default value is adapted to the operating system. It
755 has been noticed that reducing it below 200 tends to slightly decrease
756 latency at the expense of network bandwidth, and increasing it above 200
757 tends to trade latency for slightly increased bandwidth.
758
Willy Tarreau27a674e2009-08-17 07:23:33 +0200759tune.maxrewrite <number>
760 Sets the reserved buffer space to this size in bytes. The reserved space is
761 used for header rewriting or appending. The first reads on sockets will never
762 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
763 bufsize, though that does not make much sense since there are rarely large
764 numbers of headers to add. Setting it too high prevents processing of large
765 requests or responses. Setting it too low prevents addition of new headers
766 to already large requests or to POST requests. It is generally wise to set it
767 to about 1024. It is automatically readjusted to half of bufsize if it is
768 larger than that. This means you don't have to worry about it when changing
769 bufsize.
770
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200771tune.pipesize <number>
772 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
773 are the default size for the system. But sometimes when using TCP splicing,
774 it can improve performance to increase pipe sizes, especially if it is
775 suspected that pipes are not filled and that many calls to splice() are
776 performed. This has an impact on the kernel's memory footprint, so this must
777 not be changed if impacts are not understood.
778
Willy Tarreaue803de22010-01-21 17:43:04 +0100779tune.rcvbuf.client <number>
780tune.rcvbuf.server <number>
781 Forces the kernel socket receive buffer size on the client or the server side
782 to the specified value in bytes. This value applies to all TCP/HTTP frontends
783 and backends. It should normally never be set, and the default size (0) lets
784 the kernel autotune this value depending on the amount of available memory.
785 However it can sometimes help to set it to very low values (eg: 4096) in
786 order to save kernel memory by preventing it from buffering too large amounts
787 of received data. Lower values will significantly increase CPU usage though.
788
789tune.sndbuf.client <number>
790tune.sndbuf.server <number>
791 Forces the kernel socket send buffer size on the client or the server side to
792 the specified value in bytes. This value applies to all TCP/HTTP frontends
793 and backends. It should normally never be set, and the default size (0) lets
794 the kernel autotune this value depending on the amount of available memory.
795 However it can sometimes help to set it to very low values (eg: 4096) in
796 order to save kernel memory by preventing it from buffering too large amounts
797 of received data. Lower values will significantly increase CPU usage though.
798 Another use case is to prevent write timeouts with extremely slow clients due
799 to the kernel waiting for a large part of the buffer to be read before
800 notifying haproxy again.
801
Willy Tarreau6a06a402007-07-15 20:15:28 +0200802
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008033.3. Debugging
804--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200805
806debug
807 Enables debug mode which dumps to stdout all exchanges, and disables forking
808 into background. It is the equivalent of the command-line argument "-d". It
809 should never be used in a production configuration since it may prevent full
810 system startup.
811
812quiet
813 Do not display any message during startup. It is equivalent to the command-
814 line argument "-q".
815
Emeric Brunf099e792010-09-27 12:05:28 +0200816
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008173.4. Userlists
818--------------
819It is possible to control access to frontend/backend/listen sections or to
820http stats by allowing only authenticated and authorized users. To do this,
821it is required to create at least one userlist and to define users.
822
823userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100824 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100825 used to store authentication & authorization data for independent customers.
826
827group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100828 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100829 attach users to this group by using a comma separated list of names
830 proceeded by "users" keyword.
831
Cyril Bontéf0c60612010-02-06 14:44:47 +0100832user <username> [password|insecure-password <password>]
833 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100834 Adds user <username> to the current userlist. Both secure (encrypted) and
835 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100836 evaluated using the crypt(3) function so depending of the system's
837 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100838 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
839 DES-based method of crypting passwords.
840
841
842 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100843 userlist L1
844 group G1 users tiger,scott
845 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100846
Cyril Bontéf0c60612010-02-06 14:44:47 +0100847 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
848 user scott insecure-password elgato
849 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100850
Cyril Bontéf0c60612010-02-06 14:44:47 +0100851 userlist L2
852 group G1
853 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100854
Cyril Bontéf0c60612010-02-06 14:44:47 +0100855 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
856 user scott insecure-password elgato groups G1,G2
857 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100858
859 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200860
Emeric Brunf099e792010-09-27 12:05:28 +0200861
8623.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +0200863----------
Emeric Brunf099e792010-09-27 12:05:28 +0200864It is possible to synchronize server entries in stick tables between several
865haproxy instances over TCP connections in a multi-master fashion. Each instance
866pushes its local updates and insertions to remote peers. Server IDs are used to
867identify servers remotely, so it is important that configurations look similar
868or at least that the same IDs are forced on each server on all participants.
869Interrupted exchanges are automatically detected and recovered from the last
870known point. In addition, during a soft restart, the old process connects to
871the new one using such a TCP connection to push all its entries before the new
872process tries to connect to other peers. That ensures very fast replication
873during a reload, it typically takes a fraction of a second even for large
874tables.
875
876peers <peersect>
877 Creates a new peer list with name <peersect>. It is an independant section,
878 which is referenced by one or more stick-tables.
879
880peer <peername> <ip>:<port>
881 Defines a peer inside a peers section.
882 If <peername> is set to the local peer name (by default hostname, or forced
883 using "-L" command line option), haproxy will listen for incoming remote peer
884 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
885 to join the remote peer, and <peername> is used at the protocol level to
886 identify and validate the remote peer on the server side.
887
888 During a soft restart, local peer <ip>:<port> is used by the old instance to
889 connect the new one and initiate a complete replication (teaching process).
890
891 It is strongly recommended to have the exact same peers declaration on all
892 peers and to only rely on the "-L" command line argument to change the local
893 peer name. This makes it easier to maintain coherent configuration files
894 across all peers.
895
Cyril Bontédc4d9032012-04-08 21:57:39 +0200896 Example:
Emeric Brunf099e792010-09-27 12:05:28 +0200897 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100898 peer haproxy1 192.168.0.1:1024
899 peer haproxy2 192.168.0.2:1024
900 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +0200901
902 backend mybackend
903 mode tcp
904 balance roundrobin
905 stick-table type ip size 20k peers mypeers
906 stick on src
907
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100908 server srv1 192.168.0.30:80
909 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +0200910
911
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009124. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200913----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100914
Willy Tarreau6a06a402007-07-15 20:15:28 +0200915Proxy configuration can be located in a set of sections :
916 - defaults <name>
917 - frontend <name>
918 - backend <name>
919 - listen <name>
920
921A "defaults" section sets default parameters for all other sections following
922its declaration. Those default parameters are reset by the next "defaults"
923section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100924section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200925
926A "frontend" section describes a set of listening sockets accepting client
927connections.
928
929A "backend" section describes a set of servers to which the proxy will connect
930to forward incoming connections.
931
932A "listen" section defines a complete proxy with its frontend and backend
933parts combined in one section. It is generally useful for TCP-only traffic.
934
Willy Tarreau0ba27502007-12-24 16:55:16 +0100935All proxy names must be formed from upper and lower case letters, digits,
936'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
937case-sensitive, which means that "www" and "WWW" are two different proxies.
938
939Historically, all proxy names could overlap, it just caused troubles in the
940logs. Since the introduction of content switching, it is mandatory that two
941proxies with overlapping capabilities (frontend/backend) have different names.
942However, it is still permitted that a frontend and a backend share the same
943name, as this configuration seems to be commonly encountered.
944
945Right now, two major proxy modes are supported : "tcp", also known as layer 4,
946and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100947bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100948protocol, and can interact with it by allowing, blocking, switching, adding,
949modifying, or removing arbitrary contents in requests or responses, based on
950arbitrary criteria.
951
Willy Tarreau0ba27502007-12-24 16:55:16 +0100952
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009534.1. Proxy keywords matrix
954--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100955
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200956The following list of keywords is supported. Most of them may only be used in a
957limited set of section types. Some of them are marked as "deprecated" because
958they are inherited from an old syntax which may be confusing or functionally
959limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100960marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200961option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200962and must be disabled for a specific instance. Such options may also be prefixed
963with "default" in order to restore default settings regardless of what has been
964specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100965
Willy Tarreau6a06a402007-07-15 20:15:28 +0200966
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100967 keyword defaults frontend listen backend
968------------------------------------+----------+----------+---------+---------
969acl - X X X
970appsession - - X X
971backlog X X X -
972balance X - X X
973bind - X X -
974bind-process X X X X
975block - X X X
976capture cookie - X X -
977capture request header - X X -
978capture response header - X X -
979clitimeout (deprecated) X X X -
980contimeout (deprecated) X - X X
981cookie X - X X
982default-server X - X X
983default_backend X X X -
984description - X X X
985disabled X X X X
986dispatch - - X X
987enabled X X X X
988errorfile X X X X
989errorloc X X X X
990errorloc302 X X X X
991-- keyword -------------------------- defaults - frontend - listen -- backend -
992errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200993force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100994fullconn X - X X
995grace X X X X
996hash-type X - X X
997http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +0100998http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +0200999http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001000http-request - X X X
1001id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001002ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001003log (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001004maxconn X X X -
1005mode X X X X
1006monitor fail - X X -
1007monitor-net X X X -
1008monitor-uri X X X -
1009option abortonclose (*) X - X X
1010option accept-invalid-http-request (*) X X X -
1011option accept-invalid-http-response (*) X - X X
1012option allbackups (*) X - X X
1013option checkcache (*) X - X X
1014option clitcpka (*) X X X -
1015option contstats (*) X X X -
1016option dontlog-normal (*) X X X -
1017option dontlognull (*) X X X -
1018option forceclose (*) X X X X
1019-- keyword -------------------------- defaults - frontend - listen -- backend -
1020option forwardfor X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001021option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001022option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001023option http-server-close (*) X X X X
1024option http-use-proxy-header (*) X X X -
1025option httpchk X - X X
1026option httpclose (*) X X X X
1027option httplog X X X X
1028option http_proxy (*) X X X X
1029option independant-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001030option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001031option log-health-checks (*) X - X X
1032option log-separate-errors (*) X X X -
1033option logasap (*) X X X -
1034option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001035option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001036option nolinger (*) X X X X
1037option originalto X X X X
1038option persist (*) X - X X
1039option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001040option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001041option smtpchk X - X X
1042option socket-stats (*) X X X -
1043option splice-auto (*) X X X X
1044option splice-request (*) X X X X
1045option splice-response (*) X X X X
1046option srvtcpka (*) X - X X
1047option ssl-hello-chk X - X X
1048-- keyword -------------------------- defaults - frontend - listen -- backend -
1049option tcp-smart-accept (*) X X X -
1050option tcp-smart-connect (*) X - X X
1051option tcpka X X X X
1052option tcplog X X X X
1053option transparent (*) X - X X
1054persist rdp-cookie X - X X
1055rate-limit sessions X X X -
1056redirect - X X X
1057redisp (deprecated) X - X X
1058redispatch (deprecated) X - X X
1059reqadd - X X X
1060reqallow - X X X
1061reqdel - X X X
1062reqdeny - X X X
1063reqiallow - X X X
1064reqidel - X X X
1065reqideny - X X X
1066reqipass - X X X
1067reqirep - X X X
1068reqisetbe - X X X
1069reqitarpit - X X X
1070reqpass - X X X
1071reqrep - X X X
1072-- keyword -------------------------- defaults - frontend - listen -- backend -
1073reqsetbe - X X X
1074reqtarpit - X X X
1075retries X - X X
1076rspadd - X X X
1077rspdel - X X X
1078rspdeny - X X X
1079rspidel - X X X
1080rspideny - X X X
1081rspirep - X X X
1082rsprep - X X X
1083server - - X X
1084source X - X X
1085srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001086stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001087stats auth X - X X
1088stats enable X - X X
1089stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001090stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001091stats realm X - X X
1092stats refresh X - X X
1093stats scope X - X X
1094stats show-desc X - X X
1095stats show-legends X - X X
1096stats show-node X - X X
1097stats uri X - X X
1098-- keyword -------------------------- defaults - frontend - listen -- backend -
1099stick match - - X X
1100stick on - - X X
1101stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001102stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001103stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001104tcp-request connection - X X -
1105tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001106tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001107tcp-response content - - X X
1108tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001109timeout check X - X X
1110timeout client X X X -
1111timeout clitimeout (deprecated) X X X -
1112timeout connect X - X X
1113timeout contimeout (deprecated) X - X X
1114timeout http-keep-alive X X X X
1115timeout http-request X X X X
1116timeout queue X - X X
1117timeout server X - X X
1118timeout srvtimeout (deprecated) X - X X
1119timeout tarpit X X X X
1120transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001121unique-id-format X X X -
1122unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001123use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001124use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001125------------------------------------+----------+----------+---------+---------
1126 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001127
Willy Tarreau0ba27502007-12-24 16:55:16 +01001128
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011294.2. Alphabetically sorted keywords reference
1130---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001131
1132This section provides a description of each keyword and its usage.
1133
1134
1135acl <aclname> <criterion> [flags] [operator] <value> ...
1136 Declare or complete an access list.
1137 May be used in sections : defaults | frontend | listen | backend
1138 no | yes | yes | yes
1139 Example:
1140 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1141 acl invalid_src src_port 0:1023
1142 acl local_dst hdr(host) -i localhost
1143
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001144 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001145
1146
Cyril Bontéb21570a2009-11-29 20:04:48 +01001147appsession <cookie> len <length> timeout <holdtime>
1148 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001149 Define session stickiness on an existing application cookie.
1150 May be used in sections : defaults | frontend | listen | backend
1151 no | no | yes | yes
1152 Arguments :
1153 <cookie> this is the name of the cookie used by the application and which
1154 HAProxy will have to learn for each new session.
1155
Cyril Bontéb21570a2009-11-29 20:04:48 +01001156 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001157 checked in each cookie value.
1158
1159 <holdtime> this is the time after which the cookie will be removed from
1160 memory if unused. If no unit is specified, this time is in
1161 milliseconds.
1162
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001163 request-learn
1164 If this option is specified, then haproxy will be able to learn
1165 the cookie found in the request in case the server does not
1166 specify any in response. This is typically what happens with
1167 PHPSESSID cookies, or when haproxy's session expires before
1168 the application's session and the correct server is selected.
1169 It is recommended to specify this option to improve reliability.
1170
Cyril Bontéb21570a2009-11-29 20:04:48 +01001171 prefix When this option is specified, haproxy will match on the cookie
1172 prefix (or URL parameter prefix). The appsession value is the
1173 data following this prefix.
1174
1175 Example :
1176 appsession ASPSESSIONID len 64 timeout 3h prefix
1177
1178 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1179 the appsession value will be XXXX=XXXXX.
1180
1181 mode This option allows to change the URL parser mode.
1182 2 modes are currently supported :
1183 - path-parameters :
1184 The parser looks for the appsession in the path parameters
1185 part (each parameter is separated by a semi-colon), which is
1186 convenient for JSESSIONID for example.
1187 This is the default mode if the option is not set.
1188 - query-string :
1189 In this mode, the parser will look for the appsession in the
1190 query string.
1191
Willy Tarreau0ba27502007-12-24 16:55:16 +01001192 When an application cookie is defined in a backend, HAProxy will check when
1193 the server sets such a cookie, and will store its value in a table, and
1194 associate it with the server's identifier. Up to <length> characters from
1195 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001196 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1197 the mode used). If a known value is found, the client will be directed to the
1198 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001199 applied. Cookies are automatically removed from memory when they have been
1200 unused for a duration longer than <holdtime>.
1201
1202 The definition of an application cookie is limited to one per backend.
1203
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001204 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1205 unless you know what you do : memory is not shared between the
1206 processes, which can result in random behaviours.
1207
Willy Tarreau0ba27502007-12-24 16:55:16 +01001208 Example :
1209 appsession JSESSIONID len 52 timeout 3h
1210
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001211 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1212 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001213
1214
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001215backlog <conns>
1216 Give hints to the system about the approximate listen backlog desired size
1217 May be used in sections : defaults | frontend | listen | backend
1218 yes | yes | yes | no
1219 Arguments :
1220 <conns> is the number of pending connections. Depending on the operating
1221 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001222 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001223
1224 In order to protect against SYN flood attacks, one solution is to increase
1225 the system's SYN backlog size. Depending on the system, sometimes it is just
1226 tunable via a system parameter, sometimes it is not adjustable at all, and
1227 sometimes the system relies on hints given by the application at the time of
1228 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1229 to the listen() syscall. On systems which can make use of this value, it can
1230 sometimes be useful to be able to specify a different value, hence this
1231 backlog parameter.
1232
1233 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1234 used as a hint and the system accepts up to the smallest greater power of
1235 two, and never more than some limits (usually 32768).
1236
1237 See also : "maxconn" and the target operating system's tuning guide.
1238
1239
Willy Tarreau0ba27502007-12-24 16:55:16 +01001240balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001241balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001242 Define the load balancing algorithm to be used in a backend.
1243 May be used in sections : defaults | frontend | listen | backend
1244 yes | no | yes | yes
1245 Arguments :
1246 <algorithm> is the algorithm used to select a server when doing load
1247 balancing. This only applies when no persistence information
1248 is available, or when a connection is redispatched to another
1249 server. <algorithm> may be one of the following :
1250
1251 roundrobin Each server is used in turns, according to their weights.
1252 This is the smoothest and fairest algorithm when the server's
1253 processing time remains equally distributed. This algorithm
1254 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001255 on the fly for slow starts for instance. It is limited by
1256 design to 4128 active servers per backend. Note that in some
1257 large farms, when a server becomes up after having been down
1258 for a very short time, it may sometimes take a few hundreds
1259 requests for it to be re-integrated into the farm and start
1260 receiving traffic. This is normal, though very rare. It is
1261 indicated here in case you would have the chance to observe
1262 it, so that you don't worry.
1263
1264 static-rr Each server is used in turns, according to their weights.
1265 This algorithm is as similar to roundrobin except that it is
1266 static, which means that changing a server's weight on the
1267 fly will have no effect. On the other hand, it has no design
1268 limitation on the number of servers, and when a server goes
1269 up, it is always immediately reintroduced into the farm, once
1270 the full map is recomputed. It also uses slightly less CPU to
1271 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001272
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001273 leastconn The server with the lowest number of connections receives the
1274 connection. Round-robin is performed within groups of servers
1275 of the same load to ensure that all servers will be used. Use
1276 of this algorithm is recommended where very long sessions are
1277 expected, such as LDAP, SQL, TSE, etc... but is not very well
1278 suited for protocols using short sessions such as HTTP. This
1279 algorithm is dynamic, which means that server weights may be
1280 adjusted on the fly for slow starts for instance.
1281
Willy Tarreauf09c6602012-02-13 17:12:08 +01001282 first The first server with available connection slots receives the
1283 connection. The servers are choosen from the lowest numeric
1284 identifier to the highest (see server parameter "id"), which
1285 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001286 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001287 not make sense to use this algorithm without setting maxconn.
1288 The purpose of this algorithm is to always use the smallest
1289 number of servers so that extra servers can be powered off
1290 during non-intensive hours. This algorithm ignores the server
1291 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001292 or IMAP than HTTP, though it can be useful there too. In
1293 order to use this algorithm efficiently, it is recommended
1294 that a cloud controller regularly checks server usage to turn
1295 them off when unused, and regularly checks backend queue to
1296 turn new servers on when the queue inflates. Alternatively,
1297 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001298
Willy Tarreau0ba27502007-12-24 16:55:16 +01001299 source The source IP address is hashed and divided by the total
1300 weight of the running servers to designate which server will
1301 receive the request. This ensures that the same client IP
1302 address will always reach the same server as long as no
1303 server goes down or up. If the hash result changes due to the
1304 number of running servers changing, many clients will be
1305 directed to a different server. This algorithm is generally
1306 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001307 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001308 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001309 static by default, which means that changing a server's
1310 weight on the fly will have no effect, but this can be
1311 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001312
1313 uri The left part of the URI (before the question mark) is hashed
1314 and divided by the total weight of the running servers. The
1315 result designates which server will receive the request. This
1316 ensures that a same URI will always be directed to the same
1317 server as long as no server goes up or down. This is used
1318 with proxy caches and anti-virus proxies in order to maximize
1319 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001320 in an HTTP backend. This algorithm is static by default,
1321 which means that changing a server's weight on the fly will
1322 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001323
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001324 This algorithm support two optional parameters "len" and
1325 "depth", both followed by a positive integer number. These
1326 options may be helpful when it is needed to balance servers
1327 based on the beginning of the URI only. The "len" parameter
1328 indicates that the algorithm should only consider that many
1329 characters at the beginning of the URI to compute the hash.
1330 Note that having "len" set to 1 rarely makes sense since most
1331 URIs start with a leading "/".
1332
1333 The "depth" parameter indicates the maximum directory depth
1334 to be used to compute the hash. One level is counted for each
1335 slash in the request. If both parameters are specified, the
1336 evaluation stops when either is reached.
1337
Willy Tarreau0ba27502007-12-24 16:55:16 +01001338 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001339 the query string of each HTTP GET request.
1340
1341 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001342 request entity will be searched for the parameter argument,
1343 when it is not found in a query string after a question mark
1344 ('?') in the URL. Optionally, specify a number of octets to
1345 wait for before attempting to search the message body. If the
1346 entity can not be searched, then round robin is used for each
1347 request. For instance, if your clients always send the LB
1348 parameter in the first 128 bytes, then specify that. The
1349 default is 48. The entity data will not be scanned until the
1350 required number of octets have arrived at the gateway, this
1351 is the minimum of: (default/max_wait, Content-Length or first
1352 chunk length). If Content-Length is missing or zero, it does
1353 not need to wait for more data than the client promised to
1354 send. When Content-Length is present and larger than
1355 <max_wait>, then waiting is limited to <max_wait> and it is
1356 assumed that this will be enough data to search for the
1357 presence of the parameter. In the unlikely event that
1358 Transfer-Encoding: chunked is used, only the first chunk is
1359 scanned. Parameter values separated by a chunk boundary, may
1360 be randomly balanced if at all.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001361
1362 If the parameter is found followed by an equal sign ('=') and
1363 a value, then the value is hashed and divided by the total
1364 weight of the running servers. The result designates which
1365 server will receive the request.
1366
1367 This is used to track user identifiers in requests and ensure
1368 that a same user ID will always be sent to the same server as
1369 long as no server goes up or down. If no value is found or if
1370 the parameter is not found, then a round robin algorithm is
1371 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001372 backend. This algorithm is static by default, which means
1373 that changing a server's weight on the fly will have no
1374 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001375
Cyril Bontédc4d9032012-04-08 21:57:39 +02001376 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1377 request. Just as with the equivalent ACL 'hdr()' function,
1378 the header name in parenthesis is not case sensitive. If the
1379 header is absent or if it does not contain any value, the
1380 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001381
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001382 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001383 reducing the hash algorithm to the main domain part with some
1384 specific headers such as 'Host'. For instance, in the Host
1385 value "haproxy.1wt.eu", only "1wt" will be considered.
1386
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001387 This algorithm is static by default, which means that
1388 changing a server's weight on the fly will have no effect,
1389 but this can be changed using "hash-type".
1390
Emeric Brun736aa232009-06-30 17:56:00 +02001391 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001392 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001393 The RDP cookie <name> (or "mstshash" if omitted) will be
1394 looked up and hashed for each incoming TCP request. Just as
1395 with the equivalent ACL 'req_rdp_cookie()' function, the name
1396 is not case-sensitive. This mechanism is useful as a degraded
1397 persistence mode, as it makes it possible to always send the
1398 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001399 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001400 used instead.
1401
1402 Note that for this to work, the frontend must ensure that an
1403 RDP cookie is already present in the request buffer. For this
1404 you must use 'tcp-request content accept' rule combined with
1405 a 'req_rdp_cookie_cnt' ACL.
1406
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001407 This algorithm is static by default, which means that
1408 changing a server's weight on the fly will have no effect,
1409 but this can be changed using "hash-type".
1410
Cyril Bontédc4d9032012-04-08 21:57:39 +02001411 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001412
Willy Tarreau0ba27502007-12-24 16:55:16 +01001413 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001414 algorithms. Right now, only "url_param" and "uri" support an
1415 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001416
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001417 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001418 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001419
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001420 The load balancing algorithm of a backend is set to roundrobin when no other
1421 algorithm, mode nor option have been set. The algorithm may only be set once
1422 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001423
1424 Examples :
1425 balance roundrobin
1426 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001427 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001428 balance hdr(User-Agent)
1429 balance hdr(host)
1430 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001431
1432 Note: the following caveats and limitations on using the "check_post"
1433 extension with "url_param" must be considered :
1434
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001435 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001436 to determine if the parameters will be found in the body or entity which
1437 may contain binary data. Therefore another method may be required to
1438 restrict consideration of POST requests that have no URL parameters in
1439 the body. (see acl reqideny http_end)
1440
1441 - using a <max_wait> value larger than the request buffer size does not
1442 make sense and is useless. The buffer size is set at build time, and
1443 defaults to 16 kB.
1444
1445 - Content-Encoding is not supported, the parameter search will probably
1446 fail; and load balancing will fall back to Round Robin.
1447
1448 - Expect: 100-continue is not supported, load balancing will fall back to
1449 Round Robin.
1450
1451 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1452 If the entire parameter value is not present in the first chunk, the
1453 selection of server is undefined (actually, defined by how little
1454 actually appeared in the first chunk).
1455
1456 - This feature does not support generation of a 100, 411 or 501 response.
1457
1458 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001459 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001460 white space or control characters are found, indicating the end of what
1461 might be a URL parameter list. This is probably not a concern with SGML
1462 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001463
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001464 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1465 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001466
1467
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001468bind [<address>]:<port_range> [, ...]
1469bind [<address>]:<port_range> [, ...] interface <interface>
1470bind [<address>]:<port_range> [, ...] mss <maxseg>
1471bind [<address>]:<port_range> [, ...] transparent
1472bind [<address>]:<port_range> [, ...] id <id>
1473bind [<address>]:<port_range> [, ...] name <name>
1474bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau71c814e2010-10-29 21:56:16 +02001475bind [<address>]:<port_range> [, ...] accept-proxy
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001476bind /<path> [, ...]
1477bind /<path> [, ...] mode <mode>
1478bind /<path> [, ...] [ user <user> | uid <uid> ]
1479bind /<path> [, ...] [ group <user> | gid <gid> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001480 Define one or several listening addresses and/or ports in a frontend.
1481 May be used in sections : defaults | frontend | listen | backend
1482 no | yes | yes | no
1483 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001484 <address> is optional and can be a host name, an IPv4 address, an IPv6
1485 address, or '*'. It designates the address the frontend will
1486 listen on. If unset, all IPv4 addresses of the system will be
1487 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001488 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001489
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001490 <port_range> is either a unique TCP port, or a port range for which the
1491 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001492 above. The port is mandatory for TCP listeners. Note that in
1493 the case of an IPv6 address, the port is always the number
1494 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001495 - a numerical port (ex: '80')
1496 - a dash-delimited ports range explicitly stating the lower
1497 and upper bounds (ex: '2000-2100') which are included in
1498 the range.
1499
1500 Particular care must be taken against port ranges, because
1501 every <address:port> couple consumes one socket (= a file
1502 descriptor), so it's easy to consume lots of descriptors
1503 with a simple range, and to run out of sockets. Also, each
1504 <address:port> couple must be used only once among all
1505 instances running on a same system. Please note that binding
1506 to ports lower than 1024 generally require particular
1507 privileges to start the program, which are independant of
1508 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001509
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001510 <path> is a UNIX socket path beginning with a slash ('/'). This is
1511 alternative to the TCP listening port. Haproxy will then
1512 receive UNIX connections on the socket located at this place.
1513 The path must begin with a slash and by default is absolute.
1514 It can be relative to the prefix defined by "unix-bind" in
1515 the global section. Note that the total length of the prefix
1516 followed by the socket path cannot exceed some system limits
1517 for UNIX sockets, which commonly are set to 107 characters.
1518
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001519 <interface> is an optional physical interface name. This is currently
1520 only supported on Linux. The interface must be a physical
1521 interface, not an aliased interface. When specified, all
1522 addresses on the same line will only be accepted if the
1523 incoming packet physically come through the designated
1524 interface. It is also possible to bind multiple frontends to
1525 the same address if they are bound to different interfaces.
1526 Note that binding to a physical interface requires root
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001527 privileges. This parameter is only compatible with TCP
1528 sockets.
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001529
Willy Tarreaube1b9182009-06-14 18:48:19 +02001530 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1531 advertised on incoming connections. This can be used to force
1532 a lower MSS for certain specific ports, for instance for
1533 connections passing through a VPN. Note that this relies on a
1534 kernel feature which is theorically supported under Linux but
1535 was buggy in all versions prior to 2.6.28. It may or may not
Willy Tarreau48a7e722010-12-24 15:26:39 +01001536 work on other operating systems. It may also not change the
1537 advertised value but change the effective size of outgoing
1538 segments. The commonly advertised value on Ethernet networks
1539 is 1460 = 1500(MTU) - 40(IP+TCP). If this value is positive,
1540 it will be used as the advertised MSS. If it is negative, it
1541 will indicate by how much to reduce the incoming connection's
1542 advertised MSS for outgoing segments. This parameter is only
1543 compatible with TCP sockets.
Willy Tarreaube1b9182009-06-14 18:48:19 +02001544
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001545 <id> is a persistent value for socket ID. Must be positive and
1546 unique in the proxy. An unused value will automatically be
1547 assigned if unset. Can only be used when defining only a
1548 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001549
1550 <name> is an optional name provided for stats
1551
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001552 <mode> is the octal mode used to define access permissions on the
1553 UNIX socket. It can also be set by default in the global
1554 section's "unix-bind" statement. Note that some platforms
1555 simply ignore this.
1556
1557 <user> is the name of user that will be marked owner of the UNIX
1558 socket. It can also be set by default in the global
1559 section's "unix-bind" statement. Note that some platforms
1560 simply ignore this.
1561
1562 <group> is the name of a group that will be used to create the UNIX
1563 socket. It can also be set by default in the global section's
1564 "unix-bind" statement. Note that some platforms simply ignore
1565 this.
1566
1567 <uid> is the uid of user that will be marked owner of the UNIX
1568 socket. It can also be set by default in the global section's
1569 "unix-bind" statement. Note that some platforms simply ignore
1570 this.
1571
1572 <gid> is the gid of a group that will be used to create the UNIX
1573 socket. It can also be set by default in the global section's
1574 "unix-bind" statement. Note that some platforms simply ignore
1575 this.
1576
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001577 transparent is an optional keyword which is supported only on certain
1578 Linux kernels. It indicates that the addresses will be bound
1579 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001580 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001581 the address was locally configured. This normally requires
1582 that IP forwarding is enabled. Caution! do not use this with
1583 the default address '*', as it would redirect any traffic for
1584 the specified port. This keyword is available only when
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001585 HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
1586 only compatible with TCP sockets.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001587
Willy Tarreau59f89202010-10-02 11:54:00 +02001588 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001589 Linux kernels. It states that a connection will only be
1590 accepted once some data arrive on it, or at worst after the
1591 first retransmit. This should be used only on protocols for
1592 which the client talks first (eg: HTTP). It can slightly
1593 improve performance by ensuring that most of the request is
1594 already available when the connection is accepted. On the
1595 other hand, it will not be able to detect connections which
1596 don't talk. It is important to note that this option is
1597 broken in all kernels up to 2.6.31, as the connection is
1598 never accepted until the client talks. This can cause issues
1599 with front firewalls which would see an established
1600 connection while the proxy will only see it in SYN_RECV.
1601
Willy Tarreau71c814e2010-10-29 21:56:16 +02001602 accept-proxy is an optional keyword which enforces use of the PROXY
1603 protocol over any connection accepted by this listener. The
1604 PROXY protocol dictates the layer 3/4 addresses of the
1605 incoming connection to be used everywhere an address is used,
1606 with the only exception of "tcp-request connection" rules
1607 which will only see the real connection address. Logs will
1608 reflect the addresses indicated in the protocol, unless it is
1609 violated, in which case the real address will still be used.
1610 This keyword combined with support from external components
1611 can be used as an efficient and reliable alternative to the
1612 X-Forwarded-For mechanism which is not always reliable and
1613 not even always usable.
1614
Willy Tarreau0ba27502007-12-24 16:55:16 +01001615 It is possible to specify a list of address:port combinations delimited by
1616 commas. The frontend will then listen on all of these addresses. There is no
1617 fixed limit to the number of addresses and ports which can be listened on in
1618 a frontend, as well as there is no limit to the number of "bind" statements
1619 in a frontend.
1620
1621 Example :
1622 listen http_proxy
1623 bind :80,:443
1624 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001625 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001626
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001627 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreau71c814e2010-10-29 21:56:16 +02001628 documentation.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001629
1630
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001631bind-process [ all | odd | even | <number 1-32> ] ...
1632 Limit visibility of an instance to a certain set of processes numbers.
1633 May be used in sections : defaults | frontend | listen | backend
1634 yes | yes | yes | yes
1635 Arguments :
1636 all All process will see this instance. This is the default. It
1637 may be used to override a default value.
1638
1639 odd This instance will be enabled on processes 1,3,5,...31. This
1640 option may be combined with other numbers.
1641
1642 even This instance will be enabled on processes 2,4,6,...32. This
1643 option may be combined with other numbers. Do not use it
1644 with less than 2 processes otherwise some instances might be
1645 missing from all processes.
1646
1647 number The instance will be enabled on this process number, between
1648 1 and 32. You must be careful not to reference a process
1649 number greater than the configured global.nbproc, otherwise
1650 some instances might be missing from all processes.
1651
1652 This keyword limits binding of certain instances to certain processes. This
1653 is useful in order not to have too many processes listening to the same
1654 ports. For instance, on a dual-core machine, it might make sense to set
1655 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1656 and 'even' instances.
1657
1658 At the moment, it is not possible to reference more than 32 processes using
1659 this keyword, but this should be more than enough for most setups. Please
1660 note that 'all' really means all processes and is not limited to the first
1661 32.
1662
1663 If some backends are referenced by frontends bound to other processes, the
1664 backend automatically inherits the frontend's processes.
1665
1666 Example :
1667 listen app_ip1
1668 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001669 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001670
1671 listen app_ip2
1672 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001673 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001674
1675 listen management
1676 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001677 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001678
1679 See also : "nbproc" in global section.
1680
1681
Willy Tarreau0ba27502007-12-24 16:55:16 +01001682block { if | unless } <condition>
1683 Block a layer 7 request if/unless a condition is matched
1684 May be used in sections : defaults | frontend | listen | backend
1685 no | yes | yes | yes
1686
1687 The HTTP request will be blocked very early in the layer 7 processing
1688 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001689 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001690 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001691 conditions are met or not met. There is no fixed limit to the number of
1692 "block" statements per instance.
1693
1694 Example:
1695 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1696 acl invalid_src src_port 0:1023
1697 acl local_dst hdr(host) -i localhost
1698 block if invalid_src || local_dst
1699
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001700 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001701
1702
1703capture cookie <name> len <length>
1704 Capture and log a cookie in the request and in the response.
1705 May be used in sections : defaults | frontend | listen | backend
1706 no | yes | yes | no
1707 Arguments :
1708 <name> is the beginning of the name of the cookie to capture. In order
1709 to match the exact name, simply suffix the name with an equal
1710 sign ('='). The full name will appear in the logs, which is
1711 useful with application servers which adjust both the cookie name
1712 and value (eg: ASPSESSIONXXXXX).
1713
1714 <length> is the maximum number of characters to report in the logs, which
1715 include the cookie name, the equal sign and the value, all in the
1716 standard "name=value" form. The string will be truncated on the
1717 right if it exceeds <length>.
1718
1719 Only the first cookie is captured. Both the "cookie" request headers and the
1720 "set-cookie" response headers are monitored. This is particularly useful to
1721 check for application bugs causing session crossing or stealing between
1722 users, because generally the user's cookies can only change on a login page.
1723
1724 When the cookie was not presented by the client, the associated log column
1725 will report "-". When a request does not cause a cookie to be assigned by the
1726 server, a "-" is reported in the response column.
1727
1728 The capture is performed in the frontend only because it is necessary that
1729 the log format does not change for a given frontend depending on the
1730 backends. This may change in the future. Note that there can be only one
1731 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001732 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001733 specify a capture in a "defaults" section.
1734
1735 Example:
1736 capture cookie ASPSESSION len 32
1737
1738 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001739 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001740
1741
1742capture request header <name> len <length>
1743 Capture and log the first occurrence of the specified request header.
1744 May be used in sections : defaults | frontend | listen | backend
1745 no | yes | yes | no
1746 Arguments :
1747 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001748 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001749 appear in the requests, with the first letter of each word in
1750 upper case. The header name will not appear in the logs, only the
1751 value is reported, but the position in the logs is respected.
1752
1753 <length> is the maximum number of characters to extract from the value and
1754 report in the logs. The string will be truncated on the right if
1755 it exceeds <length>.
1756
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001757 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001758 value will be added to the logs between braces ('{}'). If multiple headers
1759 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001760 in the same order they were declared in the configuration. Non-existent
1761 headers will be logged just as an empty string. Common uses for request
1762 header captures include the "Host" field in virtual hosting environments, the
1763 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001764 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001765 environments to find where the request came from.
1766
1767 Note that when capturing headers such as "User-agent", some spaces may be
1768 logged, making the log analysis more difficult. Thus be careful about what
1769 you log if you know your log parser is not smart enough to rely on the
1770 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001771
1772 There is no limit to the number of captured request headers, but each capture
1773 is limited to 64 characters. In order to keep log format consistent for a
1774 same frontend, header captures can only be declared in a frontend. It is not
1775 possible to specify a capture in a "defaults" section.
1776
1777 Example:
1778 capture request header Host len 15
1779 capture request header X-Forwarded-For len 15
1780 capture request header Referrer len 15
1781
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001782 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001783 about logging.
1784
1785
1786capture response header <name> len <length>
1787 Capture and log the first occurrence of the specified response header.
1788 May be used in sections : defaults | frontend | listen | backend
1789 no | yes | yes | no
1790 Arguments :
1791 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001792 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001793 appear in the response, with the first letter of each word in
1794 upper case. The header name will not appear in the logs, only the
1795 value is reported, but the position in the logs is respected.
1796
1797 <length> is the maximum number of characters to extract from the value and
1798 report in the logs. The string will be truncated on the right if
1799 it exceeds <length>.
1800
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001801 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001802 result will be added to the logs between braces ('{}') after the captured
1803 request headers. If multiple headers are captured, they will be delimited by
1804 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001805 the configuration. Non-existent headers will be logged just as an empty
1806 string. Common uses for response header captures include the "Content-length"
1807 header which indicates how many bytes are expected to be returned, the
1808 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001809
1810 There is no limit to the number of captured response headers, but each
1811 capture is limited to 64 characters. In order to keep log format consistent
1812 for a same frontend, header captures can only be declared in a frontend. It
1813 is not possible to specify a capture in a "defaults" section.
1814
1815 Example:
1816 capture response header Content-length len 9
1817 capture response header Location len 15
1818
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001819 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001820 about logging.
1821
1822
Cyril Bontéf0c60612010-02-06 14:44:47 +01001823clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001824 Set the maximum inactivity time on the client side.
1825 May be used in sections : defaults | frontend | listen | backend
1826 yes | yes | yes | no
1827 Arguments :
1828 <timeout> is the timeout value is specified in milliseconds by default, but
1829 can be in any other unit if the number is suffixed by the unit,
1830 as explained at the top of this document.
1831
1832 The inactivity timeout applies when the client is expected to acknowledge or
1833 send data. In HTTP mode, this timeout is particularly important to consider
1834 during the first phase, when the client sends the request, and during the
1835 response while it is reading data sent by the server. The value is specified
1836 in milliseconds by default, but can be in any other unit if the number is
1837 suffixed by the unit, as specified at the top of this document. In TCP mode
1838 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1839 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001840 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001841 losses by specifying timeouts that are slightly above multiples of 3 seconds
1842 (eg: 4 or 5 seconds).
1843
1844 This parameter is specific to frontends, but can be specified once for all in
1845 "defaults" sections. This is in fact one of the easiest solutions not to
1846 forget about it. An unspecified timeout results in an infinite timeout, which
1847 is not recommended. Such a usage is accepted and works but reports a warning
1848 during startup because it may results in accumulation of expired sessions in
1849 the system if the system's timeouts are not configured either.
1850
1851 This parameter is provided for compatibility but is currently deprecated.
1852 Please use "timeout client" instead.
1853
Willy Tarreau036fae02008-01-06 13:24:40 +01001854 See also : "timeout client", "timeout http-request", "timeout server", and
1855 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001856
1857
Cyril Bontéf0c60612010-02-06 14:44:47 +01001858contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001859 Set the maximum time to wait for a connection attempt to a server to succeed.
1860 May be used in sections : defaults | frontend | listen | backend
1861 yes | no | yes | yes
1862 Arguments :
1863 <timeout> is the timeout value is specified in milliseconds by default, but
1864 can be in any other unit if the number is suffixed by the unit,
1865 as explained at the top of this document.
1866
1867 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001868 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001869 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001870 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1871 connect timeout also presets the queue timeout to the same value if this one
1872 has not been specified. Historically, the contimeout was also used to set the
1873 tarpit timeout in a listen section, which is not possible in a pure frontend.
1874
1875 This parameter is specific to backends, but can be specified once for all in
1876 "defaults" sections. This is in fact one of the easiest solutions not to
1877 forget about it. An unspecified timeout results in an infinite timeout, which
1878 is not recommended. Such a usage is accepted and works but reports a warning
1879 during startup because it may results in accumulation of failed sessions in
1880 the system if the system's timeouts are not configured either.
1881
1882 This parameter is provided for backwards compatibility but is currently
1883 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1884 instead.
1885
1886 See also : "timeout connect", "timeout queue", "timeout tarpit",
1887 "timeout server", "contimeout".
1888
1889
Willy Tarreau55165fe2009-05-10 12:02:55 +02001890cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001891 [ postonly ] [ preserve ] [ domain <domain> ]*
Willy Tarreau996a92c2010-10-13 19:30:47 +02001892 [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001893 Enable cookie-based persistence in a backend.
1894 May be used in sections : defaults | frontend | listen | backend
1895 yes | no | yes | yes
1896 Arguments :
1897 <name> is the name of the cookie which will be monitored, modified or
1898 inserted in order to bring persistence. This cookie is sent to
1899 the client via a "Set-Cookie" header in the response, and is
1900 brought back by the client in a "Cookie" header in all requests.
1901 Special care should be taken to choose a name which does not
1902 conflict with any likely application cookie. Also, if the same
1903 backends are subject to be used by the same clients (eg:
1904 HTTP/HTTPS), care should be taken to use different cookie names
1905 between all backends if persistence between them is not desired.
1906
1907 rewrite This keyword indicates that the cookie will be provided by the
1908 server and that haproxy will have to modify its value to set the
1909 server's identifier in it. This mode is handy when the management
1910 of complex combinations of "Set-cookie" and "Cache-control"
1911 headers is left to the application. The application can then
1912 decide whether or not it is appropriate to emit a persistence
1913 cookie. Since all responses should be monitored, this mode only
1914 works in HTTP close mode. Unless the application behaviour is
1915 very complex and/or broken, it is advised not to start with this
1916 mode for new deployments. This keyword is incompatible with
1917 "insert" and "prefix".
1918
1919 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001920 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001921
Willy Tarreaua79094d2010-08-31 22:54:15 +02001922 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001923 server. When used without the "preserve" option, if the server
1924 emits a cookie with the same name, it will be remove before
1925 processing. For this reason, this mode can be used to upgrade
1926 existing configurations running in the "rewrite" mode. The cookie
1927 will only be a session cookie and will not be stored on the
1928 client's disk. By default, unless the "indirect" option is added,
1929 the server will see the cookies emitted by the client. Due to
1930 caching effects, it is generally wise to add the "nocache" or
1931 "postonly" keywords (see below). The "insert" keyword is not
1932 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001933
1934 prefix This keyword indicates that instead of relying on a dedicated
1935 cookie for the persistence, an existing one will be completed.
1936 This may be needed in some specific environments where the client
1937 does not support more than one single cookie and the application
1938 already needs it. In this case, whenever the server sets a cookie
1939 named <name>, it will be prefixed with the server's identifier
1940 and a delimiter. The prefix will be removed from all client
1941 requests so that the server still finds the cookie it emitted.
1942 Since all requests and responses are subject to being modified,
1943 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02001944 not compatible with "rewrite" and "insert". Note: it is highly
1945 recommended not to use "indirect" with "prefix", otherwise server
1946 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001947
Willy Tarreaua79094d2010-08-31 22:54:15 +02001948 indirect When this option is specified, no cookie will be emitted to a
1949 client which already has a valid one for the server which has
1950 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001951 it will be removed, unless the "preserve" option is also set. In
1952 "insert" mode, this will additionally remove cookies from the
1953 requests transmitted to the server, making the persistence
1954 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02001955 Note: it is highly recommended not to use "indirect" with
1956 "prefix", otherwise server cookie updates would not be sent to
1957 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001958
1959 nocache This option is recommended in conjunction with the insert mode
1960 when there is a cache between the client and HAProxy, as it
1961 ensures that a cacheable response will be tagged non-cacheable if
1962 a cookie needs to be inserted. This is important because if all
1963 persistence cookies are added on a cacheable home page for
1964 instance, then all customers will then fetch the page from an
1965 outer cache and will all share the same persistence cookie,
1966 leading to one server receiving much more traffic than others.
1967 See also the "insert" and "postonly" options.
1968
1969 postonly This option ensures that cookie insertion will only be performed
1970 on responses to POST requests. It is an alternative to the
1971 "nocache" option, because POST responses are not cacheable, so
1972 this ensures that the persistence cookie will never get cached.
1973 Since most sites do not need any sort of persistence before the
1974 first POST which generally is a login request, this is a very
1975 efficient method to optimize caching without risking to find a
1976 persistence cookie in the cache.
1977 See also the "insert" and "nocache" options.
1978
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001979 preserve This option may only be used with "insert" and/or "indirect". It
1980 allows the server to emit the persistence cookie itself. In this
1981 case, if a cookie is found in the response, haproxy will leave it
1982 untouched. This is useful in order to end persistence after a
1983 logout request for instance. For this, the server just has to
1984 emit a cookie with an invalid value (eg: empty) or with a date in
1985 the past. By combining this mechanism with the "disable-on-404"
1986 check option, it is possible to perform a completely graceful
1987 shutdown because users will definitely leave the server after
1988 they logout.
1989
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001990 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001991 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001992 name. If the domain begins with a dot, the browser is allowed to
1993 use it for any host ending with that name. It is also possible to
1994 specify several domain names by invoking this option multiple
1995 times. Some browsers might have small limits on the number of
1996 domains, so be careful when doing that. For the record, sending
1997 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001998
Willy Tarreau996a92c2010-10-13 19:30:47 +02001999 maxidle This option allows inserted cookies to be ignored after some idle
2000 time. It only works with insert-mode cookies. When a cookie is
2001 sent to the client, the date this cookie was emitted is sent too.
2002 Upon further presentations of this cookie, if the date is older
2003 than the delay indicated by the parameter (in seconds), it will
2004 be ignored. Otherwise, it will be refreshed if needed when the
2005 response is sent to the client. This is particularly useful to
2006 prevent users who never close their browsers from remaining for
2007 too long on the same server (eg: after a farm size change). When
2008 this option is set and a cookie has no date, it is always
2009 accepted, but gets refreshed in the response. This maintains the
2010 ability for admins to access their sites. Cookies that have a
2011 date in the future further than 24 hours are ignored. Doing so
2012 lets admins fix timezone issues without risking kicking users off
2013 the site.
2014
2015 maxlife This option allows inserted cookies to be ignored after some life
2016 time, whether they're in use or not. It only works with insert
2017 mode cookies. When a cookie is first sent to the client, the date
2018 this cookie was emitted is sent too. Upon further presentations
2019 of this cookie, if the date is older than the delay indicated by
2020 the parameter (in seconds), it will be ignored. If the cookie in
2021 the request has no date, it is accepted and a date will be set.
2022 Cookies that have a date in the future further than 24 hours are
2023 ignored. Doing so lets admins fix timezone issues without risking
2024 kicking users off the site. Contrary to maxidle, this value is
2025 not refreshed, only the first visit date counts. Both maxidle and
2026 maxlife may be used at the time. This is particularly useful to
2027 prevent users who never close their browsers from remaining for
2028 too long on the same server (eg: after a farm size change). This
2029 is stronger than the maxidle method in that it forces a
2030 redispatch after some absolute delay.
2031
Willy Tarreau0ba27502007-12-24 16:55:16 +01002032 There can be only one persistence cookie per HTTP backend, and it can be
2033 declared in a defaults section. The value of the cookie will be the value
2034 indicated after the "cookie" keyword in a "server" statement. If no cookie
2035 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002036
Willy Tarreau0ba27502007-12-24 16:55:16 +01002037 Examples :
2038 cookie JSESSIONID prefix
2039 cookie SRV insert indirect nocache
2040 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002041 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002042
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002043 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002044 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002045
Willy Tarreau983e01e2010-01-11 18:42:06 +01002046
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002047default-server [param*]
2048 Change default options for a server in a backend
2049 May be used in sections : defaults | frontend | listen | backend
2050 yes | no | yes | yes
2051 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002052 <param*> is a list of parameters for this server. The "default-server"
2053 keyword accepts an important number of options and has a complete
2054 section dedicated to it. Please refer to section 5 for more
2055 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002056
Willy Tarreau983e01e2010-01-11 18:42:06 +01002057 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002058 default-server inter 1000 weight 13
2059
2060 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002061
Willy Tarreau983e01e2010-01-11 18:42:06 +01002062
Willy Tarreau0ba27502007-12-24 16:55:16 +01002063default_backend <backend>
2064 Specify the backend to use when no "use_backend" rule has been matched.
2065 May be used in sections : defaults | frontend | listen | backend
2066 yes | yes | yes | no
2067 Arguments :
2068 <backend> is the name of the backend to use.
2069
2070 When doing content-switching between frontend and backends using the
2071 "use_backend" keyword, it is often useful to indicate which backend will be
2072 used when no rule has matched. It generally is the dynamic backend which
2073 will catch all undetermined requests.
2074
Willy Tarreau0ba27502007-12-24 16:55:16 +01002075 Example :
2076
2077 use_backend dynamic if url_dyn
2078 use_backend static if url_css url_img extension_img
2079 default_backend dynamic
2080
Willy Tarreau2769aa02007-12-27 18:26:09 +01002081 See also : "use_backend", "reqsetbe", "reqisetbe"
2082
Willy Tarreau0ba27502007-12-24 16:55:16 +01002083
2084disabled
2085 Disable a proxy, frontend or backend.
2086 May be used in sections : defaults | frontend | listen | backend
2087 yes | yes | yes | yes
2088 Arguments : none
2089
2090 The "disabled" keyword is used to disable an instance, mainly in order to
2091 liberate a listening port or to temporarily disable a service. The instance
2092 will still be created and its configuration will be checked, but it will be
2093 created in the "stopped" state and will appear as such in the statistics. It
2094 will not receive any traffic nor will it send any health-checks or logs. It
2095 is possible to disable many instances at once by adding the "disabled"
2096 keyword in a "defaults" section.
2097
2098 See also : "enabled"
2099
2100
Willy Tarreau5ce94572010-06-07 14:35:41 +02002101dispatch <address>:<port>
2102 Set a default server address
2103 May be used in sections : defaults | frontend | listen | backend
2104 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002105 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002106
2107 <address> is the IPv4 address of the default server. Alternatively, a
2108 resolvable hostname is supported, but this name will be resolved
2109 during start-up.
2110
2111 <ports> is a mandatory port specification. All connections will be sent
2112 to this port, and it is not permitted to use port offsets as is
2113 possible with normal servers.
2114
Willy Tarreau787aed52011-04-15 06:45:37 +02002115 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002116 server can take the connection. In the past it was used to forward non
2117 persistent connections to an auxiliary load balancer. Due to its simple
2118 syntax, it has also been used for simple TCP relays. It is recommended not to
2119 use it for more clarity, and to use the "server" directive instead.
2120
2121 See also : "server"
2122
2123
Willy Tarreau0ba27502007-12-24 16:55:16 +01002124enabled
2125 Enable a proxy, frontend or backend.
2126 May be used in sections : defaults | frontend | listen | backend
2127 yes | yes | yes | yes
2128 Arguments : none
2129
2130 The "enabled" keyword is used to explicitly enable an instance, when the
2131 defaults has been set to "disabled". This is very rarely used.
2132
2133 See also : "disabled"
2134
2135
2136errorfile <code> <file>
2137 Return a file contents instead of errors generated by HAProxy
2138 May be used in sections : defaults | frontend | listen | backend
2139 yes | yes | yes | yes
2140 Arguments :
2141 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002142 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002143
2144 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002145 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002146 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002147 error pages, and to use absolute paths, since files are read
2148 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002149
2150 It is important to understand that this keyword is not meant to rewrite
2151 errors returned by the server, but errors detected and returned by HAProxy.
2152 This is why the list of supported errors is limited to a small set.
2153
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002154 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2155
Willy Tarreau0ba27502007-12-24 16:55:16 +01002156 The files are returned verbatim on the TCP socket. This allows any trick such
2157 as redirections to another URL or site, as well as tricks to clean cookies,
2158 force enable or disable caching, etc... The package provides default error
2159 files returning the same contents as default errors.
2160
Willy Tarreau59140a22009-02-22 12:02:30 +01002161 The files should not exceed the configured buffer size (BUFSIZE), which
2162 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2163 not to put any reference to local contents (eg: images) in order to avoid
2164 loops between the client and HAProxy when all servers are down, causing an
2165 error to be returned instead of an image. For better HTTP compliance, it is
2166 recommended that all header lines end with CR-LF and not LF alone.
2167
Willy Tarreau0ba27502007-12-24 16:55:16 +01002168 The files are read at the same time as the configuration and kept in memory.
2169 For this reason, the errors continue to be returned even when the process is
2170 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002171 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002172 403 status code and interrogating a blocked URL.
2173
2174 See also : "errorloc", "errorloc302", "errorloc303"
2175
Willy Tarreau59140a22009-02-22 12:02:30 +01002176 Example :
2177 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
2178 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2179 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2180
Willy Tarreau2769aa02007-12-27 18:26:09 +01002181
2182errorloc <code> <url>
2183errorloc302 <code> <url>
2184 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2185 May be used in sections : defaults | frontend | listen | backend
2186 yes | yes | yes | yes
2187 Arguments :
2188 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002189 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002190
2191 <url> it is the exact contents of the "Location" header. It may contain
2192 either a relative URI to an error page hosted on the same site,
2193 or an absolute URI designating an error page on another site.
2194 Special care should be given to relative URIs to avoid redirect
2195 loops if the URI itself may generate the same error (eg: 500).
2196
2197 It is important to understand that this keyword is not meant to rewrite
2198 errors returned by the server, but errors detected and returned by HAProxy.
2199 This is why the list of supported errors is limited to a small set.
2200
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002201 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2202
Willy Tarreau2769aa02007-12-27 18:26:09 +01002203 Note that both keyword return the HTTP 302 status code, which tells the
2204 client to fetch the designated URL using the same HTTP method. This can be
2205 quite problematic in case of non-GET methods such as POST, because the URL
2206 sent to the client might not be allowed for something other than GET. To
2207 workaround this problem, please use "errorloc303" which send the HTTP 303
2208 status code, indicating to the client that the URL must be fetched with a GET
2209 request.
2210
2211 See also : "errorfile", "errorloc303"
2212
2213
2214errorloc303 <code> <url>
2215 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2216 May be used in sections : defaults | frontend | listen | backend
2217 yes | yes | yes | yes
2218 Arguments :
2219 <code> is the HTTP status code. Currently, HAProxy is capable of
2220 generating codes 400, 403, 408, 500, 502, 503, and 504.
2221
2222 <url> it is the exact contents of the "Location" header. It may contain
2223 either a relative URI to an error page hosted on the same site,
2224 or an absolute URI designating an error page on another site.
2225 Special care should be given to relative URIs to avoid redirect
2226 loops if the URI itself may generate the same error (eg: 500).
2227
2228 It is important to understand that this keyword is not meant to rewrite
2229 errors returned by the server, but errors detected and returned by HAProxy.
2230 This is why the list of supported errors is limited to a small set.
2231
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002232 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2233
Willy Tarreau2769aa02007-12-27 18:26:09 +01002234 Note that both keyword return the HTTP 303 status code, which tells the
2235 client to fetch the designated URL using the same HTTP GET method. This
2236 solves the usual problems associated with "errorloc" and the 302 code. It is
2237 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002238 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002239
2240 See also : "errorfile", "errorloc", "errorloc302"
2241
2242
Willy Tarreau4de91492010-01-22 19:10:05 +01002243force-persist { if | unless } <condition>
2244 Declare a condition to force persistence on down servers
2245 May be used in sections: defaults | frontend | listen | backend
2246 no | yes | yes | yes
2247
2248 By default, requests are not dispatched to down servers. It is possible to
2249 force this using "option persist", but it is unconditional and redispatches
2250 to a valid server if "option redispatch" is set. That leaves with very little
2251 possibilities to force some requests to reach a server which is artificially
2252 marked down for maintenance operations.
2253
2254 The "force-persist" statement allows one to declare various ACL-based
2255 conditions which, when met, will cause a request to ignore the down status of
2256 a server and still try to connect to it. That makes it possible to start a
2257 server, still replying an error to the health checks, and run a specially
2258 configured browser to test the service. Among the handy methods, one could
2259 use a specific source IP address, or a specific cookie. The cookie also has
2260 the advantage that it can easily be added/removed on the browser from a test
2261 page. Once the service is validated, it is then possible to open the service
2262 to the world by returning a valid response to health checks.
2263
2264 The forced persistence is enabled when an "if" condition is met, or unless an
2265 "unless" condition is met. The final redispatch is always disabled when this
2266 is used.
2267
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002268 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002269 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002270
2271
Willy Tarreau2769aa02007-12-27 18:26:09 +01002272fullconn <conns>
2273 Specify at what backend load the servers will reach their maxconn
2274 May be used in sections : defaults | frontend | listen | backend
2275 yes | no | yes | yes
2276 Arguments :
2277 <conns> is the number of connections on the backend which will make the
2278 servers use the maximal number of connections.
2279
Willy Tarreau198a7442008-01-17 12:05:32 +01002280 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002281 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002282 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002283 load. The server will then always accept at least <minconn> connections,
2284 never more than <maxconn>, and the limit will be on the ramp between both
2285 values when the backend has less than <conns> concurrent connections. This
2286 makes it possible to limit the load on the servers during normal loads, but
2287 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002288 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002289
Willy Tarreaufbb78422011-06-05 15:38:35 +02002290 Since it's hard to get this value right, haproxy automatically sets it to
2291 10% of the sum of the maxconns of all frontends that may branch to this
2292 backend. That way it's safe to leave it unset.
2293
Willy Tarreau2769aa02007-12-27 18:26:09 +01002294 Example :
2295 # The servers will accept between 100 and 1000 concurrent connections each
2296 # and the maximum of 1000 will be reached when the backend reaches 10000
2297 # connections.
2298 backend dynamic
2299 fullconn 10000
2300 server srv1 dyn1:80 minconn 100 maxconn 1000
2301 server srv2 dyn2:80 minconn 100 maxconn 1000
2302
2303 See also : "maxconn", "server"
2304
2305
2306grace <time>
2307 Maintain a proxy operational for some time after a soft stop
2308 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002309 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002310 Arguments :
2311 <time> is the time (by default in milliseconds) for which the instance
2312 will remain operational with the frontend sockets still listening
2313 when a soft-stop is received via the SIGUSR1 signal.
2314
2315 This may be used to ensure that the services disappear in a certain order.
2316 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002317 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002318 needed by the equipment to detect the failure.
2319
2320 Note that currently, there is very little benefit in using this parameter,
2321 and it may in fact complicate the soft-reconfiguration process more than
2322 simplify it.
2323
Willy Tarreau0ba27502007-12-24 16:55:16 +01002324
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002325hash-type <method>
2326 Specify a method to use for mapping hashes to servers
2327 May be used in sections : defaults | frontend | listen | backend
2328 yes | no | yes | yes
2329 Arguments :
2330 map-based the hash table is a static array containing all alive servers.
2331 The hashes will be very smooth, will consider weights, but will
2332 be static in that weight changes while a server is up will be
2333 ignored. This means that there will be no slow start. Also,
2334 since a server is selected by its position in the array, most
2335 mappings are changed when the server count changes. This means
2336 that when a server goes up or down, or when a server is added
2337 to a farm, most connections will be redistributed to different
2338 servers. This can be inconvenient with caches for instance.
2339
Willy Tarreau798a39c2010-11-24 15:04:29 +01002340 avalanche this mechanism uses the default map-based hashing described
2341 above but applies a full avalanche hash before performing the
2342 mapping. The result is a slightly less smooth hash for most
2343 situations, but the hash becomes better than pure map-based
2344 hashes when the number of servers is a multiple of the size of
2345 the input set. When using URI hash with a number of servers
2346 multiple of 64, it's desirable to change the hash type to
2347 this value.
2348
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002349 consistent the hash table is a tree filled with many occurrences of each
2350 server. The hash key is looked up in the tree and the closest
2351 server is chosen. This hash is dynamic, it supports changing
2352 weights while the servers are up, so it is compatible with the
2353 slow start feature. It has the advantage that when a server
2354 goes up or down, only its associations are moved. When a server
2355 is added to the farm, only a few part of the mappings are
2356 redistributed, making it an ideal algorithm for caches.
2357 However, due to its principle, the algorithm will never be very
2358 smooth and it may sometimes be necessary to adjust a server's
2359 weight or its ID to get a more balanced distribution. In order
2360 to get the same distribution on multiple load balancers, it is
2361 important that all servers have the same IDs.
2362
2363 The default hash type is "map-based" and is recommended for most usages.
2364
2365 See also : "balance", "server"
2366
2367
Willy Tarreau0ba27502007-12-24 16:55:16 +01002368http-check disable-on-404
2369 Enable a maintenance mode upon HTTP/404 response to health-checks
2370 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002371 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002372 Arguments : none
2373
2374 When this option is set, a server which returns an HTTP code 404 will be
2375 excluded from further load-balancing, but will still receive persistent
2376 connections. This provides a very convenient method for Web administrators
2377 to perform a graceful shutdown of their servers. It is also important to note
2378 that a server which is detected as failed while it was in this mode will not
2379 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2380 will immediately be reinserted into the farm. The status on the stats page
2381 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002382 option only works in conjunction with the "httpchk" option. If this option
2383 is used with "http-check expect", then it has precedence over it so that 404
2384 responses will still be considered as soft-stop.
2385
2386 See also : "option httpchk", "http-check expect"
2387
2388
2389http-check expect [!] <match> <pattern>
2390 Make HTTP health checks consider reponse contents or specific status codes
2391 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002392 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002393 Arguments :
2394 <match> is a keyword indicating how to look for a specific pattern in the
2395 response. The keyword may be one of "status", "rstatus",
Cyril Bontédc4d9032012-04-08 21:57:39 +02002396 "string", or "rstring". The keyword may be preceeded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002397 exclamation mark ("!") to negate the match. Spaces are allowed
2398 between the exclamation mark and the keyword. See below for more
2399 details on the supported keywords.
2400
2401 <pattern> is the pattern to look for. It may be a string or a regular
2402 expression. If the pattern contains spaces, they must be escaped
2403 with the usual backslash ('\').
2404
2405 By default, "option httpchk" considers that response statuses 2xx and 3xx
2406 are valid, and that others are invalid. When "http-check expect" is used,
2407 it defines what is considered valid or invalid. Only one "http-check"
2408 statement is supported in a backend. If a server fails to respond or times
2409 out, the check obviously fails. The available matches are :
2410
2411 status <string> : test the exact string match for the HTTP status code.
2412 A health check respose will be considered valid if the
2413 response's status code is exactly this string. If the
2414 "status" keyword is prefixed with "!", then the response
2415 will be considered invalid if the status code matches.
2416
2417 rstatus <regex> : test a regular expression for the HTTP status code.
2418 A health check respose will be considered valid if the
2419 response's status code matches the expression. If the
2420 "rstatus" keyword is prefixed with "!", then the response
2421 will be considered invalid if the status code matches.
2422 This is mostly used to check for multiple codes.
2423
2424 string <string> : test the exact string match in the HTTP response body.
2425 A health check respose will be considered valid if the
2426 response's body contains this exact string. If the
2427 "string" keyword is prefixed with "!", then the response
2428 will be considered invalid if the body contains this
2429 string. This can be used to look for a mandatory word at
2430 the end of a dynamic page, or to detect a failure when a
2431 specific error appears on the check page (eg: a stack
2432 trace).
2433
2434 rstring <regex> : test a regular expression on the HTTP response body.
2435 A health check respose will be considered valid if the
2436 response's body matches this expression. If the "rstring"
2437 keyword is prefixed with "!", then the response will be
2438 considered invalid if the body matches the expression.
2439 This can be used to look for a mandatory word at the end
2440 of a dynamic page, or to detect a failure when a specific
2441 error appears on the check page (eg: a stack trace).
2442
2443 It is important to note that the responses will be limited to a certain size
2444 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2445 Thus, too large responses may not contain the mandatory pattern when using
2446 "string" or "rstring". If a large response is absolutely required, it is
2447 possible to change the default max size by setting the global variable.
2448 However, it is worth keeping in mind that parsing very large responses can
2449 waste some CPU cycles, especially when regular expressions are used, and that
2450 it is always better to focus the checks on smaller resources.
2451
2452 Last, if "http-check expect" is combined with "http-check disable-on-404",
2453 then this last one has precedence when the server responds with 404.
2454
2455 Examples :
2456 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002457 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002458
2459 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002460 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002461
2462 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002463 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002464
2465 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002466 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002467
Willy Tarreaubd741542010-03-16 18:46:54 +01002468 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002469
2470
Willy Tarreauef781042010-01-27 11:53:01 +01002471http-check send-state
2472 Enable emission of a state header with HTTP health checks
2473 May be used in sections : defaults | frontend | listen | backend
2474 yes | no | yes | yes
2475 Arguments : none
2476
2477 When this option is set, haproxy will systematically send a special header
2478 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2479 how they are seen by haproxy. This can be used for instance when a server is
2480 manipulated without access to haproxy and the operator needs to know whether
2481 haproxy still sees it up or not, or if the server is the last one in a farm.
2482
2483 The header is composed of fields delimited by semi-colons, the first of which
2484 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2485 checks on the total number before transition, just as appears in the stats
2486 interface. Next headers are in the form "<variable>=<value>", indicating in
2487 no specific order some values available in the stats interface :
2488 - a variable "name", containing the name of the backend followed by a slash
2489 ("/") then the name of the server. This can be used when a server is
2490 checked in multiple backends.
2491
2492 - a variable "node" containing the name of the haproxy node, as set in the
2493 global "node" variable, otherwise the system's hostname if unspecified.
2494
2495 - a variable "weight" indicating the weight of the server, a slash ("/")
2496 and the total weight of the farm (just counting usable servers). This
2497 helps to know if other servers are available to handle the load when this
2498 one fails.
2499
2500 - a variable "scur" indicating the current number of concurrent connections
2501 on the server, followed by a slash ("/") then the total number of
2502 connections on all servers of the same backend.
2503
2504 - a variable "qcur" indicating the current number of requests in the
2505 server's queue.
2506
2507 Example of a header received by the application server :
2508 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2509 scur=13/22; qcur=0
2510
2511 See also : "option httpchk", "http-check disable-on-404"
2512
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002513http-request { allow | deny | auth [realm <realm>] }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002514 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002515 Access control for Layer 7 requests
2516
2517 May be used in sections: defaults | frontend | listen | backend
2518 no | yes | yes | yes
2519
2520 These set of options allow to fine control access to a
2521 frontend/listen/backend. Each option may be followed by if/unless and acl.
2522 First option with matched condition (or option without condition) is final.
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002523 For "deny" a 403 error will be returned, for "allow" normal processing is
2524 performed, for "auth" a 401/407 error code is returned so the client
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002525 should be asked to enter a username and password.
2526
2527 There is no fixed limit to the number of http-request statements per
2528 instance.
2529
2530 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002531 acl nagios src 192.168.129.3
2532 acl local_net src 192.168.0.0/16
2533 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002534
Cyril Bonté78caf842010-03-10 22:41:43 +01002535 http-request allow if nagios
2536 http-request allow if local_net auth_ok
2537 http-request auth realm Gimme if local_net auth_ok
2538 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002539
Cyril Bonté78caf842010-03-10 22:41:43 +01002540 Example:
2541 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002542
Cyril Bonté78caf842010-03-10 22:41:43 +01002543 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002544
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002545 See also : "stats http-request", section 3.4 about userlists and section 7
2546 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002547
Mark Lamourinec2247f02012-01-04 13:02:01 -05002548http-send-name-header [<header>]
2549 Add the server name to a request. Use the header string given by <header>
2550
2551 May be used in sections: defaults | frontend | listen | backend
2552 yes | no | yes | yes
2553
2554 Arguments :
2555
2556 <header> The header string to use to send the server name
2557
2558 The "http-send-name-header" statement causes the name of the target
2559 server to be added to the headers of an HTTP request. The name
2560 is added with the header string proved.
2561
2562 See also : "server"
2563
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002564id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002565 Set a persistent ID to a proxy.
2566 May be used in sections : defaults | frontend | listen | backend
2567 no | yes | yes | yes
2568 Arguments : none
2569
2570 Set a persistent ID for the proxy. This ID must be unique and positive.
2571 An unused ID will automatically be assigned if unset. The first assigned
2572 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002573
2574
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002575ignore-persist { if | unless } <condition>
2576 Declare a condition to ignore persistence
2577 May be used in sections: defaults | frontend | listen | backend
2578 no | yes | yes | yes
2579
2580 By default, when cookie persistence is enabled, every requests containing
2581 the cookie are unconditionally persistent (assuming the target server is up
2582 and running).
2583
2584 The "ignore-persist" statement allows one to declare various ACL-based
2585 conditions which, when met, will cause a request to ignore persistence.
2586 This is sometimes useful to load balance requests for static files, which
2587 oftenly don't require persistence. This can also be used to fully disable
2588 persistence for a specific User-Agent (for example, some web crawler bots).
2589
2590 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2591 the appsession table won't grow if persistence is ignored.
2592
2593 The persistence is ignored when an "if" condition is met, or unless an
2594 "unless" condition is met.
2595
2596 See also : "force-persist", "cookie", and section 7 about ACL usage.
2597
2598
Willy Tarreau2769aa02007-12-27 18:26:09 +01002599log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002600log <address> <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02002601no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01002602 Enable per-instance logging of events and traffic.
2603 May be used in sections : defaults | frontend | listen | backend
2604 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02002605
2606 Prefix :
2607 no should be used when the logger list must be flushed. For example,
2608 if you don't want to inherit from the default logger list. This
2609 prefix does not allow arguments.
2610
Willy Tarreau2769aa02007-12-27 18:26:09 +01002611 Arguments :
2612 global should be used when the instance's logging parameters are the
2613 same as the global ones. This is the most common usage. "global"
2614 replaces <address>, <facility> and <level> with those of the log
2615 entries found in the "global" section. Only one "log global"
2616 statement may be used per instance, and this form takes no other
2617 parameter.
2618
2619 <address> indicates where to send the logs. It takes the same format as
2620 for the "global" section's logs, and can be one of :
2621
2622 - An IPv4 address optionally followed by a colon (':') and a UDP
2623 port. If no port is specified, 514 is used by default (the
2624 standard syslog port).
2625
David du Colombier24bb5f52011-03-17 10:40:23 +01002626 - An IPv6 address followed by a colon (':') and optionally a UDP
2627 port. If no port is specified, 514 is used by default (the
2628 standard syslog port).
2629
Willy Tarreau2769aa02007-12-27 18:26:09 +01002630 - A filesystem path to a UNIX domain socket, keeping in mind
2631 considerations for chroot (be sure the path is accessible
2632 inside the chroot) and uid/gid (be sure the path is
2633 appropriately writeable).
2634
2635 <facility> must be one of the 24 standard syslog facilities :
2636
2637 kern user mail daemon auth syslog lpr news
2638 uucp cron auth2 ftp ntp audit alert cron2
2639 local0 local1 local2 local3 local4 local5 local6 local7
2640
2641 <level> is optional and can be specified to filter outgoing messages. By
2642 default, all messages are sent. If a level is specified, only
2643 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002644 will be sent. An optional minimum level can be specified. If it
2645 is set, logs emitted with a more severe level than this one will
2646 be capped to this level. This is used to avoid sending "emerg"
2647 messages on all terminals on some default syslog configurations.
2648 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002649
2650 emerg alert crit err warning notice info debug
2651
William Lallemand0f99e342011-10-12 17:50:54 +02002652 It is important to keep in mind that it is the frontend which decides what to
2653 log from a connection, and that in case of content switching, the log entries
2654 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002655
2656 However, backend log declaration define how and where servers status changes
2657 will be logged. Level "notice" will be used to indicate a server going up,
2658 "warning" will be used for termination signals and definitive service
2659 termination, and "alert" will be used for when a server goes down.
2660
2661 Note : According to RFC3164, messages are truncated to 1024 bytes before
2662 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002663
2664 Example :
2665 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002666 log 127.0.0.1:514 local0 notice # only send important events
2667 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002668
William Lallemand48940402012-01-30 16:47:22 +01002669log-format <string>
2670 Allows you to custom a log line.
2671
2672 See also : Custom Log Format (8.2.4)
2673
Willy Tarreau2769aa02007-12-27 18:26:09 +01002674
2675maxconn <conns>
2676 Fix the maximum number of concurrent connections on a frontend
2677 May be used in sections : defaults | frontend | listen | backend
2678 yes | yes | yes | no
2679 Arguments :
2680 <conns> is the maximum number of concurrent connections the frontend will
2681 accept to serve. Excess connections will be queued by the system
2682 in the socket's listen queue and will be served once a connection
2683 closes.
2684
2685 If the system supports it, it can be useful on big sites to raise this limit
2686 very high so that haproxy manages connection queues, instead of leaving the
2687 clients with unanswered connection attempts. This value should not exceed the
2688 global maxconn. Also, keep in mind that a connection contains two buffers
2689 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2690 consumed per established connection. That means that a medium system equipped
2691 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2692 properly tuned.
2693
2694 Also, when <conns> is set to large values, it is possible that the servers
2695 are not sized to accept such loads, and for this reason it is generally wise
2696 to assign them some reasonable connection limits.
2697
2698 See also : "server", global section's "maxconn", "fullconn"
2699
2700
2701mode { tcp|http|health }
2702 Set the running mode or protocol of the instance
2703 May be used in sections : defaults | frontend | listen | backend
2704 yes | yes | yes | yes
2705 Arguments :
2706 tcp The instance will work in pure TCP mode. A full-duplex connection
2707 will be established between clients and servers, and no layer 7
2708 examination will be performed. This is the default mode. It
2709 should be used for SSL, SSH, SMTP, ...
2710
2711 http The instance will work in HTTP mode. The client request will be
2712 analyzed in depth before connecting to any server. Any request
2713 which is not RFC-compliant will be rejected. Layer 7 filtering,
2714 processing and switching will be possible. This is the mode which
2715 brings HAProxy most of its value.
2716
2717 health The instance will work in "health" mode. It will just reply "OK"
2718 to incoming connections and close the connection. Nothing will be
2719 logged. This mode is used to reply to external components health
2720 checks. This mode is deprecated and should not be used anymore as
2721 it is possible to do the same and even better by combining TCP or
2722 HTTP modes with the "monitor" keyword.
2723
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002724 When doing content switching, it is mandatory that the frontend and the
2725 backend are in the same mode (generally HTTP), otherwise the configuration
2726 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002727
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002728 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002729 defaults http_instances
2730 mode http
2731
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002732 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002733
Willy Tarreau0ba27502007-12-24 16:55:16 +01002734
Cyril Bontéf0c60612010-02-06 14:44:47 +01002735monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002736 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002737 May be used in sections : defaults | frontend | listen | backend
2738 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002739 Arguments :
2740 if <cond> the monitor request will fail if the condition is satisfied,
2741 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002742 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002743 are met, for instance a low number of servers both in a
2744 backend and its backup.
2745
2746 unless <cond> the monitor request will succeed only if the condition is
2747 satisfied, and will fail otherwise. Such a condition may be
2748 based on a test on the presence of a minimum number of active
2749 servers in a list of backends.
2750
2751 This statement adds a condition which can force the response to a monitor
2752 request to report a failure. By default, when an external component queries
2753 the URI dedicated to monitoring, a 200 response is returned. When one of the
2754 conditions above is met, haproxy will return 503 instead of 200. This is
2755 very useful to report a site failure to an external component which may base
2756 routing advertisements between multiple sites on the availability reported by
2757 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002758 criterion. Note that "monitor fail" only works in HTTP mode. Both status
2759 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002760
2761 Example:
2762 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002763 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002764 acl site_dead nbsrv(dynamic) lt 2
2765 acl site_dead nbsrv(static) lt 2
2766 monitor-uri /site_alive
2767 monitor fail if site_dead
2768
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002769 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002770
2771
2772monitor-net <source>
2773 Declare a source network which is limited to monitor requests
2774 May be used in sections : defaults | frontend | listen | backend
2775 yes | yes | yes | no
2776 Arguments :
2777 <source> is the source IPv4 address or network which will only be able to
2778 get monitor responses to any request. It can be either an IPv4
2779 address, a host name, or an address followed by a slash ('/')
2780 followed by a mask.
2781
2782 In TCP mode, any connection coming from a source matching <source> will cause
2783 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002784 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002785 forwarding the connection to a remote server.
2786
2787 In HTTP mode, a connection coming from a source matching <source> will be
2788 accepted, the following response will be sent without waiting for a request,
2789 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2790 enough for any front-end HTTP probe to detect that the service is UP and
2791 running without forwarding the request to a backend server.
2792
2793 Monitor requests are processed very early. It is not possible to block nor
2794 divert them using ACLs. They cannot be logged either, and it is the intended
2795 purpose. They are only used to report HAProxy's health to an upper component,
2796 nothing more. Right now, it is not possible to set failure conditions on
2797 requests caught by "monitor-net".
2798
Willy Tarreau95cd2832010-03-04 23:36:33 +01002799 Last, please note that only one "monitor-net" statement can be specified in
2800 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002801
Willy Tarreau2769aa02007-12-27 18:26:09 +01002802 Example :
2803 # addresses .252 and .253 are just probing us.
2804 frontend www
2805 monitor-net 192.168.0.252/31
2806
2807 See also : "monitor fail", "monitor-uri"
2808
2809
2810monitor-uri <uri>
2811 Intercept a URI used by external components' monitor requests
2812 May be used in sections : defaults | frontend | listen | backend
2813 yes | yes | yes | no
2814 Arguments :
2815 <uri> is the exact URI which we want to intercept to return HAProxy's
2816 health status instead of forwarding the request.
2817
2818 When an HTTP request referencing <uri> will be received on a frontend,
2819 HAProxy will not forward it nor log it, but instead will return either
2820 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2821 conditions defined with "monitor fail". This is normally enough for any
2822 front-end HTTP probe to detect that the service is UP and running without
2823 forwarding the request to a backend server. Note that the HTTP method, the
2824 version and all headers are ignored, but the request must at least be valid
2825 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2826
2827 Monitor requests are processed very early. It is not possible to block nor
2828 divert them using ACLs. They cannot be logged either, and it is the intended
2829 purpose. They are only used to report HAProxy's health to an upper component,
2830 nothing more. However, it is possible to add any number of conditions using
2831 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2832 can be imagined (most often the number of available servers in a backend).
2833
2834 Example :
2835 # Use /haproxy_test to report haproxy's status
2836 frontend www
2837 mode http
2838 monitor-uri /haproxy_test
2839
2840 See also : "monitor fail", "monitor-net"
2841
Willy Tarreau0ba27502007-12-24 16:55:16 +01002842
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002843option abortonclose
2844no option abortonclose
2845 Enable or disable early dropping of aborted requests pending in queues.
2846 May be used in sections : defaults | frontend | listen | backend
2847 yes | no | yes | yes
2848 Arguments : none
2849
2850 In presence of very high loads, the servers will take some time to respond.
2851 The per-instance connection queue will inflate, and the response time will
2852 increase respective to the size of the queue times the average per-session
2853 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002854 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002855 the queue, and slowing down other users, and the servers as well, because the
2856 request will eventually be served, then aborted at the first error
2857 encountered while delivering the response.
2858
2859 As there is no way to distinguish between a full STOP and a simple output
2860 close on the client side, HTTP agents should be conservative and consider
2861 that the client might only have closed its output channel while waiting for
2862 the response. However, this introduces risks of congestion when lots of users
2863 do the same, and is completely useless nowadays because probably no client at
2864 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002865 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002866 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002867 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002868 of being the single component to break rare but valid traffic is extremely
2869 low, which adds to the temptation to be able to abort a session early while
2870 still not served and not pollute the servers.
2871
2872 In HAProxy, the user can choose the desired behaviour using the option
2873 "abortonclose". By default (without the option) the behaviour is HTTP
2874 compliant and aborted requests will be served. But when the option is
2875 specified, a session with an incoming channel closed will be aborted while
2876 it is still possible, either pending in the queue for a connection slot, or
2877 during the connection establishment if the server has not yet acknowledged
2878 the connection request. This considerably reduces the queue size and the load
2879 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002880 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002881
2882 If this option has been enabled in a "defaults" section, it can be disabled
2883 in a specific instance by prepending the "no" keyword before it.
2884
2885 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2886
2887
Willy Tarreau4076a152009-04-02 15:18:36 +02002888option accept-invalid-http-request
2889no option accept-invalid-http-request
2890 Enable or disable relaxing of HTTP request parsing
2891 May be used in sections : defaults | frontend | listen | backend
2892 yes | yes | yes | no
2893 Arguments : none
2894
2895 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2896 means that invalid characters in header names are not permitted and cause an
2897 error to be returned to the client. This is the desired behaviour as such
2898 forbidden characters are essentially used to build attacks exploiting server
2899 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2900 server will emit invalid header names for whatever reason (configuration,
2901 implementation) and the issue will not be immediately fixed. In such a case,
2902 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01002903 even if that does not make sense, by specifying this option. Similarly, the
2904 list of characters allowed to appear in a URI is well defined by RFC3986, and
2905 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
2906 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
2907 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
2908 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02002909
2910 This option should never be enabled by default as it hides application bugs
2911 and open security breaches. It should only be deployed after a problem has
2912 been confirmed.
2913
2914 When this option is enabled, erroneous header names will still be accepted in
2915 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01002916 analysis using the "show errors" request on the UNIX stats socket. Similarly,
2917 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02002918 also helps confirming that the issue has been solved.
2919
2920 If this option has been enabled in a "defaults" section, it can be disabled
2921 in a specific instance by prepending the "no" keyword before it.
2922
2923 See also : "option accept-invalid-http-response" and "show errors" on the
2924 stats socket.
2925
2926
2927option accept-invalid-http-response
2928no option accept-invalid-http-response
2929 Enable or disable relaxing of HTTP response parsing
2930 May be used in sections : defaults | frontend | listen | backend
2931 yes | no | yes | yes
2932 Arguments : none
2933
2934 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2935 means that invalid characters in header names are not permitted and cause an
2936 error to be returned to the client. This is the desired behaviour as such
2937 forbidden characters are essentially used to build attacks exploiting server
2938 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2939 server will emit invalid header names for whatever reason (configuration,
2940 implementation) and the issue will not be immediately fixed. In such a case,
2941 it is possible to relax HAProxy's header name parser to accept any character
2942 even if that does not make sense, by specifying this option.
2943
2944 This option should never be enabled by default as it hides application bugs
2945 and open security breaches. It should only be deployed after a problem has
2946 been confirmed.
2947
2948 When this option is enabled, erroneous header names will still be accepted in
2949 responses, but the complete response will be captured in order to permit
2950 later analysis using the "show errors" request on the UNIX stats socket.
2951 Doing this also helps confirming that the issue has been solved.
2952
2953 If this option has been enabled in a "defaults" section, it can be disabled
2954 in a specific instance by prepending the "no" keyword before it.
2955
2956 See also : "option accept-invalid-http-request" and "show errors" on the
2957 stats socket.
2958
2959
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002960option allbackups
2961no option allbackups
2962 Use either all backup servers at a time or only the first one
2963 May be used in sections : defaults | frontend | listen | backend
2964 yes | no | yes | yes
2965 Arguments : none
2966
2967 By default, the first operational backup server gets all traffic when normal
2968 servers are all down. Sometimes, it may be preferred to use multiple backups
2969 at once, because one will not be enough. When "option allbackups" is enabled,
2970 the load balancing will be performed among all backup servers when all normal
2971 ones are unavailable. The same load balancing algorithm will be used and the
2972 servers' weights will be respected. Thus, there will not be any priority
2973 order between the backup servers anymore.
2974
2975 This option is mostly used with static server farms dedicated to return a
2976 "sorry" page when an application is completely offline.
2977
2978 If this option has been enabled in a "defaults" section, it can be disabled
2979 in a specific instance by prepending the "no" keyword before it.
2980
2981
2982option checkcache
2983no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002984 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002985 May be used in sections : defaults | frontend | listen | backend
2986 yes | no | yes | yes
2987 Arguments : none
2988
2989 Some high-level frameworks set application cookies everywhere and do not
2990 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002991 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002992 high risk of session crossing or stealing between users traversing the same
2993 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02002994 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002995
2996 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002997 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002998 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002999 response to check if there's a risk of caching a cookie on a client-side
3000 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01003001 to the client are :
3002 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003003 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01003004 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003005 - all those that come from a POST request, provided that the server has not
3006 set a 'Cache-Control: public' header ;
3007 - those with a 'Pragma: no-cache' header
3008 - those with a 'Cache-control: private' header
3009 - those with a 'Cache-control: no-store' header
3010 - those with a 'Cache-control: max-age=0' header
3011 - those with a 'Cache-control: s-maxage=0' header
3012 - those with a 'Cache-control: no-cache' header
3013 - those with a 'Cache-control: no-cache="set-cookie"' header
3014 - those with a 'Cache-control: no-cache="set-cookie,' header
3015 (allowing other fields after set-cookie)
3016
3017 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01003018 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003019 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003020 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003021 that admins are informed that there's something to be fixed.
3022
3023 Due to the high impact on the application, the application should be tested
3024 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003025 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003026 production, as it will report potentially dangerous application behaviours.
3027
3028 If this option has been enabled in a "defaults" section, it can be disabled
3029 in a specific instance by prepending the "no" keyword before it.
3030
3031
3032option clitcpka
3033no option clitcpka
3034 Enable or disable the sending of TCP keepalive packets on the client side
3035 May be used in sections : defaults | frontend | listen | backend
3036 yes | yes | yes | no
3037 Arguments : none
3038
3039 When there is a firewall or any session-aware component between a client and
3040 a server, and when the protocol involves very long sessions with long idle
3041 periods (eg: remote desktops), there is a risk that one of the intermediate
3042 components decides to expire a session which has remained idle for too long.
3043
3044 Enabling socket-level TCP keep-alives makes the system regularly send packets
3045 to the other end of the connection, leaving it active. The delay between
3046 keep-alive probes is controlled by the system only and depends both on the
3047 operating system and its tuning parameters.
3048
3049 It is important to understand that keep-alive packets are neither emitted nor
3050 received at the application level. It is only the network stacks which sees
3051 them. For this reason, even if one side of the proxy already uses keep-alives
3052 to maintain its connection alive, those keep-alive packets will not be
3053 forwarded to the other side of the proxy.
3054
3055 Please note that this has nothing to do with HTTP keep-alive.
3056
3057 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
3058 client side of a connection, which should help when session expirations are
3059 noticed between HAProxy and a client.
3060
3061 If this option has been enabled in a "defaults" section, it can be disabled
3062 in a specific instance by prepending the "no" keyword before it.
3063
3064 See also : "option srvtcpka", "option tcpka"
3065
3066
Willy Tarreau0ba27502007-12-24 16:55:16 +01003067option contstats
3068 Enable continuous traffic statistics updates
3069 May be used in sections : defaults | frontend | listen | backend
3070 yes | yes | yes | no
3071 Arguments : none
3072
3073 By default, counters used for statistics calculation are incremented
3074 only when a session finishes. It works quite well when serving small
3075 objects, but with big ones (for example large images or archives) or
3076 with A/V streaming, a graph generated from haproxy counters looks like
3077 a hedgehog. With this option enabled counters get incremented continuously,
3078 during a whole session. Recounting touches a hotpath directly so
3079 it is not enabled by default, as it has small performance impact (~0.5%).
3080
3081
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003082option dontlog-normal
3083no option dontlog-normal
3084 Enable or disable logging of normal, successful connections
3085 May be used in sections : defaults | frontend | listen | backend
3086 yes | yes | yes | no
3087 Arguments : none
3088
3089 There are large sites dealing with several thousand connections per second
3090 and for which logging is a major pain. Some of them are even forced to turn
3091 logs off and cannot debug production issues. Setting this option ensures that
3092 normal connections, those which experience no error, no timeout, no retry nor
3093 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
3094 mode, the response status code is checked and return codes 5xx will still be
3095 logged.
3096
3097 It is strongly discouraged to use this option as most of the time, the key to
3098 complex issues is in the normal logs which will not be logged here. If you
3099 need to separate logs, see the "log-separate-errors" option instead.
3100
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003101 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003102 logging.
3103
3104
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003105option dontlognull
3106no option dontlognull
3107 Enable or disable logging of null connections
3108 May be used in sections : defaults | frontend | listen | backend
3109 yes | yes | yes | no
3110 Arguments : none
3111
3112 In certain environments, there are components which will regularly connect to
3113 various systems to ensure that they are still alive. It can be the case from
3114 another load balancer as well as from monitoring systems. By default, even a
3115 simple port probe or scan will produce a log. If those connections pollute
3116 the logs too much, it is possible to enable option "dontlognull" to indicate
3117 that a connection on which no data has been transferred will not be logged,
3118 which typically corresponds to those probes.
3119
3120 It is generally recommended not to use this option in uncontrolled
3121 environments (eg: internet), otherwise scans and other malicious activities
3122 would not be logged.
3123
3124 If this option has been enabled in a "defaults" section, it can be disabled
3125 in a specific instance by prepending the "no" keyword before it.
3126
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003127 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003128
3129
3130option forceclose
3131no option forceclose
3132 Enable or disable active connection closing after response is transferred.
3133 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01003134 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003135 Arguments : none
3136
3137 Some HTTP servers do not necessarily close the connections when they receive
3138 the "Connection: close" set by "option httpclose", and if the client does not
3139 close either, then the connection remains open till the timeout expires. This
3140 causes high number of simultaneous connections on the servers and shows high
3141 global session times in the logs.
3142
3143 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01003144 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003145 to respond. This option implicitly enables the "httpclose" option. Note that
3146 this option also enables the parsing of the full request and response, which
3147 means we can close the connection to the server very quickly, releasing some
3148 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003149
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003150 This option may also be combined with "option http-pretend-keepalive", which
3151 will disable sending of the "Connection: close" header, but will still cause
3152 the connection to be closed once the whole response is received.
3153
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003154 If this option has been enabled in a "defaults" section, it can be disabled
3155 in a specific instance by prepending the "no" keyword before it.
3156
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003157 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003158
3159
Willy Tarreau87cf5142011-08-19 22:57:24 +02003160option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003161 Enable insertion of the X-Forwarded-For header to requests sent to servers
3162 May be used in sections : defaults | frontend | listen | backend
3163 yes | yes | yes | yes
3164 Arguments :
3165 <network> is an optional argument used to disable this option for sources
3166 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02003167 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01003168 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003169
3170 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
3171 their client address. This is sometimes annoying when the client's IP address
3172 is expected in server logs. To solve this problem, the well-known HTTP header
3173 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
3174 This header contains a value representing the client's IP address. Since this
3175 header is always appended at the end of the existing header list, the server
3176 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02003177 the server's manual to find how to enable use of this standard header. Note
3178 that only the last occurrence of the header must be used, since it is really
3179 possible that the client has already brought one.
3180
Willy Tarreaud72758d2010-01-12 10:42:19 +01003181 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02003182 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01003183 have a "X-Forwarded-For" header from a different application (eg: stunnel),
3184 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02003185 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
3186 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01003187
3188 Sometimes, a same HAProxy instance may be shared between a direct client
3189 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3190 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3191 header for a known source address or network by adding the "except" keyword
3192 followed by the network address. In this case, any source IP matching the
3193 network will not cause an addition of this header. Most common uses are with
3194 private networks or 127.0.0.1.
3195
Willy Tarreau87cf5142011-08-19 22:57:24 +02003196 Alternatively, the keyword "if-none" states that the header will only be
3197 added if it is not present. This should only be used in perfectly trusted
3198 environment, as this might cause a security issue if headers reaching haproxy
3199 are under the control of the end-user.
3200
Willy Tarreauc27debf2008-01-06 08:57:02 +01003201 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02003202 least one of them uses it, the header will be added. Note that the backend's
3203 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02003204 both are defined. In the case of the "if-none" argument, if at least one of
3205 the frontend or the backend does not specify it, it wants the addition to be
3206 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003207
Willy Tarreau87cf5142011-08-19 22:57:24 +02003208 It is important to note that by default, HAProxy works in tunnel mode and
3209 only inspects the first request of a connection, meaning that only the first
3210 request will have the header appended, which is certainly not what you want.
3211 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3212 "http-server-close" options is set when using this option.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003213
Ross Westaf72a1d2008-08-03 10:51:45 +02003214 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01003215 # Public HTTP address also used by stunnel on the same machine
3216 frontend www
3217 mode http
3218 option forwardfor except 127.0.0.1 # stunnel already adds the header
3219
Ross Westaf72a1d2008-08-03 10:51:45 +02003220 # Those servers want the IP Address in X-Client
3221 backend www
3222 mode http
3223 option forwardfor header X-Client
3224
Willy Tarreau87cf5142011-08-19 22:57:24 +02003225 See also : "option httpclose", "option http-server-close",
3226 "option forceclose"
Willy Tarreauc27debf2008-01-06 08:57:02 +01003227
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003228
Willy Tarreau96e31212011-05-30 18:10:30 +02003229option http-no-delay
3230no option http-no-delay
3231 Instruct the system to favor low interactive delays over performance in HTTP
3232 May be used in sections : defaults | frontend | listen | backend
3233 yes | yes | yes | yes
3234 Arguments : none
3235
3236 In HTTP, each payload is unidirectional and has no notion of interactivity.
3237 Any agent is expected to queue data somewhat for a reasonably low delay.
3238 There are some very rare server-to-server applications that abuse the HTTP
3239 protocol and expect the payload phase to be highly interactive, with many
3240 interleaved data chunks in both directions within a single request. This is
3241 absolutely not supported by the HTTP specification and will not work across
3242 most proxies or servers. When such applications attempt to do this through
3243 haproxy, it works but they will experience high delays due to the network
3244 optimizations which favor performance by instructing the system to wait for
3245 enough data to be available in order to only send full packets. Typical
3246 delays are around 200 ms per round trip. Note that this only happens with
3247 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
3248 affected.
3249
3250 When "option http-no-delay" is present in either the frontend or the backend
3251 used by a connection, all such optimizations will be disabled in order to
3252 make the exchanges as fast as possible. Of course this offers no guarantee on
3253 the functionality, as it may break at any other place. But if it works via
3254 HAProxy, it will work as fast as possible. This option should never be used
3255 by default, and should never be used at all unless such a buggy application
3256 is discovered. The impact of using this option is an increase of bandwidth
3257 usage and CPU usage, which may significantly lower performance in high
3258 latency environments.
3259
3260
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003261option http-pretend-keepalive
3262no option http-pretend-keepalive
3263 Define whether haproxy will announce keepalive to the server or not
3264 May be used in sections : defaults | frontend | listen | backend
3265 yes | yes | yes | yes
3266 Arguments : none
3267
3268 When running with "option http-server-close" or "option forceclose", haproxy
3269 adds a "Connection: close" header to the request forwarded to the server.
3270 Unfortunately, when some servers see this header, they automatically refrain
3271 from using the chunked encoding for responses of unknown length, while this
3272 is totally unrelated. The immediate effect is that this prevents haproxy from
3273 maintaining the client connection alive. A second effect is that a client or
3274 a cache could receive an incomplete response without being aware of it, and
3275 consider the response complete.
3276
3277 By setting "option http-pretend-keepalive", haproxy will make the server
3278 believe it will keep the connection alive. The server will then not fall back
3279 to the abnormal undesired above. When haproxy gets the whole response, it
3280 will close the connection with the server just as it would do with the
3281 "forceclose" option. That way the client gets a normal response and the
3282 connection is correctly closed on the server side.
3283
3284 It is recommended not to enable this option by default, because most servers
3285 will more efficiently close the connection themselves after the last packet,
3286 and release its buffers slightly earlier. Also, the added packet on the
3287 network could slightly reduce the overall peak performance. However it is
3288 worth noting that when this option is enabled, haproxy will have slightly
3289 less work to do. So if haproxy is the bottleneck on the whole architecture,
3290 enabling this option might save a few CPU cycles.
3291
3292 This option may be set both in a frontend and in a backend. It is enabled if
3293 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau22a95342010-09-29 14:31:41 +02003294 This option may be compbined with "option httpclose", which will cause
3295 keepalive to be announced to the server and close to be announced to the
3296 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003297
3298 If this option has been enabled in a "defaults" section, it can be disabled
3299 in a specific instance by prepending the "no" keyword before it.
3300
3301 See also : "option forceclose" and "option http-server-close"
3302
Willy Tarreauc27debf2008-01-06 08:57:02 +01003303
Willy Tarreaub608feb2010-01-02 22:47:18 +01003304option http-server-close
3305no option http-server-close
3306 Enable or disable HTTP connection closing on the server side
3307 May be used in sections : defaults | frontend | listen | backend
3308 yes | yes | yes | yes
3309 Arguments : none
3310
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003311 By default, when a client communicates with a server, HAProxy will only
3312 analyze, log, and process the first request of each connection. Setting
3313 "option http-server-close" enables HTTP connection-close mode on the server
3314 side while keeping the ability to support HTTP keep-alive and pipelining on
3315 the client side. This provides the lowest latency on the client side (slow
3316 network) and the fastest session reuse on the server side to save server
3317 resources, similarly to "option forceclose". It also permits non-keepalive
3318 capable servers to be served in keep-alive mode to the clients if they
3319 conform to the requirements of RFC2616. Please note that some servers do not
3320 always conform to those requirements when they see "Connection: close" in the
3321 request. The effect will be that keep-alive will never be used. A workaround
3322 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003323
3324 At the moment, logs will not indicate whether requests came from the same
3325 session or not. The accept date reported in the logs corresponds to the end
3326 of the previous request, and the request time corresponds to the time spent
3327 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01003328 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
3329 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01003330
3331 This option may be set both in a frontend and in a backend. It is enabled if
3332 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003333 It is worth noting that "option forceclose" has precedence over "option
3334 http-server-close" and that combining "http-server-close" with "httpclose"
3335 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003336
3337 If this option has been enabled in a "defaults" section, it can be disabled
3338 in a specific instance by prepending the "no" keyword before it.
3339
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003340 See also : "option forceclose", "option http-pretend-keepalive",
3341 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003342
3343
Willy Tarreau88d349d2010-01-25 12:15:43 +01003344option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01003345no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01003346 Make use of non-standard Proxy-Connection header instead of Connection
3347 May be used in sections : defaults | frontend | listen | backend
3348 yes | yes | yes | no
3349 Arguments : none
3350
3351 While RFC2616 explicitly states that HTTP/1.1 agents must use the
3352 Connection header to indicate their wish of persistent or non-persistent
3353 connections, both browsers and proxies ignore this header for proxied
3354 connections and make use of the undocumented, non-standard Proxy-Connection
3355 header instead. The issue begins when trying to put a load balancer between
3356 browsers and such proxies, because there will be a difference between what
3357 haproxy understands and what the client and the proxy agree on.
3358
3359 By setting this option in a frontend, haproxy can automatically switch to use
3360 that non-standard header if it sees proxied requests. A proxied request is
3361 defined here as one where the URI begins with neither a '/' nor a '*'. The
3362 choice of header only affects requests passing through proxies making use of
3363 one of the "httpclose", "forceclose" and "http-server-close" options. Note
3364 that this option can only be specified in a frontend and will affect the
3365 request along its whole life.
3366
Willy Tarreau844a7e72010-01-31 21:46:18 +01003367 Also, when this option is set, a request which requires authentication will
3368 automatically switch to use proxy authentication headers if it is itself a
3369 proxied request. That makes it possible to check or enforce authentication in
3370 front of an existing proxy.
3371
Willy Tarreau88d349d2010-01-25 12:15:43 +01003372 This option should normally never be used, except in front of a proxy.
3373
3374 See also : "option httpclose", "option forceclose" and "option
3375 http-server-close".
3376
3377
Willy Tarreaud63335a2010-02-26 12:56:52 +01003378option httpchk
3379option httpchk <uri>
3380option httpchk <method> <uri>
3381option httpchk <method> <uri> <version>
3382 Enable HTTP protocol to check on the servers health
3383 May be used in sections : defaults | frontend | listen | backend
3384 yes | no | yes | yes
3385 Arguments :
3386 <method> is the optional HTTP method used with the requests. When not set,
3387 the "OPTIONS" method is used, as it generally requires low server
3388 processing and is easy to filter out from the logs. Any method
3389 may be used, though it is not recommended to invent non-standard
3390 ones.
3391
3392 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
3393 which is accessible by default on almost any server, but may be
3394 changed to any other URI. Query strings are permitted.
3395
3396 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
3397 but some servers might behave incorrectly in HTTP 1.0, so turning
3398 it to HTTP/1.1 may sometimes help. Note that the Host field is
3399 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
3400 after "\r\n" following the version string.
3401
3402 By default, server health checks only consist in trying to establish a TCP
3403 connection. When "option httpchk" is specified, a complete HTTP request is
3404 sent once the TCP connection is established, and responses 2xx and 3xx are
3405 considered valid, while all other ones indicate a server failure, including
3406 the lack of any response.
3407
3408 The port and interval are specified in the server configuration.
3409
3410 This option does not necessarily require an HTTP backend, it also works with
3411 plain TCP backends. This is particularly useful to check simple scripts bound
3412 to some dedicated ports using the inetd daemon.
3413
3414 Examples :
3415 # Relay HTTPS traffic to Apache instance and check service availability
3416 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
3417 backend https_relay
3418 mode tcp
3419 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
3420 server apache1 192.168.1.1:443 check port 80
3421
3422 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003423 "option pgsql-check", "http-check" and the "check", "port" and
3424 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01003425
3426
Willy Tarreauc27debf2008-01-06 08:57:02 +01003427option httpclose
3428no option httpclose
3429 Enable or disable passive HTTP connection closing
3430 May be used in sections : defaults | frontend | listen | backend
3431 yes | yes | yes | yes
3432 Arguments : none
3433
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003434 By default, when a client communicates with a server, HAProxy will only
3435 analyze, log, and process the first request of each connection. If "option
3436 httpclose" is set, it will check if a "Connection: close" header is already
3437 set in each direction, and will add one if missing. Each end should react to
3438 this by actively closing the TCP connection after each transfer, thus
3439 resulting in a switch to the HTTP close mode. Any "Connection" header
3440 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003441
3442 It seldom happens that some servers incorrectly ignore this header and do not
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003443 close the connection eventhough they reply "Connection: close". For this
3444 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
3445 it is possible to use the "option forceclose" which actively closes the
3446 request connection once the server responds. Option "forceclose" also
3447 releases the server connection earlier because it does not have to wait for
3448 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003449
3450 This option may be set both in a frontend and in a backend. It is enabled if
3451 at least one of the frontend or backend holding a connection has it enabled.
3452 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003453 If "option http-server-close" is enabled at the same time as "httpclose", it
3454 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003455
3456 If this option has been enabled in a "defaults" section, it can be disabled
3457 in a specific instance by prepending the "no" keyword before it.
3458
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003459 See also : "option forceclose", "option http-server-close" and
3460 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003461
3462
Emeric Brun3a058f32009-06-30 18:26:00 +02003463option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003464 Enable logging of HTTP request, session state and timers
3465 May be used in sections : defaults | frontend | listen | backend
3466 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003467 Arguments :
3468 clf if the "clf" argument is added, then the output format will be
3469 the CLF format instead of HAProxy's default HTTP format. You can
3470 use this when you need to feed HAProxy's logs through a specific
3471 log analyser which only support the CLF format and which is not
3472 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003473
3474 By default, the log output format is very poor, as it only contains the
3475 source and destination addresses, and the instance name. By specifying
3476 "option httplog", each log line turns into a much richer format including,
3477 but not limited to, the HTTP request, the connection timers, the session
3478 status, the connections numbers, the captured headers and cookies, the
3479 frontend, backend and server name, and of course the source address and
3480 ports.
3481
3482 This option may be set either in the frontend or the backend.
3483
Emeric Brun3a058f32009-06-30 18:26:00 +02003484 If this option has been enabled in a "defaults" section, it can be disabled
3485 in a specific instance by prepending the "no" keyword before it. Specifying
3486 only "option httplog" will automatically clear the 'clf' mode if it was set
3487 by default.
3488
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003489 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003490
Willy Tarreau55165fe2009-05-10 12:02:55 +02003491
3492option http_proxy
3493no option http_proxy
3494 Enable or disable plain HTTP proxy mode
3495 May be used in sections : defaults | frontend | listen | backend
3496 yes | yes | yes | yes
3497 Arguments : none
3498
3499 It sometimes happens that people need a pure HTTP proxy which understands
3500 basic proxy requests without caching nor any fancy feature. In this case,
3501 it may be worth setting up an HAProxy instance with the "option http_proxy"
3502 set. In this mode, no server is declared, and the connection is forwarded to
3503 the IP address and port found in the URL after the "http://" scheme.
3504
3505 No host address resolution is performed, so this only works when pure IP
3506 addresses are passed. Since this option's usage perimeter is rather limited,
3507 it will probably be used only by experts who know they need exactly it. Last,
3508 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01003509 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02003510 be analyzed.
3511
3512 If this option has been enabled in a "defaults" section, it can be disabled
3513 in a specific instance by prepending the "no" keyword before it.
3514
3515 Example :
3516 # this backend understands HTTP proxy requests and forwards them directly.
3517 backend direct_forward
3518 option httpclose
3519 option http_proxy
3520
3521 See also : "option httpclose"
3522
Willy Tarreau211ad242009-10-03 21:45:07 +02003523
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003524option independant-streams
3525no option independant-streams
3526 Enable or disable independant timeout processing for both directions
3527 May be used in sections : defaults | frontend | listen | backend
3528 yes | yes | yes | yes
3529 Arguments : none
3530
3531 By default, when data is sent over a socket, both the write timeout and the
3532 read timeout for that socket are refreshed, because we consider that there is
3533 activity on that socket, and we have no other means of guessing if we should
3534 receive data or not.
3535
3536 While this default behaviour is desirable for almost all applications, there
3537 exists a situation where it is desirable to disable it, and only refresh the
3538 read timeout if there are incoming data. This happens on sessions with large
3539 timeouts and low amounts of exchanged data such as telnet session. If the
3540 server suddenly disappears, the output data accumulates in the system's
3541 socket buffers, both timeouts are correctly refreshed, and there is no way
3542 to know the server does not receive them, so we don't timeout. However, when
3543 the underlying protocol always echoes sent data, it would be enough by itself
3544 to detect the issue using the read timeout. Note that this problem does not
3545 happen with more verbose protocols because data won't accumulate long in the
3546 socket buffers.
3547
3548 When this option is set on the frontend, it will disable read timeout updates
3549 on data sent to the client. There probably is little use of this case. When
3550 the option is set on the backend, it will disable read timeout updates on
3551 data sent to the server. Doing so will typically break large HTTP posts from
3552 slow lines, so use it with caution.
3553
3554 See also : "timeout client" and "timeout server"
3555
3556
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02003557option ldap-check
3558 Use LDAPv3 health checks for server testing
3559 May be used in sections : defaults | frontend | listen | backend
3560 yes | no | yes | yes
3561 Arguments : none
3562
3563 It is possible to test that the server correctly talks LDAPv3 instead of just
3564 testing that it accepts the TCP connection. When this option is set, an
3565 LDAPv3 anonymous simple bind message is sent to the server, and the response
3566 is analyzed to find an LDAPv3 bind response message.
3567
3568 The server is considered valid only when the LDAP response contains success
3569 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
3570
3571 Logging of bind requests is server dependent see your documentation how to
3572 configure it.
3573
3574 Example :
3575 option ldap-check
3576
3577 See also : "option httpchk"
3578
3579
Willy Tarreau211ad242009-10-03 21:45:07 +02003580option log-health-checks
3581no option log-health-checks
3582 Enable or disable logging of health checks
3583 May be used in sections : defaults | frontend | listen | backend
3584 yes | no | yes | yes
3585 Arguments : none
3586
3587 Enable health checks logging so it possible to check for example what
3588 was happening before a server crash. Failed health check are logged if
3589 server is UP and succeeded health checks if server is DOWN, so the amount
3590 of additional information is limited.
3591
3592 If health check logging is enabled no health check status is printed
3593 when servers is set up UP/DOWN/ENABLED/DISABLED.
3594
3595 See also: "log" and section 8 about logging.
3596
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003597
3598option log-separate-errors
3599no option log-separate-errors
3600 Change log level for non-completely successful connections
3601 May be used in sections : defaults | frontend | listen | backend
3602 yes | yes | yes | no
3603 Arguments : none
3604
3605 Sometimes looking for errors in logs is not easy. This option makes haproxy
3606 raise the level of logs containing potentially interesting information such
3607 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3608 level changes from "info" to "err". This makes it possible to log them
3609 separately to a different file with most syslog daemons. Be careful not to
3610 remove them from the original file, otherwise you would lose ordering which
3611 provides very important information.
3612
3613 Using this option, large sites dealing with several thousand connections per
3614 second may log normal traffic to a rotating buffer and only archive smaller
3615 error logs.
3616
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003617 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003618 logging.
3619
Willy Tarreauc27debf2008-01-06 08:57:02 +01003620
3621option logasap
3622no option logasap
3623 Enable or disable early logging of HTTP requests
3624 May be used in sections : defaults | frontend | listen | backend
3625 yes | yes | yes | no
3626 Arguments : none
3627
3628 By default, HTTP requests are logged upon termination so that the total
3629 transfer time and the number of bytes appear in the logs. When large objects
3630 are being transferred, it may take a while before the request appears in the
3631 logs. Using "option logasap", the request gets logged as soon as the server
3632 sends the complete headers. The only missing information in the logs will be
3633 the total number of bytes which will indicate everything except the amount
3634 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003635 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003636 "Content-Length" response header so that the logs at least indicate how many
3637 bytes are expected to be transferred.
3638
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003639 Examples :
3640 listen http_proxy 0.0.0.0:80
3641 mode http
3642 option httplog
3643 option logasap
3644 log 192.168.2.200 local3
3645
3646 >>> Feb 6 12:14:14 localhost \
3647 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3648 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3649 "GET /image.iso HTTP/1.0"
3650
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003651 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003652 logging.
3653
3654
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003655option mysql-check [ user <username> ]
3656 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003657 May be used in sections : defaults | frontend | listen | backend
3658 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003659 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003660 <username> This is the username which will be used when connecting to MySQL
3661 server.
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003662
3663 If you specify a username, the check consists of sending two MySQL packet,
3664 one Client Authentication packet, and one QUIT packet, to correctly close
3665 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
3666 Error packet. It is a basic but useful test which does not produce error nor
3667 aborted connect on the server. However, it requires adding an authorization
3668 in the MySQL table, like this :
3669
3670 USE mysql;
3671 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
3672 FLUSH PRIVILEGES;
3673
3674 If you don't specify a username (it is deprecated and not recommended), the
3675 check only consists in parsing the Mysql Handshake Initialisation packet or
3676 Error packet, we don't send anything in this mode. It was reported that it
3677 can generate lockout if check is too frequent and/or if there is not enough
3678 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
3679 value as if a connection is established successfully within fewer than MySQL
3680 "max_connect_errors" attempts after a previous connection was interrupted,
3681 the error count for the host is cleared to zero. If HAProxy's server get
3682 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
3683
3684 Remember that this does not check database presence nor database consistency.
3685 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003686
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02003687 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003688
3689 Most often, an incoming MySQL server needs to see the client's IP address for
3690 various purposes, including IP privilege matching and connection logging.
3691 When possible, it is often wise to masquerade the client's IP address when
3692 connecting to the server using the "usesrc" argument of the "source" keyword,
3693 which requires the cttproxy feature to be compiled in, and the MySQL server
3694 to route the client via the machine hosting haproxy.
3695
3696 See also: "option httpchk"
3697
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003698option pgsql-check [ user <username> ]
3699 Use PostgreSQL health checks for server testing
3700 May be used in sections : defaults | frontend | listen | backend
3701 yes | no | yes | yes
3702 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003703 <username> This is the username which will be used when connecting to
3704 PostgreSQL server.
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003705
3706 The check sends a PostgreSQL StartupMessage and waits for either
3707 Authentication request or ErrorResponse message. It is a basic but useful
3708 test which does not produce error nor aborted connect on the server.
3709 This check is identical with the "mysql-check".
3710
3711 See also: "option httpchk"
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003712
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003713option nolinger
3714no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003715 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003716 May be used in sections: defaults | frontend | listen | backend
3717 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003718 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003719
3720 When clients or servers abort connections in a dirty way (eg: they are
3721 physically disconnected), the session timeouts triggers and the session is
3722 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3723 using some resources and possibly limiting the ability to establish newer
3724 connections.
3725
3726 When this happens, it is possible to activate "option nolinger" which forces
3727 the system to immediately remove any socket's pending data on close. Thus,
3728 the session is instantly purged from the system's tables. This usually has
3729 side effects such as increased number of TCP resets due to old retransmits
3730 getting immediately rejected. Some firewalls may sometimes complain about
3731 this too.
3732
3733 For this reason, it is not recommended to use this option when not absolutely
3734 needed. You know that you need it when you have thousands of FIN_WAIT1
3735 sessions on your system (TIME_WAIT ones do not count).
3736
3737 This option may be used both on frontends and backends, depending on the side
3738 where it is required. Use it on the frontend for clients, and on the backend
3739 for servers.
3740
3741 If this option has been enabled in a "defaults" section, it can be disabled
3742 in a specific instance by prepending the "no" keyword before it.
3743
3744
Willy Tarreau55165fe2009-05-10 12:02:55 +02003745option originalto [ except <network> ] [ header <name> ]
3746 Enable insertion of the X-Original-To header to requests sent to servers
3747 May be used in sections : defaults | frontend | listen | backend
3748 yes | yes | yes | yes
3749 Arguments :
3750 <network> is an optional argument used to disable this option for sources
3751 matching <network>
3752 <name> an optional argument to specify a different "X-Original-To"
3753 header name.
3754
3755 Since HAProxy can work in transparent mode, every request from a client can
3756 be redirected to the proxy and HAProxy itself can proxy every request to a
3757 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3758 be lost. This is annoying when you want access rules based on destination ip
3759 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3760 added by HAProxy to all requests sent to the server. This header contains a
3761 value representing the original destination IP address. Since this must be
3762 configured to always use the last occurrence of this header only. Note that
3763 only the last occurrence of the header must be used, since it is really
3764 possible that the client has already brought one.
3765
3766 The keyword "header" may be used to supply a different header name to replace
3767 the default "X-Original-To". This can be useful where you might already
3768 have a "X-Original-To" header from a different application, and you need
3769 preserve it. Also if your backend server doesn't use the "X-Original-To"
3770 header and requires different one.
3771
3772 Sometimes, a same HAProxy instance may be shared between a direct client
3773 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3774 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3775 header for a known source address or network by adding the "except" keyword
3776 followed by the network address. In this case, any source IP matching the
3777 network will not cause an addition of this header. Most common uses are with
3778 private networks or 127.0.0.1.
3779
3780 This option may be specified either in the frontend or in the backend. If at
3781 least one of them uses it, the header will be added. Note that the backend's
3782 setting of the header subargument takes precedence over the frontend's if
3783 both are defined.
3784
Willy Tarreau87cf5142011-08-19 22:57:24 +02003785 It is important to note that by default, HAProxy works in tunnel mode and
3786 only inspects the first request of a connection, meaning that only the first
3787 request will have the header appended, which is certainly not what you want.
3788 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3789 "http-server-close" options is set when using this option.
Willy Tarreau55165fe2009-05-10 12:02:55 +02003790
3791 Examples :
3792 # Original Destination address
3793 frontend www
3794 mode http
3795 option originalto except 127.0.0.1
3796
3797 # Those servers want the IP Address in X-Client-Dst
3798 backend www
3799 mode http
3800 option originalto header X-Client-Dst
3801
Willy Tarreau87cf5142011-08-19 22:57:24 +02003802 See also : "option httpclose", "option http-server-close",
3803 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02003804
3805
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003806option persist
3807no option persist
3808 Enable or disable forced persistence on down servers
3809 May be used in sections: defaults | frontend | listen | backend
3810 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003811 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003812
3813 When an HTTP request reaches a backend with a cookie which references a dead
3814 server, by default it is redispatched to another server. It is possible to
3815 force the request to be sent to the dead server first using "option persist"
3816 if absolutely needed. A common use case is when servers are under extreme
3817 load and spend their time flapping. In this case, the users would still be
3818 directed to the server they opened the session on, in the hope they would be
3819 correctly served. It is recommended to use "option redispatch" in conjunction
3820 with this option so that in the event it would not be possible to connect to
3821 the server at all (server definitely dead), the client would finally be
3822 redirected to another valid server.
3823
3824 If this option has been enabled in a "defaults" section, it can be disabled
3825 in a specific instance by prepending the "no" keyword before it.
3826
Willy Tarreau4de91492010-01-22 19:10:05 +01003827 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003828
3829
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003830option redispatch
3831no option redispatch
3832 Enable or disable session redistribution in case of connection failure
3833 May be used in sections: defaults | frontend | listen | backend
3834 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003835 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003836
3837 In HTTP mode, if a server designated by a cookie is down, clients may
3838 definitely stick to it because they cannot flush the cookie, so they will not
3839 be able to access the service anymore.
3840
3841 Specifying "option redispatch" will allow the proxy to break their
3842 persistence and redistribute them to a working server.
3843
3844 It also allows to retry last connection to another server in case of multiple
3845 connection failures. Of course, it requires having "retries" set to a nonzero
3846 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003847
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003848 This form is the preferred form, which replaces both the "redispatch" and
3849 "redisp" keywords.
3850
3851 If this option has been enabled in a "defaults" section, it can be disabled
3852 in a specific instance by prepending the "no" keyword before it.
3853
Willy Tarreau4de91492010-01-22 19:10:05 +01003854 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003855
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003856
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02003857option redis-check
3858 Use redis health checks for server testing
3859 May be used in sections : defaults | frontend | listen | backend
3860 yes | no | yes | yes
3861 Arguments : none
3862
3863 It is possible to test that the server correctly talks REDIS protocol instead
3864 of just testing that it accepts the TCP connection. When this option is set,
3865 a PING redis command is sent to the server, and the response is analyzed to
3866 find the "+PONG" response message.
3867
3868 Example :
3869 option redis-check
3870
3871 See also : "option httpchk"
3872
3873
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003874option smtpchk
3875option smtpchk <hello> <domain>
3876 Use SMTP health checks for server testing
3877 May be used in sections : defaults | frontend | listen | backend
3878 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003879 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003880 <hello> is an optional argument. It is the "hello" command to use. It can
3881 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3882 values will be turned into the default command ("HELO").
3883
3884 <domain> is the domain name to present to the server. It may only be
3885 specified (and is mandatory) if the hello command has been
3886 specified. By default, "localhost" is used.
3887
3888 When "option smtpchk" is set, the health checks will consist in TCP
3889 connections followed by an SMTP command. By default, this command is
3890 "HELO localhost". The server's return code is analyzed and only return codes
3891 starting with a "2" will be considered as valid. All other responses,
3892 including a lack of response will constitute an error and will indicate a
3893 dead server.
3894
3895 This test is meant to be used with SMTP servers or relays. Depending on the
3896 request, it is possible that some servers do not log each connection attempt,
3897 so you may want to experiment to improve the behaviour. Using telnet on port
3898 25 is often easier than adjusting the configuration.
3899
3900 Most often, an incoming SMTP server needs to see the client's IP address for
3901 various purposes, including spam filtering, anti-spoofing and logging. When
3902 possible, it is often wise to masquerade the client's IP address when
3903 connecting to the server using the "usesrc" argument of the "source" keyword,
3904 which requires the cttproxy feature to be compiled in.
3905
3906 Example :
3907 option smtpchk HELO mydomain.org
3908
3909 See also : "option httpchk", "source"
3910
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003911
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003912option socket-stats
3913no option socket-stats
3914
3915 Enable or disable collecting & providing separate statistics for each socket.
3916 May be used in sections : defaults | frontend | listen | backend
3917 yes | yes | yes | no
3918
3919 Arguments : none
3920
3921
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003922option splice-auto
3923no option splice-auto
3924 Enable or disable automatic kernel acceleration on sockets in both directions
3925 May be used in sections : defaults | frontend | listen | backend
3926 yes | yes | yes | yes
3927 Arguments : none
3928
3929 When this option is enabled either on a frontend or on a backend, haproxy
3930 will automatically evaluate the opportunity to use kernel tcp splicing to
3931 forward data between the client and the server, in either direction. Haproxy
3932 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003933 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003934 are not much aggressive in order to limit excessive use of splicing. This
3935 option requires splicing to be enabled at compile time, and may be globally
3936 disabled with the global option "nosplice". Since splice uses pipes, using it
3937 requires that there are enough spare pipes.
3938
3939 Important note: kernel-based TCP splicing is a Linux-specific feature which
3940 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3941 transfer data between sockets without copying these data to user-space, thus
3942 providing noticeable performance gains and CPU cycles savings. Since many
3943 early implementations are buggy, corrupt data and/or are inefficient, this
3944 feature is not enabled by default, and it should be used with extreme care.
3945 While it is not possible to detect the correctness of an implementation,
3946 2.6.29 is the first version offering a properly working implementation. In
3947 case of doubt, splicing may be globally disabled using the global "nosplice"
3948 keyword.
3949
3950 Example :
3951 option splice-auto
3952
3953 If this option has been enabled in a "defaults" section, it can be disabled
3954 in a specific instance by prepending the "no" keyword before it.
3955
3956 See also : "option splice-request", "option splice-response", and global
3957 options "nosplice" and "maxpipes"
3958
3959
3960option splice-request
3961no option splice-request
3962 Enable or disable automatic kernel acceleration on sockets for requests
3963 May be used in sections : defaults | frontend | listen | backend
3964 yes | yes | yes | yes
3965 Arguments : none
3966
3967 When this option is enabled either on a frontend or on a backend, haproxy
3968 will user kernel tcp splicing whenever possible to forward data going from
3969 the client to the server. It might still use the recv/send scheme if there
3970 are no spare pipes left. This option requires splicing to be enabled at
3971 compile time, and may be globally disabled with the global option "nosplice".
3972 Since splice uses pipes, using it requires that there are enough spare pipes.
3973
3974 Important note: see "option splice-auto" for usage limitations.
3975
3976 Example :
3977 option splice-request
3978
3979 If this option has been enabled in a "defaults" section, it can be disabled
3980 in a specific instance by prepending the "no" keyword before it.
3981
3982 See also : "option splice-auto", "option splice-response", and global options
3983 "nosplice" and "maxpipes"
3984
3985
3986option splice-response
3987no option splice-response
3988 Enable or disable automatic kernel acceleration on sockets for responses
3989 May be used in sections : defaults | frontend | listen | backend
3990 yes | yes | yes | yes
3991 Arguments : none
3992
3993 When this option is enabled either on a frontend or on a backend, haproxy
3994 will user kernel tcp splicing whenever possible to forward data going from
3995 the server to the client. It might still use the recv/send scheme if there
3996 are no spare pipes left. This option requires splicing to be enabled at
3997 compile time, and may be globally disabled with the global option "nosplice".
3998 Since splice uses pipes, using it requires that there are enough spare pipes.
3999
4000 Important note: see "option splice-auto" for usage limitations.
4001
4002 Example :
4003 option splice-response
4004
4005 If this option has been enabled in a "defaults" section, it can be disabled
4006 in a specific instance by prepending the "no" keyword before it.
4007
4008 See also : "option splice-auto", "option splice-request", and global options
4009 "nosplice" and "maxpipes"
4010
4011
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004012option srvtcpka
4013no option srvtcpka
4014 Enable or disable the sending of TCP keepalive packets on the server side
4015 May be used in sections : defaults | frontend | listen | backend
4016 yes | no | yes | yes
4017 Arguments : none
4018
4019 When there is a firewall or any session-aware component between a client and
4020 a server, and when the protocol involves very long sessions with long idle
4021 periods (eg: remote desktops), there is a risk that one of the intermediate
4022 components decides to expire a session which has remained idle for too long.
4023
4024 Enabling socket-level TCP keep-alives makes the system regularly send packets
4025 to the other end of the connection, leaving it active. The delay between
4026 keep-alive probes is controlled by the system only and depends both on the
4027 operating system and its tuning parameters.
4028
4029 It is important to understand that keep-alive packets are neither emitted nor
4030 received at the application level. It is only the network stacks which sees
4031 them. For this reason, even if one side of the proxy already uses keep-alives
4032 to maintain its connection alive, those keep-alive packets will not be
4033 forwarded to the other side of the proxy.
4034
4035 Please note that this has nothing to do with HTTP keep-alive.
4036
4037 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
4038 server side of a connection, which should help when session expirations are
4039 noticed between HAProxy and a server.
4040
4041 If this option has been enabled in a "defaults" section, it can be disabled
4042 in a specific instance by prepending the "no" keyword before it.
4043
4044 See also : "option clitcpka", "option tcpka"
4045
4046
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004047option ssl-hello-chk
4048 Use SSLv3 client hello health checks for server testing
4049 May be used in sections : defaults | frontend | listen | backend
4050 yes | no | yes | yes
4051 Arguments : none
4052
4053 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
4054 possible to test that the server correctly talks SSL instead of just testing
4055 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
4056 SSLv3 client hello messages are sent once the connection is established to
4057 the server, and the response is analyzed to find an SSL server hello message.
4058 The server is considered valid only when the response contains this server
4059 hello message.
4060
4061 All servers tested till there correctly reply to SSLv3 client hello messages,
4062 and most servers tested do not even log the requests containing only hello
4063 messages, which is appreciable.
4064
4065 See also: "option httpchk"
4066
4067
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004068option tcp-smart-accept
4069no option tcp-smart-accept
4070 Enable or disable the saving of one ACK packet during the accept sequence
4071 May be used in sections : defaults | frontend | listen | backend
4072 yes | yes | yes | no
4073 Arguments : none
4074
4075 When an HTTP connection request comes in, the system acknowledges it on
4076 behalf of HAProxy, then the client immediately sends its request, and the
4077 system acknowledges it too while it is notifying HAProxy about the new
4078 connection. HAProxy then reads the request and responds. This means that we
4079 have one TCP ACK sent by the system for nothing, because the request could
4080 very well be acknowledged by HAProxy when it sends its response.
4081
4082 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
4083 sending this useless ACK on platforms which support it (currently at least
4084 Linux). It must not cause any problem, because the system will send it anyway
4085 after 40 ms if the response takes more time than expected to come.
4086
4087 During complex network debugging sessions, it may be desirable to disable
4088 this optimization because delayed ACKs can make troubleshooting more complex
4089 when trying to identify where packets are delayed. It is then possible to
4090 fall back to normal behaviour by specifying "no option tcp-smart-accept".
4091
4092 It is also possible to force it for non-HTTP proxies by simply specifying
4093 "option tcp-smart-accept". For instance, it can make sense with some services
4094 such as SMTP where the server speaks first.
4095
4096 It is recommended to avoid forcing this option in a defaults section. In case
4097 of doubt, consider setting it back to automatic values by prepending the
4098 "default" keyword before it, or disabling it using the "no" keyword.
4099
Willy Tarreaud88edf22009-06-14 15:48:17 +02004100 See also : "option tcp-smart-connect"
4101
4102
4103option tcp-smart-connect
4104no option tcp-smart-connect
4105 Enable or disable the saving of one ACK packet during the connect sequence
4106 May be used in sections : defaults | frontend | listen | backend
4107 yes | no | yes | yes
4108 Arguments : none
4109
4110 On certain systems (at least Linux), HAProxy can ask the kernel not to
4111 immediately send an empty ACK upon a connection request, but to directly
4112 send the buffer request instead. This saves one packet on the network and
4113 thus boosts performance. It can also be useful for some servers, because they
4114 immediately get the request along with the incoming connection.
4115
4116 This feature is enabled when "option tcp-smart-connect" is set in a backend.
4117 It is not enabled by default because it makes network troubleshooting more
4118 complex.
4119
4120 It only makes sense to enable it with protocols where the client speaks first
4121 such as HTTP. In other situations, if there is no data to send in place of
4122 the ACK, a normal ACK is sent.
4123
4124 If this option has been enabled in a "defaults" section, it can be disabled
4125 in a specific instance by prepending the "no" keyword before it.
4126
4127 See also : "option tcp-smart-accept"
4128
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004129
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004130option tcpka
4131 Enable or disable the sending of TCP keepalive packets on both sides
4132 May be used in sections : defaults | frontend | listen | backend
4133 yes | yes | yes | yes
4134 Arguments : none
4135
4136 When there is a firewall or any session-aware component between a client and
4137 a server, and when the protocol involves very long sessions with long idle
4138 periods (eg: remote desktops), there is a risk that one of the intermediate
4139 components decides to expire a session which has remained idle for too long.
4140
4141 Enabling socket-level TCP keep-alives makes the system regularly send packets
4142 to the other end of the connection, leaving it active. The delay between
4143 keep-alive probes is controlled by the system only and depends both on the
4144 operating system and its tuning parameters.
4145
4146 It is important to understand that keep-alive packets are neither emitted nor
4147 received at the application level. It is only the network stacks which sees
4148 them. For this reason, even if one side of the proxy already uses keep-alives
4149 to maintain its connection alive, those keep-alive packets will not be
4150 forwarded to the other side of the proxy.
4151
4152 Please note that this has nothing to do with HTTP keep-alive.
4153
4154 Using option "tcpka" enables the emission of TCP keep-alive probes on both
4155 the client and server sides of a connection. Note that this is meaningful
4156 only in "defaults" or "listen" sections. If this option is used in a
4157 frontend, only the client side will get keep-alives, and if this option is
4158 used in a backend, only the server side will get keep-alives. For this
4159 reason, it is strongly recommended to explicitly use "option clitcpka" and
4160 "option srvtcpka" when the configuration is split between frontends and
4161 backends.
4162
4163 See also : "option clitcpka", "option srvtcpka"
4164
Willy Tarreau844e3c52008-01-11 16:28:18 +01004165
4166option tcplog
4167 Enable advanced logging of TCP connections with session state and timers
4168 May be used in sections : defaults | frontend | listen | backend
4169 yes | yes | yes | yes
4170 Arguments : none
4171
4172 By default, the log output format is very poor, as it only contains the
4173 source and destination addresses, and the instance name. By specifying
4174 "option tcplog", each log line turns into a much richer format including, but
4175 not limited to, the connection timers, the session status, the connections
4176 numbers, the frontend, backend and server name, and of course the source
4177 address and ports. This option is useful for pure TCP proxies in order to
4178 find which of the client or server disconnects or times out. For normal HTTP
4179 proxies, it's better to use "option httplog" which is even more complete.
4180
4181 This option may be set either in the frontend or the backend.
4182
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004183 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004184
4185
Willy Tarreau844e3c52008-01-11 16:28:18 +01004186option transparent
4187no option transparent
4188 Enable client-side transparent proxying
4189 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01004190 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01004191 Arguments : none
4192
4193 This option was introduced in order to provide layer 7 persistence to layer 3
4194 load balancers. The idea is to use the OS's ability to redirect an incoming
4195 connection for a remote address to a local process (here HAProxy), and let
4196 this process know what address was initially requested. When this option is
4197 used, sessions without cookies will be forwarded to the original destination
4198 IP address of the incoming request (which should match that of another
4199 equipment), while requests with cookies will still be forwarded to the
4200 appropriate server.
4201
4202 Note that contrary to a common belief, this option does NOT make HAProxy
4203 present the client's IP to the server when establishing the connection.
4204
Willy Tarreaua1146052011-03-01 09:51:54 +01004205 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004206 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004207
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004208
Emeric Brun647caf12009-06-30 17:57:00 +02004209persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02004210persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02004211 Enable RDP cookie-based persistence
4212 May be used in sections : defaults | frontend | listen | backend
4213 yes | no | yes | yes
4214 Arguments :
4215 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02004216 default cookie name "msts" will be used. There currently is no
4217 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02004218
4219 This statement enables persistence based on an RDP cookie. The RDP cookie
4220 contains all information required to find the server in the list of known
4221 servers. So when this option is set in the backend, the request is analysed
4222 and if an RDP cookie is found, it is decoded. If it matches a known server
4223 which is still UP (or if "option persist" is set), then the connection is
4224 forwarded to this server.
4225
4226 Note that this only makes sense in a TCP backend, but for this to work, the
4227 frontend must have waited long enough to ensure that an RDP cookie is present
4228 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004229 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02004230 a single "listen" section.
4231
Willy Tarreau61e28f22010-05-16 22:31:05 +02004232 Also, it is important to understand that the terminal server will emit this
4233 RDP cookie only if it is configured for "token redirection mode", which means
4234 that the "IP address redirection" option is disabled.
4235
Emeric Brun647caf12009-06-30 17:57:00 +02004236 Example :
4237 listen tse-farm
4238 bind :3389
4239 # wait up to 5s for an RDP cookie in the request
4240 tcp-request inspect-delay 5s
4241 tcp-request content accept if RDP_COOKIE
4242 # apply RDP cookie persistence
4243 persist rdp-cookie
4244 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02004245 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02004246 balance rdp-cookie
4247 server srv1 1.1.1.1:3389
4248 server srv2 1.1.1.2:3389
4249
Simon Hormanab814e02011-06-24 14:50:20 +09004250 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
4251 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02004252
4253
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004254rate-limit sessions <rate>
4255 Set a limit on the number of new sessions accepted per second on a frontend
4256 May be used in sections : defaults | frontend | listen | backend
4257 yes | yes | yes | no
4258 Arguments :
4259 <rate> The <rate> parameter is an integer designating the maximum number
4260 of new sessions per second to accept on the frontend.
4261
4262 When the frontend reaches the specified number of new sessions per second, it
4263 stops accepting new connections until the rate drops below the limit again.
4264 During this time, the pending sessions will be kept in the socket's backlog
4265 (in system buffers) and haproxy will not even be aware that sessions are
4266 pending. When applying very low limit on a highly loaded service, it may make
4267 sense to increase the socket's backlog using the "backlog" keyword.
4268
4269 This feature is particularly efficient at blocking connection-based attacks
4270 or service abuse on fragile servers. Since the session rate is measured every
4271 millisecond, it is extremely accurate. Also, the limit applies immediately,
4272 no delay is needed at all to detect the threshold.
4273
4274 Example : limit the connection rate on SMTP to 10 per second max
4275 listen smtp
4276 mode tcp
4277 bind :25
4278 rate-limit sessions 10
4279 server 127.0.0.1:1025
4280
Willy Tarreaua17c2d92011-07-25 08:16:20 +02004281 Note : when the maximum rate is reached, the frontend's status is not changed
4282 but its sockets appear as "WAITING" in the statistics if the
4283 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004284
4285 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
4286
4287
Willy Tarreauf285f542010-01-03 20:03:03 +01004288redirect location <to> [code <code>] <option> [{if | unless} <condition>]
4289redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004290 Return an HTTP redirection if/unless a condition is matched
4291 May be used in sections : defaults | frontend | listen | backend
4292 no | yes | yes | yes
4293
4294 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01004295 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004296
Willy Tarreau0140f252008-11-19 21:07:09 +01004297 Arguments :
4298 <to> With "redirect location", the exact value in <to> is placed into
4299 the HTTP "Location" header. In case of "redirect prefix", the
4300 "Location" header is built from the concatenation of <to> and the
4301 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01004302 option is specified (see below). As a special case, if <to>
4303 equals exactly "/" in prefix mode, then nothing is inserted
4304 before the original URI. It allows one to redirect to the same
4305 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01004306
4307 <code> The code is optional. It indicates which type of HTTP redirection
4308 is desired. Only codes 301, 302 and 303 are supported, and 302 is
4309 used if no code is specified. 301 means "Moved permanently", and
4310 a browser may cache the Location. 302 means "Moved permanently"
4311 and means that the browser should not cache the redirection. 303
4312 is equivalent to 302 except that the browser will fetch the
4313 location with a GET method.
4314
4315 <option> There are several options which can be specified to adjust the
4316 expected behaviour of a redirection :
4317
4318 - "drop-query"
4319 When this keyword is used in a prefix-based redirection, then the
4320 location will be set without any possible query-string, which is useful
4321 for directing users to a non-secure page for instance. It has no effect
4322 with a location-type redirect.
4323
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004324 - "append-slash"
4325 This keyword may be used in conjunction with "drop-query" to redirect
4326 users who use a URL not ending with a '/' to the same one with the '/'.
4327 It can be useful to ensure that search engines will only see one URL.
4328 For this, a return code 301 is preferred.
4329
Willy Tarreau0140f252008-11-19 21:07:09 +01004330 - "set-cookie NAME[=value]"
4331 A "Set-Cookie" header will be added with NAME (and optionally "=value")
4332 to the response. This is sometimes used to indicate that a user has
4333 been seen, for instance to protect against some types of DoS. No other
4334 cookie option is added, so the cookie will be a session cookie. Note
4335 that for a browser, a sole cookie name without an equal sign is
4336 different from a cookie with an equal sign.
4337
4338 - "clear-cookie NAME[=]"
4339 A "Set-Cookie" header will be added with NAME (and optionally "="), but
4340 with the "Max-Age" attribute set to zero. This will tell the browser to
4341 delete this cookie. It is useful for instance on logout pages. It is
4342 important to note that clearing the cookie "NAME" will not remove a
4343 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
4344 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004345
4346 Example: move the login URL only to HTTPS.
4347 acl clear dst_port 80
4348 acl secure dst_port 8080
4349 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01004350 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01004351 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01004352 acl cookie_set hdr_sub(cookie) SEEN=1
4353
4354 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01004355 redirect prefix https://mysite.com if login_page !secure
4356 redirect prefix http://mysite.com drop-query if login_page !uid_given
4357 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01004358 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004359
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004360 Example: send redirects for request for articles without a '/'.
4361 acl missing_slash path_reg ^/article/[^/]*$
4362 redirect code 301 prefix / drop-query append-slash if missing_slash
4363
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004364 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004365
4366
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004367redisp (deprecated)
4368redispatch (deprecated)
4369 Enable or disable session redistribution in case of connection failure
4370 May be used in sections: defaults | frontend | listen | backend
4371 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004372 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004373
4374 In HTTP mode, if a server designated by a cookie is down, clients may
4375 definitely stick to it because they cannot flush the cookie, so they will not
4376 be able to access the service anymore.
4377
4378 Specifying "redispatch" will allow the proxy to break their persistence and
4379 redistribute them to a working server.
4380
4381 It also allows to retry last connection to another server in case of multiple
4382 connection failures. Of course, it requires having "retries" set to a nonzero
4383 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01004384
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004385 This form is deprecated, do not use it in any new configuration, use the new
4386 "option redispatch" instead.
4387
4388 See also : "option redispatch"
4389
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004390
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004391reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004392 Add a header at the end of the HTTP request
4393 May be used in sections : defaults | frontend | listen | backend
4394 no | yes | yes | yes
4395 Arguments :
4396 <string> is the complete line to be added. Any space or known delimiter
4397 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004398 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004399
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004400 <cond> is an optional matching condition built from ACLs. It makes it
4401 possible to ignore this rule when other conditions are not met.
4402
Willy Tarreau303c0352008-01-17 19:01:39 +01004403 A new line consisting in <string> followed by a line feed will be added after
4404 the last header of an HTTP request.
4405
4406 Header transformations only apply to traffic which passes through HAProxy,
4407 and not to traffic generated by HAProxy, such as health-checks or error
4408 responses.
4409
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004410 Example : add "X-Proto: SSL" to requests coming via port 81
4411 acl is-ssl dst_port 81
4412 reqadd X-Proto:\ SSL if is-ssl
4413
4414 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
4415 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004416
4417
Willy Tarreau5321c422010-01-28 20:35:13 +01004418reqallow <search> [{if | unless} <cond>]
4419reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004420 Definitely allow an HTTP request if a line matches a regular expression
4421 May be used in sections : defaults | frontend | listen | backend
4422 no | yes | yes | yes
4423 Arguments :
4424 <search> is the regular expression applied to HTTP headers and to the
4425 request line. This is an extended regular expression. Parenthesis
4426 grouping is supported and no preliminary backslash is required.
4427 Any space or known delimiter must be escaped using a backslash
4428 ('\'). The pattern applies to a full line at a time. The
4429 "reqallow" keyword strictly matches case while "reqiallow"
4430 ignores case.
4431
Willy Tarreau5321c422010-01-28 20:35:13 +01004432 <cond> is an optional matching condition built from ACLs. It makes it
4433 possible to ignore this rule when other conditions are not met.
4434
Willy Tarreau303c0352008-01-17 19:01:39 +01004435 A request containing any line which matches extended regular expression
4436 <search> will mark the request as allowed, even if any later test would
4437 result in a deny. The test applies both to the request line and to request
4438 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004439 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004440
4441 It is easier, faster and more powerful to use ACLs to write access policies.
4442 Reqdeny, reqallow and reqpass should be avoided in new designs.
4443
4444 Example :
4445 # allow www.* but refuse *.local
4446 reqiallow ^Host:\ www\.
4447 reqideny ^Host:\ .*\.local
4448
Willy Tarreau5321c422010-01-28 20:35:13 +01004449 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
4450 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004451
4452
Willy Tarreau5321c422010-01-28 20:35:13 +01004453reqdel <search> [{if | unless} <cond>]
4454reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004455 Delete all headers matching a regular expression in an HTTP request
4456 May be used in sections : defaults | frontend | listen | backend
4457 no | yes | yes | yes
4458 Arguments :
4459 <search> is the regular expression applied to HTTP headers and to the
4460 request line. This is an extended regular expression. Parenthesis
4461 grouping is supported and no preliminary backslash is required.
4462 Any space or known delimiter must be escaped using a backslash
4463 ('\'). The pattern applies to a full line at a time. The "reqdel"
4464 keyword strictly matches case while "reqidel" ignores case.
4465
Willy Tarreau5321c422010-01-28 20:35:13 +01004466 <cond> is an optional matching condition built from ACLs. It makes it
4467 possible to ignore this rule when other conditions are not met.
4468
Willy Tarreau303c0352008-01-17 19:01:39 +01004469 Any header line matching extended regular expression <search> in the request
4470 will be completely deleted. Most common use of this is to remove unwanted
4471 and/or dangerous headers or cookies from a request before passing it to the
4472 next servers.
4473
4474 Header transformations only apply to traffic which passes through HAProxy,
4475 and not to traffic generated by HAProxy, such as health-checks or error
4476 responses. Keep in mind that header names are not case-sensitive.
4477
4478 Example :
4479 # remove X-Forwarded-For header and SERVER cookie
4480 reqidel ^X-Forwarded-For:.*
4481 reqidel ^Cookie:.*SERVER=
4482
Willy Tarreau5321c422010-01-28 20:35:13 +01004483 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
4484 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004485
4486
Willy Tarreau5321c422010-01-28 20:35:13 +01004487reqdeny <search> [{if | unless} <cond>]
4488reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004489 Deny an HTTP request if a line matches a regular expression
4490 May be used in sections : defaults | frontend | listen | backend
4491 no | yes | yes | yes
4492 Arguments :
4493 <search> is the regular expression applied to HTTP headers and to the
4494 request line. This is an extended regular expression. Parenthesis
4495 grouping is supported and no preliminary backslash is required.
4496 Any space or known delimiter must be escaped using a backslash
4497 ('\'). The pattern applies to a full line at a time. The
4498 "reqdeny" keyword strictly matches case while "reqideny" ignores
4499 case.
4500
Willy Tarreau5321c422010-01-28 20:35:13 +01004501 <cond> is an optional matching condition built from ACLs. It makes it
4502 possible to ignore this rule when other conditions are not met.
4503
Willy Tarreau303c0352008-01-17 19:01:39 +01004504 A request containing any line which matches extended regular expression
4505 <search> will mark the request as denied, even if any later test would
4506 result in an allow. The test applies both to the request line and to request
4507 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004508 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004509
Willy Tarreauced27012008-01-17 20:35:34 +01004510 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004511 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01004512 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01004513
Willy Tarreau303c0352008-01-17 19:01:39 +01004514 It is easier, faster and more powerful to use ACLs to write access policies.
4515 Reqdeny, reqallow and reqpass should be avoided in new designs.
4516
4517 Example :
4518 # refuse *.local, then allow www.*
4519 reqideny ^Host:\ .*\.local
4520 reqiallow ^Host:\ www\.
4521
Willy Tarreau5321c422010-01-28 20:35:13 +01004522 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4523 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004524
4525
Willy Tarreau5321c422010-01-28 20:35:13 +01004526reqpass <search> [{if | unless} <cond>]
4527reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004528 Ignore any HTTP request line matching a regular expression in next rules
4529 May be used in sections : defaults | frontend | listen | backend
4530 no | yes | yes | yes
4531 Arguments :
4532 <search> is the regular expression applied to HTTP headers and to the
4533 request line. This is an extended regular expression. Parenthesis
4534 grouping is supported and no preliminary backslash is required.
4535 Any space or known delimiter must be escaped using a backslash
4536 ('\'). The pattern applies to a full line at a time. The
4537 "reqpass" keyword strictly matches case while "reqipass" ignores
4538 case.
4539
Willy Tarreau5321c422010-01-28 20:35:13 +01004540 <cond> is an optional matching condition built from ACLs. It makes it
4541 possible to ignore this rule when other conditions are not met.
4542
Willy Tarreau303c0352008-01-17 19:01:39 +01004543 A request containing any line which matches extended regular expression
4544 <search> will skip next rules, without assigning any deny or allow verdict.
4545 The test applies both to the request line and to request headers. Keep in
4546 mind that URLs in request line are case-sensitive while header names are not.
4547
4548 It is easier, faster and more powerful to use ACLs to write access policies.
4549 Reqdeny, reqallow and reqpass should be avoided in new designs.
4550
4551 Example :
4552 # refuse *.local, then allow www.*, but ignore "www.private.local"
4553 reqipass ^Host:\ www.private\.local
4554 reqideny ^Host:\ .*\.local
4555 reqiallow ^Host:\ www\.
4556
Willy Tarreau5321c422010-01-28 20:35:13 +01004557 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4558 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004559
4560
Willy Tarreau5321c422010-01-28 20:35:13 +01004561reqrep <search> <string> [{if | unless} <cond>]
4562reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004563 Replace a regular expression with a string in an HTTP request line
4564 May be used in sections : defaults | frontend | listen | backend
4565 no | yes | yes | yes
4566 Arguments :
4567 <search> is the regular expression applied to HTTP headers and to the
4568 request line. This is an extended regular expression. Parenthesis
4569 grouping is supported and no preliminary backslash is required.
4570 Any space or known delimiter must be escaped using a backslash
4571 ('\'). The pattern applies to a full line at a time. The "reqrep"
4572 keyword strictly matches case while "reqirep" ignores case.
4573
4574 <string> is the complete line to be added. Any space or known delimiter
4575 must be escaped using a backslash ('\'). References to matched
4576 pattern groups are possible using the common \N form, with N
4577 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004578 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004579
Willy Tarreau5321c422010-01-28 20:35:13 +01004580 <cond> is an optional matching condition built from ACLs. It makes it
4581 possible to ignore this rule when other conditions are not met.
4582
Willy Tarreau303c0352008-01-17 19:01:39 +01004583 Any line matching extended regular expression <search> in the request (both
4584 the request line and header lines) will be completely replaced with <string>.
4585 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4586
4587 Header transformations only apply to traffic which passes through HAProxy,
4588 and not to traffic generated by HAProxy, such as health-checks or error
4589 responses. Note that for increased readability, it is suggested to add enough
4590 spaces between the request and the response. Keep in mind that URLs in
4591 request line are case-sensitive while header names are not.
4592
4593 Example :
4594 # replace "/static/" with "/" at the beginning of any request path.
4595 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
4596 # replace "www.mydomain.com" with "www" in the host name.
4597 reqirep ^Host:\ www.mydomain.com Host:\ www
4598
Willy Tarreau5321c422010-01-28 20:35:13 +01004599 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
4600 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004601
4602
Willy Tarreau5321c422010-01-28 20:35:13 +01004603reqtarpit <search> [{if | unless} <cond>]
4604reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004605 Tarpit an HTTP request containing a line matching a regular expression
4606 May be used in sections : defaults | frontend | listen | backend
4607 no | yes | yes | yes
4608 Arguments :
4609 <search> is the regular expression applied to HTTP headers and to the
4610 request line. This is an extended regular expression. Parenthesis
4611 grouping is supported and no preliminary backslash is required.
4612 Any space or known delimiter must be escaped using a backslash
4613 ('\'). The pattern applies to a full line at a time. The
4614 "reqtarpit" keyword strictly matches case while "reqitarpit"
4615 ignores case.
4616
Willy Tarreau5321c422010-01-28 20:35:13 +01004617 <cond> is an optional matching condition built from ACLs. It makes it
4618 possible to ignore this rule when other conditions are not met.
4619
Willy Tarreau303c0352008-01-17 19:01:39 +01004620 A request containing any line which matches extended regular expression
4621 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004622 be kept open for a pre-defined time, then will return an HTTP error 500 so
4623 that the attacker does not suspect it has been tarpitted. The status 500 will
4624 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004625 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4626 not set.
4627
4628 The goal of the tarpit is to slow down robots attacking servers with
4629 identifiable requests. Many robots limit their outgoing number of connections
4630 and stay connected waiting for a reply which can take several minutes to
4631 come. Depending on the environment and attack, it may be particularly
4632 efficient at reducing the load on the network and firewalls.
4633
Willy Tarreau5321c422010-01-28 20:35:13 +01004634 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004635 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4636 # block all others.
4637 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4638 reqitarpit ^User-Agent:
4639
Willy Tarreau5321c422010-01-28 20:35:13 +01004640 # block bad guys
4641 acl badguys src 10.1.0.3 172.16.13.20/28
4642 reqitarpit . if badguys
4643
4644 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4645 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004646
4647
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004648retries <value>
4649 Set the number of retries to perform on a server after a connection failure
4650 May be used in sections: defaults | frontend | listen | backend
4651 yes | no | yes | yes
4652 Arguments :
4653 <value> is the number of times a connection attempt should be retried on
4654 a server when a connection either is refused or times out. The
4655 default value is 3.
4656
4657 It is important to understand that this value applies to the number of
4658 connection attempts, not full requests. When a connection has effectively
4659 been established to a server, there will be no more retry.
4660
4661 In order to avoid immediate reconnections to a server which is restarting,
4662 a turn-around timer of 1 second is applied before a retry occurs.
4663
4664 When "option redispatch" is set, the last retry may be performed on another
4665 server even if a cookie references a different server.
4666
4667 See also : "option redispatch"
4668
4669
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004670rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004671 Add a header at the end of the HTTP response
4672 May be used in sections : defaults | frontend | listen | backend
4673 no | yes | yes | yes
4674 Arguments :
4675 <string> is the complete line to be added. Any space or known delimiter
4676 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004677 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004678
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004679 <cond> is an optional matching condition built from ACLs. It makes it
4680 possible to ignore this rule when other conditions are not met.
4681
Willy Tarreau303c0352008-01-17 19:01:39 +01004682 A new line consisting in <string> followed by a line feed will be added after
4683 the last header of an HTTP response.
4684
4685 Header transformations only apply to traffic which passes through HAProxy,
4686 and not to traffic generated by HAProxy, such as health-checks or error
4687 responses.
4688
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004689 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4690 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004691
4692
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004693rspdel <search> [{if | unless} <cond>]
4694rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004695 Delete all headers matching a regular expression in an HTTP response
4696 May be used in sections : defaults | frontend | listen | backend
4697 no | yes | yes | yes
4698 Arguments :
4699 <search> is the regular expression applied to HTTP headers and to the
4700 response line. This is an extended regular expression, so
4701 parenthesis grouping is supported and no preliminary backslash
4702 is required. Any space or known delimiter must be escaped using
4703 a backslash ('\'). The pattern applies to a full line at a time.
4704 The "rspdel" keyword strictly matches case while "rspidel"
4705 ignores case.
4706
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004707 <cond> is an optional matching condition built from ACLs. It makes it
4708 possible to ignore this rule when other conditions are not met.
4709
Willy Tarreau303c0352008-01-17 19:01:39 +01004710 Any header line matching extended regular expression <search> in the response
4711 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02004712 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01004713 client.
4714
4715 Header transformations only apply to traffic which passes through HAProxy,
4716 and not to traffic generated by HAProxy, such as health-checks or error
4717 responses. Keep in mind that header names are not case-sensitive.
4718
4719 Example :
4720 # remove the Server header from responses
4721 reqidel ^Server:.*
4722
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004723 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4724 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004725
4726
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004727rspdeny <search> [{if | unless} <cond>]
4728rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004729 Block an HTTP response if a line matches a regular expression
4730 May be used in sections : defaults | frontend | listen | backend
4731 no | yes | yes | yes
4732 Arguments :
4733 <search> is the regular expression applied to HTTP headers and to the
4734 response line. This is an extended regular expression, so
4735 parenthesis grouping is supported and no preliminary backslash
4736 is required. Any space or known delimiter must be escaped using
4737 a backslash ('\'). The pattern applies to a full line at a time.
4738 The "rspdeny" keyword strictly matches case while "rspideny"
4739 ignores case.
4740
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004741 <cond> is an optional matching condition built from ACLs. It makes it
4742 possible to ignore this rule when other conditions are not met.
4743
Willy Tarreau303c0352008-01-17 19:01:39 +01004744 A response containing any line which matches extended regular expression
4745 <search> will mark the request as denied. The test applies both to the
4746 response line and to response headers. Keep in mind that header names are not
4747 case-sensitive.
4748
4749 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004750 block the response before it reaches the client. If a response is denied, it
4751 will be replaced with an HTTP 502 error so that the client never retrieves
4752 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004753
4754 It is easier, faster and more powerful to use ACLs to write access policies.
4755 Rspdeny should be avoided in new designs.
4756
4757 Example :
4758 # Ensure that no content type matching ms-word will leak
4759 rspideny ^Content-type:\.*/ms-word
4760
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004761 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4762 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004763
4764
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004765rsprep <search> <string> [{if | unless} <cond>]
4766rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004767 Replace a regular expression with a string in an HTTP response line
4768 May be used in sections : defaults | frontend | listen | backend
4769 no | yes | yes | yes
4770 Arguments :
4771 <search> is the regular expression applied to HTTP headers and to the
4772 response line. This is an extended regular expression, so
4773 parenthesis grouping is supported and no preliminary backslash
4774 is required. Any space or known delimiter must be escaped using
4775 a backslash ('\'). The pattern applies to a full line at a time.
4776 The "rsprep" keyword strictly matches case while "rspirep"
4777 ignores case.
4778
4779 <string> is the complete line to be added. Any space or known delimiter
4780 must be escaped using a backslash ('\'). References to matched
4781 pattern groups are possible using the common \N form, with N
4782 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004783 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004784
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004785 <cond> is an optional matching condition built from ACLs. It makes it
4786 possible to ignore this rule when other conditions are not met.
4787
Willy Tarreau303c0352008-01-17 19:01:39 +01004788 Any line matching extended regular expression <search> in the response (both
4789 the response line and header lines) will be completely replaced with
4790 <string>. Most common use of this is to rewrite Location headers.
4791
4792 Header transformations only apply to traffic which passes through HAProxy,
4793 and not to traffic generated by HAProxy, such as health-checks or error
4794 responses. Note that for increased readability, it is suggested to add enough
4795 spaces between the request and the response. Keep in mind that header names
4796 are not case-sensitive.
4797
4798 Example :
4799 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4800 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4801
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004802 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4803 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004804
4805
David du Colombier486df472011-03-17 10:40:26 +01004806server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004807 Declare a server in a backend
4808 May be used in sections : defaults | frontend | listen | backend
4809 no | no | yes | yes
4810 Arguments :
4811 <name> is the internal name assigned to this server. This name will
Mark Lamourinec2247f02012-01-04 13:02:01 -05004812 appear in logs and alerts. If "http-send-server-name" is
4813 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004814
David du Colombier486df472011-03-17 10:40:26 +01004815 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
4816 resolvable hostname is supported, but this name will be resolved
4817 during start-up. Address "0.0.0.0" or "*" has a special meaning.
4818 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004819 address as the one from the client connection. This is useful in
4820 transparent proxy architectures where the client's connection is
4821 intercepted and haproxy must forward to the original destination
4822 address. This is more or less what the "transparent" keyword does
4823 except that with a server it's possible to limit concurrency and
4824 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004825
4826 <ports> is an optional port specification. If set, all connections will
4827 be sent to this port. If unset, the same port the client
4828 connected to will be used. The port may also be prefixed by a "+"
4829 or a "-". In this case, the server's port will be determined by
4830 adding this value to the client's port.
4831
4832 <param*> is a list of parameters for this server. The "server" keywords
4833 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004834 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004835
4836 Examples :
4837 server first 10.1.1.1:1080 cookie first check inter 1000
4838 server second 10.1.1.2:1080 cookie second check inter 1000
4839
Mark Lamourinec2247f02012-01-04 13:02:01 -05004840 See also: "default-server", "http-send-name-header" and section 5 about
4841 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004842
4843
4844source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004845source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004846source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004847 Set the source address for outgoing connections
4848 May be used in sections : defaults | frontend | listen | backend
4849 yes | no | yes | yes
4850 Arguments :
4851 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4852 server. This address is also used as a source for health checks.
4853 The default value of 0.0.0.0 means that the system will select
4854 the most appropriate address to reach its destination.
4855
4856 <port> is an optional port. It is normally not needed but may be useful
4857 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004858 the system will select a free port. Note that port ranges are not
4859 supported in the backend. If you want to force port ranges, you
4860 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004861
4862 <addr2> is the IP address to present to the server when connections are
4863 forwarded in full transparent proxy mode. This is currently only
4864 supported on some patched Linux kernels. When this address is
4865 specified, clients connecting to the server will be presented
4866 with this address, while health checks will still use the address
4867 <addr>.
4868
4869 <port2> is the optional port to present to the server when connections
4870 are forwarded in full transparent proxy mode (see <addr2> above).
4871 The default value of zero means the system will select a free
4872 port.
4873
Willy Tarreaubce70882009-09-07 11:51:47 +02004874 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4875 This is the name of a comma-separated header list which can
4876 contain multiple IP addresses. By default, the last occurrence is
4877 used. This is designed to work with the X-Forwarded-For header
4878 and to automatically bind to the the client's IP address as seen
4879 by previous proxy, typically Stunnel. In order to use another
4880 occurrence from the last one, please see the <occ> parameter
4881 below. When the header (or occurrence) is not found, no binding
4882 is performed so that the proxy's default IP address is used. Also
4883 keep in mind that the header name is case insensitive, as for any
4884 HTTP header.
4885
4886 <occ> is the occurrence number of a value to be used in a multi-value
4887 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
4888 in order to specificy which occurrence to use for the source IP
4889 address. Positive values indicate a position from the first
4890 occurrence, 1 being the first one. Negative values indicate
4891 positions relative to the last one, -1 being the last one. This
4892 is helpful for situations where an X-Forwarded-For header is set
4893 at the entry point of an infrastructure and must be used several
4894 proxy layers away. When this value is not specified, -1 is
4895 assumed. Passing a zero here disables the feature.
4896
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004897 <name> is an optional interface name to which to bind to for outgoing
4898 traffic. On systems supporting this features (currently, only
4899 Linux), this allows one to bind all traffic to the server to
4900 this interface even if it is not the one the system would select
4901 based on routing tables. This should be used with extreme care.
4902 Note that using this option requires root privileges.
4903
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004904 The "source" keyword is useful in complex environments where a specific
4905 address only is allowed to connect to the servers. It may be needed when a
4906 private address must be used through a public gateway for instance, and it is
4907 known that the system cannot determine the adequate source address by itself.
4908
4909 An extension which is available on certain patched Linux kernels may be used
4910 through the "usesrc" optional keyword. It makes it possible to connect to the
4911 servers with an IP address which does not belong to the system itself. This
4912 is called "full transparent proxy mode". For this to work, the destination
4913 servers have to route their traffic back to this address through the machine
4914 running HAProxy, and IP forwarding must generally be enabled on this machine.
4915
4916 In this "full transparent proxy" mode, it is possible to force a specific IP
4917 address to be presented to the servers. This is not much used in fact. A more
4918 common use is to tell HAProxy to present the client's IP address. For this,
4919 there are two methods :
4920
4921 - present the client's IP and port addresses. This is the most transparent
4922 mode, but it can cause problems when IP connection tracking is enabled on
4923 the machine, because a same connection may be seen twice with different
4924 states. However, this solution presents the huge advantage of not
4925 limiting the system to the 64k outgoing address+port couples, because all
4926 of the client ranges may be used.
4927
4928 - present only the client's IP address and select a spare port. This
4929 solution is still quite elegant but slightly less transparent (downstream
4930 firewalls logs will not match upstream's). It also presents the downside
4931 of limiting the number of concurrent connections to the usual 64k ports.
4932 However, since the upstream and downstream ports are different, local IP
4933 connection tracking on the machine will not be upset by the reuse of the
4934 same session.
4935
4936 Note that depending on the transparent proxy technology used, it may be
4937 required to force the source address. In fact, cttproxy version 2 requires an
4938 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4939 IP address because it creates NAT entries which much match the exact outgoing
4940 address. Tproxy version 4 and some other kernel patches which work in pure
4941 forwarding mode generally will not have this limitation.
4942
4943 This option sets the default source for all servers in the backend. It may
4944 also be specified in a "defaults" section. Finer source address specification
4945 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004946 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004947
4948 Examples :
4949 backend private
4950 # Connect to the servers using our 192.168.1.200 source address
4951 source 192.168.1.200
4952
4953 backend transparent_ssl1
4954 # Connect to the SSL farm from the client's source address
4955 source 192.168.1.200 usesrc clientip
4956
4957 backend transparent_ssl2
4958 # Connect to the SSL farm from the client's source address and port
4959 # not recommended if IP conntrack is present on the local machine.
4960 source 192.168.1.200 usesrc client
4961
4962 backend transparent_ssl3
4963 # Connect to the SSL farm from the client's source address. It
4964 # is more conntrack-friendly.
4965 source 192.168.1.200 usesrc clientip
4966
4967 backend transparent_smtp
4968 # Connect to the SMTP farm from the client's source address/port
4969 # with Tproxy version 4.
4970 source 0.0.0.0 usesrc clientip
4971
Willy Tarreaubce70882009-09-07 11:51:47 +02004972 backend transparent_http
4973 # Connect to the servers using the client's IP as seen by previous
4974 # proxy.
4975 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4976
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004977 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004978 the Linux kernel on www.balabit.com, the "bind" keyword.
4979
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004980
Willy Tarreau844e3c52008-01-11 16:28:18 +01004981srvtimeout <timeout> (deprecated)
4982 Set the maximum inactivity time on the server side.
4983 May be used in sections : defaults | frontend | listen | backend
4984 yes | no | yes | yes
4985 Arguments :
4986 <timeout> is the timeout value specified in milliseconds by default, but
4987 can be in any other unit if the number is suffixed by the unit,
4988 as explained at the top of this document.
4989
4990 The inactivity timeout applies when the server is expected to acknowledge or
4991 send data. In HTTP mode, this timeout is particularly important to consider
4992 during the first phase of the server's response, when it has to send the
4993 headers, as it directly represents the server's processing time for the
4994 request. To find out what value to put there, it's often good to start with
4995 what would be considered as unacceptable response times, then check the logs
4996 to observe the response time distribution, and adjust the value accordingly.
4997
4998 The value is specified in milliseconds by default, but can be in any other
4999 unit if the number is suffixed by the unit, as specified at the top of this
5000 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5001 recommended that the client timeout remains equal to the server timeout in
5002 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005003 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005004 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005005 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005006
5007 This parameter is specific to backends, but can be specified once for all in
5008 "defaults" sections. This is in fact one of the easiest solutions not to
5009 forget about it. An unspecified timeout results in an infinite timeout, which
5010 is not recommended. Such a usage is accepted and works but reports a warning
5011 during startup because it may results in accumulation of expired sessions in
5012 the system if the system's timeouts are not configured either.
5013
5014 This parameter is provided for compatibility but is currently deprecated.
5015 Please use "timeout server" instead.
5016
5017 See also : "timeout server", "timeout client" and "clitimeout".
5018
5019
Cyril Bonté66c327d2010-10-12 00:14:37 +02005020stats admin { if | unless } <cond>
5021 Enable statistics admin level if/unless a condition is matched
5022 May be used in sections : defaults | frontend | listen | backend
5023 no | no | yes | yes
5024
5025 This statement enables the statistics admin level if/unless a condition is
5026 matched.
5027
5028 The admin level allows to enable/disable servers from the web interface. By
5029 default, statistics page is read-only for security reasons.
5030
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005031 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5032 unless you know what you do : memory is not shared between the
5033 processes, which can result in random behaviours.
5034
Cyril Bonté23b39d92011-02-10 22:54:44 +01005035 Currently, the POST request is limited to the buffer size minus the reserved
5036 buffer space, which means that if the list of servers is too long, the
5037 request won't be processed. It is recommended to alter few servers at a
5038 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005039
5040 Example :
5041 # statistics admin level only for localhost
5042 backend stats_localhost
5043 stats enable
5044 stats admin if LOCALHOST
5045
5046 Example :
5047 # statistics admin level always enabled because of the authentication
5048 backend stats_auth
5049 stats enable
5050 stats auth admin:AdMiN123
5051 stats admin if TRUE
5052
5053 Example :
5054 # statistics admin level depends on the authenticated user
5055 userlist stats-auth
5056 group admin users admin
5057 user admin insecure-password AdMiN123
5058 group readonly users haproxy
5059 user haproxy insecure-password haproxy
5060
5061 backend stats_auth
5062 stats enable
5063 acl AUTH http_auth(stats-auth)
5064 acl AUTH_ADMIN http_auth_group(stats-auth) admin
5065 stats http-request auth unless AUTH
5066 stats admin if AUTH_ADMIN
5067
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005068 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
5069 "bind-process", section 3.4 about userlists and section 7 about
5070 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005071
5072
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005073stats auth <user>:<passwd>
5074 Enable statistics with authentication and grant access to an account
5075 May be used in sections : defaults | frontend | listen | backend
5076 yes | no | yes | yes
5077 Arguments :
5078 <user> is a user name to grant access to
5079
5080 <passwd> is the cleartext password associated to this user
5081
5082 This statement enables statistics with default settings, and restricts access
5083 to declared users only. It may be repeated as many times as necessary to
5084 allow as many users as desired. When a user tries to access the statistics
5085 without a valid account, a "401 Forbidden" response will be returned so that
5086 the browser asks the user to provide a valid user and password. The real
5087 which will be returned to the browser is configurable using "stats realm".
5088
5089 Since the authentication method is HTTP Basic Authentication, the passwords
5090 circulate in cleartext on the network. Thus, it was decided that the
5091 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02005092 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005093
5094 It is also possible to reduce the scope of the proxies which appear in the
5095 report using "stats scope".
5096
5097 Though this statement alone is enough to enable statistics reporting, it is
5098 recommended to set all other settings in order to avoid relying on default
5099 unobvious parameters.
5100
5101 Example :
5102 # public access (limited to this backend only)
5103 backend public_www
5104 server srv1 192.168.0.1:80
5105 stats enable
5106 stats hide-version
5107 stats scope .
5108 stats uri /admin?stats
5109 stats realm Haproxy\ Statistics
5110 stats auth admin1:AdMiN123
5111 stats auth admin2:AdMiN321
5112
5113 # internal monitoring access (unlimited)
5114 backend private_monitoring
5115 stats enable
5116 stats uri /admin?stats
5117 stats refresh 5s
5118
5119 See also : "stats enable", "stats realm", "stats scope", "stats uri"
5120
5121
5122stats enable
5123 Enable statistics reporting with default settings
5124 May be used in sections : defaults | frontend | listen | backend
5125 yes | no | yes | yes
5126 Arguments : none
5127
5128 This statement enables statistics reporting with default settings defined
5129 at build time. Unless stated otherwise, these settings are used :
5130 - stats uri : /haproxy?stats
5131 - stats realm : "HAProxy Statistics"
5132 - stats auth : no authentication
5133 - stats scope : no restriction
5134
5135 Though this statement alone is enough to enable statistics reporting, it is
5136 recommended to set all other settings in order to avoid relying on default
5137 unobvious parameters.
5138
5139 Example :
5140 # public access (limited to this backend only)
5141 backend public_www
5142 server srv1 192.168.0.1:80
5143 stats enable
5144 stats hide-version
5145 stats scope .
5146 stats uri /admin?stats
5147 stats realm Haproxy\ Statistics
5148 stats auth admin1:AdMiN123
5149 stats auth admin2:AdMiN321
5150
5151 # internal monitoring access (unlimited)
5152 backend private_monitoring
5153 stats enable
5154 stats uri /admin?stats
5155 stats refresh 5s
5156
5157 See also : "stats auth", "stats realm", "stats uri"
5158
5159
Willy Tarreaud63335a2010-02-26 12:56:52 +01005160stats hide-version
5161 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005162 May be used in sections : defaults | frontend | listen | backend
5163 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01005164 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005165
Willy Tarreaud63335a2010-02-26 12:56:52 +01005166 By default, the stats page reports some useful status information along with
5167 the statistics. Among them is HAProxy's version. However, it is generally
5168 considered dangerous to report precise version to anyone, as it can help them
5169 target known weaknesses with specific attacks. The "stats hide-version"
5170 statement removes the version from the statistics report. This is recommended
5171 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005172
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005173 Though this statement alone is enough to enable statistics reporting, it is
5174 recommended to set all other settings in order to avoid relying on default
5175 unobvious parameters.
5176
Willy Tarreaud63335a2010-02-26 12:56:52 +01005177 Example :
5178 # public access (limited to this backend only)
5179 backend public_www
5180 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005181 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005182 stats hide-version
5183 stats scope .
5184 stats uri /admin?stats
5185 stats realm Haproxy\ Statistics
5186 stats auth admin1:AdMiN123
5187 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005188
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005189 # internal monitoring access (unlimited)
5190 backend private_monitoring
5191 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005192 stats uri /admin?stats
5193 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01005194
Willy Tarreaud63335a2010-02-26 12:56:52 +01005195 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005196
Willy Tarreau983e01e2010-01-11 18:42:06 +01005197
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02005198stats http-request { allow | deny | auth [realm <realm>] }
5199 [ { if | unless } <condition> ]
5200 Access control for statistics
5201
5202 May be used in sections: defaults | frontend | listen | backend
5203 no | no | yes | yes
5204
5205 As "http-request", these set of options allow to fine control access to
5206 statistics. Each option may be followed by if/unless and acl.
5207 First option with matched condition (or option without condition) is final.
5208 For "deny" a 403 error will be returned, for "allow" normal processing is
5209 performed, for "auth" a 401/407 error code is returned so the client
5210 should be asked to enter a username and password.
5211
5212 There is no fixed limit to the number of http-request statements per
5213 instance.
5214
5215 See also : "http-request", section 3.4 about userlists and section 7
5216 about ACL usage.
5217
5218
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005219stats realm <realm>
5220 Enable statistics and set authentication realm
5221 May be used in sections : defaults | frontend | listen | backend
5222 yes | no | yes | yes
5223 Arguments :
5224 <realm> is the name of the HTTP Basic Authentication realm reported to
5225 the browser. The browser uses it to display it in the pop-up
5226 inviting the user to enter a valid username and password.
5227
5228 The realm is read as a single word, so any spaces in it should be escaped
5229 using a backslash ('\').
5230
5231 This statement is useful only in conjunction with "stats auth" since it is
5232 only related to authentication.
5233
5234 Though this statement alone is enough to enable statistics reporting, it is
5235 recommended to set all other settings in order to avoid relying on default
5236 unobvious parameters.
5237
5238 Example :
5239 # public access (limited to this backend only)
5240 backend public_www
5241 server srv1 192.168.0.1:80
5242 stats enable
5243 stats hide-version
5244 stats scope .
5245 stats uri /admin?stats
5246 stats realm Haproxy\ Statistics
5247 stats auth admin1:AdMiN123
5248 stats auth admin2:AdMiN321
5249
5250 # internal monitoring access (unlimited)
5251 backend private_monitoring
5252 stats enable
5253 stats uri /admin?stats
5254 stats refresh 5s
5255
5256 See also : "stats auth", "stats enable", "stats uri"
5257
5258
5259stats refresh <delay>
5260 Enable statistics with automatic refresh
5261 May be used in sections : defaults | frontend | listen | backend
5262 yes | no | yes | yes
5263 Arguments :
5264 <delay> is the suggested refresh delay, specified in seconds, which will
5265 be returned to the browser consulting the report page. While the
5266 browser is free to apply any delay, it will generally respect it
5267 and refresh the page this every seconds. The refresh interval may
5268 be specified in any other non-default time unit, by suffixing the
5269 unit after the value, as explained at the top of this document.
5270
5271 This statement is useful on monitoring displays with a permanent page
5272 reporting the load balancer's activity. When set, the HTML report page will
5273 include a link "refresh"/"stop refresh" so that the user can select whether
5274 he wants automatic refresh of the page or not.
5275
5276 Though this statement alone is enough to enable statistics reporting, it is
5277 recommended to set all other settings in order to avoid relying on default
5278 unobvious parameters.
5279
5280 Example :
5281 # public access (limited to this backend only)
5282 backend public_www
5283 server srv1 192.168.0.1:80
5284 stats enable
5285 stats hide-version
5286 stats scope .
5287 stats uri /admin?stats
5288 stats realm Haproxy\ Statistics
5289 stats auth admin1:AdMiN123
5290 stats auth admin2:AdMiN321
5291
5292 # internal monitoring access (unlimited)
5293 backend private_monitoring
5294 stats enable
5295 stats uri /admin?stats
5296 stats refresh 5s
5297
5298 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5299
5300
5301stats scope { <name> | "." }
5302 Enable statistics and limit access scope
5303 May be used in sections : defaults | frontend | listen | backend
5304 yes | no | yes | yes
5305 Arguments :
5306 <name> is the name of a listen, frontend or backend section to be
5307 reported. The special name "." (a single dot) designates the
5308 section in which the statement appears.
5309
5310 When this statement is specified, only the sections enumerated with this
5311 statement will appear in the report. All other ones will be hidden. This
5312 statement may appear as many times as needed if multiple sections need to be
5313 reported. Please note that the name checking is performed as simple string
5314 comparisons, and that it is never checked that a give section name really
5315 exists.
5316
5317 Though this statement alone is enough to enable statistics reporting, it is
5318 recommended to set all other settings in order to avoid relying on default
5319 unobvious parameters.
5320
5321 Example :
5322 # public access (limited to this backend only)
5323 backend public_www
5324 server srv1 192.168.0.1:80
5325 stats enable
5326 stats hide-version
5327 stats scope .
5328 stats uri /admin?stats
5329 stats realm Haproxy\ Statistics
5330 stats auth admin1:AdMiN123
5331 stats auth admin2:AdMiN321
5332
5333 # internal monitoring access (unlimited)
5334 backend private_monitoring
5335 stats enable
5336 stats uri /admin?stats
5337 stats refresh 5s
5338
5339 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5340
Willy Tarreaud63335a2010-02-26 12:56:52 +01005341
Willy Tarreauc9705a12010-07-27 20:05:50 +02005342stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01005343 Enable reporting of a description on the statistics page.
5344 May be used in sections : defaults | frontend | listen | backend
5345 yes | no | yes | yes
5346
Willy Tarreauc9705a12010-07-27 20:05:50 +02005347 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01005348 description from global section is automatically used instead.
5349
5350 This statement is useful for users that offer shared services to their
5351 customers, where node or description should be different for each customer.
5352
5353 Though this statement alone is enough to enable statistics reporting, it is
5354 recommended to set all other settings in order to avoid relying on default
5355 unobvious parameters.
5356
5357 Example :
5358 # internal monitoring access (unlimited)
5359 backend private_monitoring
5360 stats enable
5361 stats show-desc Master node for Europe, Asia, Africa
5362 stats uri /admin?stats
5363 stats refresh 5s
5364
5365 See also: "show-node", "stats enable", "stats uri" and "description" in
5366 global section.
5367
5368
5369stats show-legends
5370 Enable reporting additional informations on the statistics page :
5371 - cap: capabilities (proxy)
5372 - mode: one of tcp, http or health (proxy)
5373 - id: SNMP ID (proxy, socket, server)
5374 - IP (socket, server)
5375 - cookie (backend, server)
5376
5377 Though this statement alone is enough to enable statistics reporting, it is
5378 recommended to set all other settings in order to avoid relying on default
5379 unobvious parameters.
5380
5381 See also: "stats enable", "stats uri".
5382
5383
5384stats show-node [ <name> ]
5385 Enable reporting of a host name on the statistics page.
5386 May be used in sections : defaults | frontend | listen | backend
5387 yes | no | yes | yes
5388 Arguments:
5389 <name> is an optional name to be reported. If unspecified, the
5390 node name from global section is automatically used instead.
5391
5392 This statement is useful for users that offer shared services to their
5393 customers, where node or description might be different on a stats page
5394 provided for each customer.
5395
5396 Though this statement alone is enough to enable statistics reporting, it is
5397 recommended to set all other settings in order to avoid relying on default
5398 unobvious parameters.
5399
5400 Example:
5401 # internal monitoring access (unlimited)
5402 backend private_monitoring
5403 stats enable
5404 stats show-node Europe-1
5405 stats uri /admin?stats
5406 stats refresh 5s
5407
5408 See also: "show-desc", "stats enable", "stats uri", and "node" in global
5409 section.
5410
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005411
5412stats uri <prefix>
5413 Enable statistics and define the URI prefix to access them
5414 May be used in sections : defaults | frontend | listen | backend
5415 yes | no | yes | yes
5416 Arguments :
5417 <prefix> is the prefix of any URI which will be redirected to stats. This
5418 prefix may contain a question mark ('?') to indicate part of a
5419 query string.
5420
5421 The statistics URI is intercepted on the relayed traffic, so it appears as a
5422 page within the normal application. It is strongly advised to ensure that the
5423 selected URI will never appear in the application, otherwise it will never be
5424 possible to reach it in the application.
5425
5426 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005427 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005428 It is generally a good idea to include a question mark in the URI so that
5429 intermediate proxies refrain from caching the results. Also, since any string
5430 beginning with the prefix will be accepted as a stats request, the question
5431 mark helps ensuring that no valid URI will begin with the same words.
5432
5433 It is sometimes very convenient to use "/" as the URI prefix, and put that
5434 statement in a "listen" instance of its own. That makes it easy to dedicate
5435 an address or a port to statistics only.
5436
5437 Though this statement alone is enough to enable statistics reporting, it is
5438 recommended to set all other settings in order to avoid relying on default
5439 unobvious parameters.
5440
5441 Example :
5442 # public access (limited to this backend only)
5443 backend public_www
5444 server srv1 192.168.0.1:80
5445 stats enable
5446 stats hide-version
5447 stats scope .
5448 stats uri /admin?stats
5449 stats realm Haproxy\ Statistics
5450 stats auth admin1:AdMiN123
5451 stats auth admin2:AdMiN321
5452
5453 # internal monitoring access (unlimited)
5454 backend private_monitoring
5455 stats enable
5456 stats uri /admin?stats
5457 stats refresh 5s
5458
5459 See also : "stats auth", "stats enable", "stats realm"
5460
5461
Willy Tarreaud63335a2010-02-26 12:56:52 +01005462stick match <pattern> [table <table>] [{if | unless} <cond>]
5463 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005464 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01005465 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005466
5467 Arguments :
5468 <pattern> is a pattern extraction rule as described in section 7.8. It
5469 describes what elements of the incoming request or connection
5470 will be analysed in the hope to find a matching entry in a
5471 stickiness table. This rule is mandatory.
5472
5473 <table> is an optional stickiness table name. If unspecified, the same
5474 backend's table is used. A stickiness table is declared using
5475 the "stick-table" statement.
5476
5477 <cond> is an optional matching condition. It makes it possible to match
5478 on a certain criterion only when other conditions are met (or
5479 not met). For instance, it could be used to match on a source IP
5480 address except when a request passes through a known proxy, in
5481 which case we'd match on a header containing that IP address.
5482
5483 Some protocols or applications require complex stickiness rules and cannot
5484 always simply rely on cookies nor hashing. The "stick match" statement
5485 describes a rule to extract the stickiness criterion from an incoming request
5486 or connection. See section 7 for a complete list of possible patterns and
5487 transformation rules.
5488
5489 The table has to be declared using the "stick-table" statement. It must be of
5490 a type compatible with the pattern. By default it is the one which is present
5491 in the same backend. It is possible to share a table with other backends by
5492 referencing it using the "table" keyword. If another table is referenced,
5493 the server's ID inside the backends are used. By default, all server IDs
5494 start at 1 in each backend, so the server ordering is enough. But in case of
5495 doubt, it is highly recommended to force server IDs using their "id" setting.
5496
5497 It is possible to restrict the conditions where a "stick match" statement
5498 will apply, using "if" or "unless" followed by a condition. See section 7 for
5499 ACL based conditions.
5500
5501 There is no limit on the number of "stick match" statements. The first that
5502 applies and matches will cause the request to be directed to the same server
5503 as was used for the request which created the entry. That way, multiple
5504 matches can be used as fallbacks.
5505
5506 The stick rules are checked after the persistence cookies, so they will not
5507 affect stickiness if a cookie has already been used to select a server. That
5508 way, it becomes very easy to insert cookies and match on IP addresses in
5509 order to maintain stickiness between HTTP and HTTPS.
5510
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005511 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5512 unless you know what you do : memory is not shared between the
5513 processes, which can result in random behaviours.
5514
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005515 Example :
5516 # forward SMTP users to the same server they just used for POP in the
5517 # last 30 minutes
5518 backend pop
5519 mode tcp
5520 balance roundrobin
5521 stick store-request src
5522 stick-table type ip size 200k expire 30m
5523 server s1 192.168.1.1:110
5524 server s2 192.168.1.1:110
5525
5526 backend smtp
5527 mode tcp
5528 balance roundrobin
5529 stick match src table pop
5530 server s1 192.168.1.1:25
5531 server s2 192.168.1.1:25
5532
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005533 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5534 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005535
5536
5537stick on <pattern> [table <table>] [{if | unless} <condition>]
5538 Define a request pattern to associate a user to a server
5539 May be used in sections : defaults | frontend | listen | backend
5540 no | no | yes | yes
5541
5542 Note : This form is exactly equivalent to "stick match" followed by
5543 "stick store-request", all with the same arguments. Please refer
5544 to both keywords for details. It is only provided as a convenience
5545 for writing more maintainable configurations.
5546
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005547 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5548 unless you know what you do : memory is not shared between the
5549 processes, which can result in random behaviours.
5550
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005551 Examples :
5552 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01005553 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005554
5555 # ...is strictly equivalent to this one :
5556 stick match src table pop if !localhost
5557 stick store-request src table pop if !localhost
5558
5559
5560 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
5561 # well as HTTP without cookie. Share the same table between both accesses.
5562 backend http
5563 mode http
5564 balance roundrobin
5565 stick on src table https
5566 cookie SRV insert indirect nocache
5567 server s1 192.168.1.1:80 cookie s1
5568 server s2 192.168.1.1:80 cookie s2
5569
5570 backend https
5571 mode tcp
5572 balance roundrobin
5573 stick-table type ip size 200k expire 30m
5574 stick on src
5575 server s1 192.168.1.1:443
5576 server s2 192.168.1.1:443
5577
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005578 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005579
5580
5581stick store-request <pattern> [table <table>] [{if | unless} <condition>]
5582 Define a request pattern used to create an entry in a stickiness table
5583 May be used in sections : defaults | frontend | listen | backend
5584 no | no | yes | yes
5585
5586 Arguments :
5587 <pattern> is a pattern extraction rule as described in section 7.8. It
5588 describes what elements of the incoming request or connection
5589 will be analysed, extracted and stored in the table once a
5590 server is selected.
5591
5592 <table> is an optional stickiness table name. If unspecified, the same
5593 backend's table is used. A stickiness table is declared using
5594 the "stick-table" statement.
5595
5596 <cond> is an optional storage condition. It makes it possible to store
5597 certain criteria only when some conditions are met (or not met).
5598 For instance, it could be used to store the source IP address
5599 except when the request passes through a known proxy, in which
5600 case we'd store a converted form of a header containing that IP
5601 address.
5602
5603 Some protocols or applications require complex stickiness rules and cannot
5604 always simply rely on cookies nor hashing. The "stick store-request" statement
5605 describes a rule to decide what to extract from the request and when to do
5606 it, in order to store it into a stickiness table for further requests to
5607 match it using the "stick match" statement. Obviously the extracted part must
5608 make sense and have a chance to be matched in a further request. Storing a
5609 client's IP address for instance often makes sense. Storing an ID found in a
5610 URL parameter also makes sense. Storing a source port will almost never make
5611 any sense because it will be randomly matched. See section 7 for a complete
5612 list of possible patterns and transformation rules.
5613
5614 The table has to be declared using the "stick-table" statement. It must be of
5615 a type compatible with the pattern. By default it is the one which is present
5616 in the same backend. It is possible to share a table with other backends by
5617 referencing it using the "table" keyword. If another table is referenced,
5618 the server's ID inside the backends are used. By default, all server IDs
5619 start at 1 in each backend, so the server ordering is enough. But in case of
5620 doubt, it is highly recommended to force server IDs using their "id" setting.
5621
5622 It is possible to restrict the conditions where a "stick store-request"
5623 statement will apply, using "if" or "unless" followed by a condition. This
5624 condition will be evaluated while parsing the request, so any criteria can be
5625 used. See section 7 for ACL based conditions.
5626
5627 There is no limit on the number of "stick store-request" statements, but
5628 there is a limit of 8 simultaneous stores per request or response. This
5629 makes it possible to store up to 8 criteria, all extracted from either the
5630 request or the response, regardless of the number of rules. Only the 8 first
5631 ones which match will be kept. Using this, it is possible to feed multiple
5632 tables at once in the hope to increase the chance to recognize a user on
5633 another protocol or access method.
5634
5635 The "store-request" rules are evaluated once the server connection has been
5636 established, so that the table will contain the real server that processed
5637 the request.
5638
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005639 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5640 unless you know what you do : memory is not shared between the
5641 processes, which can result in random behaviours.
5642
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005643 Example :
5644 # forward SMTP users to the same server they just used for POP in the
5645 # last 30 minutes
5646 backend pop
5647 mode tcp
5648 balance roundrobin
5649 stick store-request src
5650 stick-table type ip size 200k expire 30m
5651 server s1 192.168.1.1:110
5652 server s2 192.168.1.1:110
5653
5654 backend smtp
5655 mode tcp
5656 balance roundrobin
5657 stick match src table pop
5658 server s1 192.168.1.1:25
5659 server s2 192.168.1.1:25
5660
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005661 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5662 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005663
5664
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005665stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02005666 size <size> [expire <expire>] [nopurge] [peers <peersect>]
5667 [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005668 Configure the stickiness table for the current backend
5669 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005670 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005671
5672 Arguments :
5673 ip a table declared with "type ip" will only store IPv4 addresses.
5674 This form is very compact (about 50 bytes per entry) and allows
5675 very fast entry lookup and stores with almost no overhead. This
5676 is mainly used to store client source IP addresses.
5677
David du Colombier9a6d3c92011-03-17 10:40:24 +01005678 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
5679 This form is very compact (about 60 bytes per entry) and allows
5680 very fast entry lookup and stores with almost no overhead. This
5681 is mainly used to store client source IP addresses.
5682
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005683 integer a table declared with "type integer" will store 32bit integers
5684 which can represent a client identifier found in a request for
5685 instance.
5686
5687 string a table declared with "type string" will store substrings of up
5688 to <len> characters. If the string provided by the pattern
5689 extractor is larger than <len>, it will be truncated before
5690 being stored. During matching, at most <len> characters will be
5691 compared between the string in the table and the extracted
5692 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005693 to 32 characters.
5694
5695 binary a table declared with "type binary" will store binary blocks
5696 of <len> bytes. If the block provided by the pattern
5697 extractor is larger than <len>, it will be truncated before
5698 being stored. If the block provided by the pattern extractor
5699 is shorter than <len>, it will be padded by 0. When not
5700 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005701
5702 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005703 "string" type table (See type "string" above). Or the number
5704 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005705 changing this parameter as memory usage will proportionally
5706 increase.
5707
5708 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005709 value directly impacts memory usage. Count approximately
5710 50 bytes per entry, plus the size of a string if any. The size
5711 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005712
5713 [nopurge] indicates that we refuse to purge older entries when the table
5714 is full. When not specified and the table is full when haproxy
5715 wants to store an entry in it, it will flush a few of the oldest
5716 entries in order to release some space for the new ones. This is
5717 most often the desired behaviour. In some specific cases, it
5718 be desirable to refuse new entries instead of purging the older
5719 ones. That may be the case when the amount of data to store is
5720 far above the hardware limits and we prefer not to offer access
5721 to new clients than to reject the ones already connected. When
5722 using this parameter, be sure to properly set the "expire"
5723 parameter (see below).
5724
Emeric Brunf099e792010-09-27 12:05:28 +02005725 <peersect> is the name of the peers section to use for replication. Entries
5726 which associate keys to server IDs are kept synchronized with
5727 the remote peers declared in this section. All entries are also
5728 automatically learned from the local peer (old process) during a
5729 soft restart.
5730
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005731 NOTE : peers can't be used in multi-process mode.
5732
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005733 <expire> defines the maximum duration of an entry in the table since it
5734 was last created, refreshed or matched. The expiration delay is
5735 defined using the standard time format, similarly as the various
5736 timeouts. The maximum duration is slightly above 24 days. See
5737 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02005738 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005739 be removed once full. Be sure not to use the "nopurge" parameter
5740 if not expiration delay is specified.
5741
Willy Tarreau08d5f982010-06-06 13:34:54 +02005742 <data_type> is used to store additional information in the stick-table. This
5743 may be used by ACLs in order to control various criteria related
5744 to the activity of the client matching the stick-table. For each
5745 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02005746 that the additional data can fit. Several data types may be
5747 stored with an entry. Multiple data types may be specified after
5748 the "store" keyword, as a comma-separated list. Alternatively,
5749 it is possible to repeat the "store" keyword followed by one or
5750 several data types. Except for the "server_id" type which is
5751 automatically detected and enabled, all data types must be
5752 explicitly declared to be stored. If an ACL references a data
5753 type which is not stored, the ACL will simply not match. Some
5754 data types require an argument which must be passed just after
5755 the type between parenthesis. See below for the supported data
5756 types and their arguments.
5757
5758 The data types that can be stored with an entry are the following :
5759 - server_id : this is an integer which holds the numeric ID of the server a
5760 request was assigned to. It is used by the "stick match", "stick store",
5761 and "stick on" rules. It is automatically enabled when referenced.
5762
5763 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
5764 integer which may be used for anything. Most of the time it will be used
5765 to put a special tag on some entries, for instance to note that a
5766 specific behaviour was detected and must be known for future matches.
5767
5768 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
5769 the absolute number of connections received from clients which matched
5770 this entry. It does not mean the connections were accepted, just that
5771 they were received.
5772
5773 - conn_cur : Current Connections. It is a positive 32-bit integer which
5774 stores the concurrent connection counts for the entry. It is incremented
5775 once an incoming connection matches the entry, and decremented once the
5776 connection leaves. That way it is possible to know at any time the exact
5777 number of concurrent connections for an entry.
5778
5779 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5780 integer parameter <period> which indicates in milliseconds the length
5781 of the period over which the average is measured. It reports the average
5782 incoming connection rate over that period, in connections per period. The
5783 result is an integer which can be matched using ACLs.
5784
5785 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
5786 the absolute number of sessions received from clients which matched this
5787 entry. A session is a connection that was accepted by the layer 4 rules.
5788
5789 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5790 integer parameter <period> which indicates in milliseconds the length
5791 of the period over which the average is measured. It reports the average
5792 incoming session rate over that period, in sessions per period. The
5793 result is an integer which can be matched using ACLs.
5794
5795 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
5796 counts the absolute number of HTTP requests received from clients which
5797 matched this entry. It does not matter whether they are valid requests or
5798 not. Note that this is different from sessions when keep-alive is used on
5799 the client side.
5800
5801 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5802 integer parameter <period> which indicates in milliseconds the length
5803 of the period over which the average is measured. It reports the average
5804 HTTP request rate over that period, in requests per period. The result is
5805 an integer which can be matched using ACLs. It does not matter whether
5806 they are valid requests or not. Note that this is different from sessions
5807 when keep-alive is used on the client side.
5808
5809 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
5810 counts the absolute number of HTTP requests errors induced by clients
5811 which matched this entry. Errors are counted on invalid and truncated
5812 requests, as well as on denied or tarpitted requests, and on failed
5813 authentications. If the server responds with 4xx, then the request is
5814 also counted as an error since it's an error triggered by the client
5815 (eg: vulnerability scan).
5816
5817 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5818 integer parameter <period> which indicates in milliseconds the length
5819 of the period over which the average is measured. It reports the average
5820 HTTP request error rate over that period, in requests per period (see
5821 http_err_cnt above for what is accounted as an error). The result is an
5822 integer which can be matched using ACLs.
5823
5824 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
5825 integer which counts the cumulated amount of bytes received from clients
5826 which matched this entry. Headers are included in the count. This may be
5827 used to limit abuse of upload features on photo or video servers.
5828
5829 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5830 integer parameter <period> which indicates in milliseconds the length
5831 of the period over which the average is measured. It reports the average
5832 incoming bytes rate over that period, in bytes per period. It may be used
5833 to detect users which upload too much and too fast. Warning: with large
5834 uploads, it is possible that the amount of uploaded data will be counted
5835 once upon termination, thus causing spikes in the average transfer speed
5836 instead of having a smooth one. This may partially be smoothed with
5837 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
5838 recommended for better fairness.
5839
5840 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
5841 integer which counts the cumulated amount of bytes sent to clients which
5842 matched this entry. Headers are included in the count. This may be used
5843 to limit abuse of bots sucking the whole site.
5844
5845 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
5846 an integer parameter <period> which indicates in milliseconds the length
5847 of the period over which the average is measured. It reports the average
5848 outgoing bytes rate over that period, in bytes per period. It may be used
5849 to detect users which download too much and too fast. Warning: with large
5850 transfers, it is possible that the amount of transferred data will be
5851 counted once upon termination, thus causing spikes in the average
5852 transfer speed instead of having a smooth one. This may partially be
5853 smoothed with "option contstats" though this is not perfect yet. Use of
5854 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005855
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005856 There is only one stick-table per proxy. At the moment of writing this doc,
5857 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005858 to be required, simply create a dummy backend with a stick-table in it and
5859 reference it.
5860
5861 It is important to understand that stickiness based on learning information
5862 has some limitations, including the fact that all learned associations are
5863 lost upon restart. In general it can be good as a complement but not always
5864 as an exclusive stickiness.
5865
Willy Tarreauc9705a12010-07-27 20:05:50 +02005866 Last, memory requirements may be important when storing many data types.
5867 Indeed, storing all indicators above at once in each entry requires 116 bytes
5868 per entry, or 116 MB for a 1-million entries table. This is definitely not
5869 something that can be ignored.
5870
5871 Example:
5872 # Keep track of counters of up to 1 million IP addresses over 5 minutes
5873 # and store a general purpose counter and the average connection rate
5874 # computed over a sliding window of 30 seconds.
5875 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
5876
5877 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01005878 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005879
5880
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005881stick store-response <pattern> [table <table>] [{if | unless} <condition>]
5882 Define a request pattern used to create an entry in a stickiness table
5883 May be used in sections : defaults | frontend | listen | backend
5884 no | no | yes | yes
5885
5886 Arguments :
5887 <pattern> is a pattern extraction rule as described in section 7.8. It
5888 describes what elements of the response or connection will
5889 be analysed, extracted and stored in the table once a
5890 server is selected.
5891
5892 <table> is an optional stickiness table name. If unspecified, the same
5893 backend's table is used. A stickiness table is declared using
5894 the "stick-table" statement.
5895
5896 <cond> is an optional storage condition. It makes it possible to store
5897 certain criteria only when some conditions are met (or not met).
5898 For instance, it could be used to store the SSL session ID only
5899 when the response is a SSL server hello.
5900
5901 Some protocols or applications require complex stickiness rules and cannot
5902 always simply rely on cookies nor hashing. The "stick store-response"
5903 statement describes a rule to decide what to extract from the response and
5904 when to do it, in order to store it into a stickiness table for further
5905 requests to match it using the "stick match" statement. Obviously the
5906 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005907 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005908 See section 7 for a complete list of possible patterns and transformation
5909 rules.
5910
5911 The table has to be declared using the "stick-table" statement. It must be of
5912 a type compatible with the pattern. By default it is the one which is present
5913 in the same backend. It is possible to share a table with other backends by
5914 referencing it using the "table" keyword. If another table is referenced,
5915 the server's ID inside the backends are used. By default, all server IDs
5916 start at 1 in each backend, so the server ordering is enough. But in case of
5917 doubt, it is highly recommended to force server IDs using their "id" setting.
5918
5919 It is possible to restrict the conditions where a "stick store-response"
5920 statement will apply, using "if" or "unless" followed by a condition. This
5921 condition will be evaluated while parsing the response, so any criteria can
5922 be used. See section 7 for ACL based conditions.
5923
5924 There is no limit on the number of "stick store-response" statements, but
5925 there is a limit of 8 simultaneous stores per request or response. This
5926 makes it possible to store up to 8 criteria, all extracted from either the
5927 request or the response, regardless of the number of rules. Only the 8 first
5928 ones which match will be kept. Using this, it is possible to feed multiple
5929 tables at once in the hope to increase the chance to recognize a user on
5930 another protocol or access method.
5931
5932 The table will contain the real server that processed the request.
5933
5934 Example :
5935 # Learn SSL session ID from both request and response and create affinity.
5936 backend https
5937 mode tcp
5938 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02005939 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005940 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005941
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005942 acl clienthello req_ssl_hello_type 1
5943 acl serverhello rep_ssl_hello_type 2
5944
5945 # use tcp content accepts to detects ssl client and server hello.
5946 tcp-request inspect-delay 5s
5947 tcp-request content accept if clienthello
5948
5949 # no timeout on response inspect delay by default.
5950 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005951
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005952 # SSL session ID (SSLID) may be present on a client or server hello.
5953 # Its length is coded on 1 byte at offset 43 and its value starts
5954 # at offset 44.
5955
5956 # Match and learn on request if client hello.
5957 stick on payload_lv(43,1) if clienthello
5958
5959 # Learn on response if server hello.
5960 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02005961
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005962 server s1 192.168.1.1:443
5963 server s2 192.168.1.1:443
5964
5965 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5966 extraction.
5967
5968
Willy Tarreaue9656522010-08-17 15:40:09 +02005969tcp-request connection <action> [{if | unless} <condition>]
5970 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02005971 May be used in sections : defaults | frontend | listen | backend
5972 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02005973 Arguments :
5974 <action> defines the action to perform if the condition applies. Valid
5975 actions include : "accept", "reject", "track-sc1", "track-sc2".
5976 See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02005977
Willy Tarreaue9656522010-08-17 15:40:09 +02005978 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005979
5980 Immediately after acceptance of a new incoming connection, it is possible to
5981 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02005982 or dropped or have its counters tracked. Those conditions cannot make use of
5983 any data contents because the connection has not been read from yet, and the
5984 buffers are not yet allocated. This is used to selectively and very quickly
5985 accept or drop connections from various sources with a very low overhead. If
5986 some contents need to be inspected in order to take the decision, the
5987 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005988
Willy Tarreaue9656522010-08-17 15:40:09 +02005989 The "tcp-request connection" rules are evaluated in their exact declaration
5990 order. If no rule matches or if there is no rule, the default action is to
5991 accept the incoming connection. There is no specific limit to the number of
5992 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005993
Willy Tarreaue9656522010-08-17 15:40:09 +02005994 Three types of actions are supported :
5995 - accept :
5996 accepts the connection if the condition is true (when used with "if")
5997 or false (when used with "unless"). The first such rule executed ends
5998 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005999
Willy Tarreaue9656522010-08-17 15:40:09 +02006000 - reject :
6001 rejects the connection if the condition is true (when used with "if")
6002 or false (when used with "unless"). The first such rule executed ends
6003 the rules evaluation. Rejected connections do not even become a
6004 session, which is why they are accounted separately for in the stats,
6005 as "denied connections". They are not considered for the session
6006 rate-limit and are not logged either. The reason is that these rules
6007 should only be used to filter extremely high connection rates such as
6008 the ones encountered during a massive DDoS attack. Under these extreme
6009 conditions, the simple action of logging each event would make the
6010 system collapse and would considerably lower the filtering capacity. If
6011 logging is absolutely desired, then "tcp-request content" rules should
6012 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006013
Willy Tarreaue9656522010-08-17 15:40:09 +02006014 - { track-sc1 | track-sc2 } <key> [table <table>] :
6015 enables tracking of sticky counters from current connection. These
6016 rules do not stop evaluation and do not change default action. Two sets
6017 of counters may be simultaneously tracked by the same connection. The
6018 first "track-sc1" rule executed enables tracking of the counters of the
6019 specified table as the first set. The first "track-sc2" rule executed
6020 enables tracking of the counters of the specified table as the second
6021 set. It is a recommended practice to use the first set of counters for
6022 the per-frontend counters and the second set for the per-backend ones.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006023
Willy Tarreaue9656522010-08-17 15:40:09 +02006024 These actions take one or two arguments :
6025 <key> is mandatory, and defines the criterion the tracking key will
6026 be derived from. At the moment, only "src" is supported. With
6027 it, the key will be the connection's source IPv4 address.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006028
Willy Tarreaue9656522010-08-17 15:40:09 +02006029 <table> is an optional table to be used instead of the default one,
6030 which is the stick-table declared in the current proxy. All
6031 the counters for the matches and updates for the key will
6032 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006033
Willy Tarreaue9656522010-08-17 15:40:09 +02006034 Once a "track-sc*" rule is executed, the key is looked up in the table
6035 and if it is not found, an entry is allocated for it. Then a pointer to
6036 that entry is kept during all the session's life, and this entry's
6037 counters are updated as often as possible, every time the session's
6038 counters are updated, and also systematically when the session ends.
6039 If the entry tracks concurrent connection counters, one connection is
6040 counted for as long as the entry is tracked, and the entry will not
6041 expire during that time. Tracking counters also provides a performance
6042 advantage over just checking the keys, because only one table lookup is
6043 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006044
Willy Tarreaue9656522010-08-17 15:40:09 +02006045 Note that the "if/unless" condition is optional. If no condition is set on
6046 the action, it is simply performed unconditionally. That can be useful for
6047 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006048
Willy Tarreaue9656522010-08-17 15:40:09 +02006049 Example: accept all connections from white-listed hosts, reject too fast
6050 connection without counting them, and track accepted connections.
6051 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006052
Willy Tarreaue9656522010-08-17 15:40:09 +02006053 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006054 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaue9656522010-08-17 15:40:09 +02006055 tcp-request connection track-sc1 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006056
Willy Tarreaue9656522010-08-17 15:40:09 +02006057 Example: accept all connections from white-listed hosts, count all other
6058 connections and reject too fast ones. This results in abusive ones
6059 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006060
Willy Tarreaue9656522010-08-17 15:40:09 +02006061 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
6062 tcp-request connection track-sc1 src
6063 tcp-request connection reject if { sc1_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006064
6065 See section 7 about ACL usage.
6066
Willy Tarreaue9656522010-08-17 15:40:09 +02006067 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006068
6069
Willy Tarreaue9656522010-08-17 15:40:09 +02006070tcp-request content <action> [{if | unless} <condition>]
6071 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02006072 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006073 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02006074 Arguments :
6075 <action> defines the action to perform if the condition applies. Valid
6076 actions include : "accept", "reject", "track-sc1", "track-sc2".
6077 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02006078
Willy Tarreaue9656522010-08-17 15:40:09 +02006079 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02006080
Willy Tarreaue9656522010-08-17 15:40:09 +02006081 A request's contents can be analysed at an early stage of request processing
6082 called "TCP content inspection". During this stage, ACL-based rules are
6083 evaluated every time the request contents are updated, until either an
6084 "accept" or a "reject" rule matches, or the TCP request inspection delay
6085 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02006086
Willy Tarreaue9656522010-08-17 15:40:09 +02006087 The first difference between these rules and "tcp-request connection" rules
6088 is that "tcp-request content" rules can make use of contents to take a
6089 decision. Most often, these decisions will consider a protocol recognition or
6090 validity. The second difference is that content-based rules can be used in
6091 both frontends and backends. In frontends, they will be evaluated upon new
6092 connections. In backends, they will be evaluated once a session is assigned
6093 a backend. This means that a single frontend connection may be evaluated
6094 several times by one or multiple backends when a session gets reassigned
6095 (for instance after a client-side HTTP keep-alive request).
Willy Tarreau62644772008-07-16 18:36:06 +02006096
Willy Tarreaue9656522010-08-17 15:40:09 +02006097 Content-based rules are evaluated in their exact declaration order. If no
6098 rule matches or if there is no rule, the default action is to accept the
6099 contents. There is no specific limit to the number of rules which may be
6100 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02006101
Willy Tarreaue9656522010-08-17 15:40:09 +02006102 Three types of actions are supported :
6103 - accept :
6104 - reject :
6105 - { track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02006106
Willy Tarreaue9656522010-08-17 15:40:09 +02006107 They have the same meaning as their counter-parts in "tcp-request connection"
6108 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02006109
Willy Tarreaue9656522010-08-17 15:40:09 +02006110 Also, it is worth noting that if sticky counters are tracked from a rule
6111 defined in a backend, this tracking will automatically end when the session
6112 releases the backend. That allows per-backend counter tracking even in case
6113 of HTTP keep-alive requests when the backend changes. While there is nothing
6114 mandatory about it, it is recommended to use the track-sc1 pointer to track
6115 per-frontend counters and track-sc2 to track per-backend counters.
Willy Tarreau62644772008-07-16 18:36:06 +02006116
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006117 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02006118 the action, it is simply performed unconditionally. That can be useful for
6119 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02006120
Willy Tarreaue9656522010-08-17 15:40:09 +02006121 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02006122 rules, since HTTP-specific ACL matches are able to preliminarily parse the
6123 contents of a buffer before extracting the required data. If the buffered
6124 contents do not parse as a valid HTTP message, then the ACL does not match.
6125 The parser which is involved there is exactly the same as for all other HTTP
6126 processing, so there is no risk of parsing something differently.
Willy Tarreau62644772008-07-16 18:36:06 +02006127
6128 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02006129 # Accept HTTP requests containing a Host header saying "example.com"
6130 # and reject everything else.
6131 acl is_host_com hdr(Host) -i example.com
6132 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02006133 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02006134 tcp-request content reject
6135
6136 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02006137 # reject SMTP connection if client speaks first
6138 tcp-request inspect-delay 30s
6139 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006140 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02006141
6142 # Forward HTTPS connection only if client speaks
6143 tcp-request inspect-delay 30s
6144 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006145 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02006146 tcp-request content reject
6147
6148 Example: track per-frontend and per-backend counters, block abusers at the
6149 frontend when the backend detects abuse.
6150
6151 frontend http
6152 # Use General Purpose Couter 0 in SC1 as a global abuse counter
6153 # protecting all our sites
6154 stick-table type ip size 1m expire 5m store gpc0
6155 tcp-request connection track-sc1 src
6156 tcp-request connection reject if { sc1_get_gpc0 gt 0 }
6157 ...
6158 use_backend http_dynamic if { path_end .php }
6159
6160 backend http_dynamic
6161 # if a source makes too fast requests to this dynamic site (tracked
6162 # by SC2), block it globally in the frontend.
6163 stick-table type ip size 1m expire 5m store http_req_rate(10s)
6164 acl click_too_fast sc2_http_req_rate gt 10
6165 acl mark_as_abuser sc1_inc_gpc0
6166 tcp-request content track-sc2 src
6167 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02006168
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006169 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02006170
Willy Tarreaue9656522010-08-17 15:40:09 +02006171 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02006172
6173
6174tcp-request inspect-delay <timeout>
6175 Set the maximum allowed time to wait for data during content inspection
6176 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006177 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02006178 Arguments :
6179 <timeout> is the timeout value specified in milliseconds by default, but
6180 can be in any other unit if the number is suffixed by the unit,
6181 as explained at the top of this document.
6182
6183 People using haproxy primarily as a TCP relay are often worried about the
6184 risk of passing any type of protocol to a server without any analysis. In
6185 order to be able to analyze the request contents, we must first withhold
6186 the data then analyze them. This statement simply enables withholding of
6187 data for at most the specified amount of time.
6188
Willy Tarreaufb356202010-08-03 14:02:05 +02006189 TCP content inspection applies very early when a connection reaches a
6190 frontend, then very early when the connection is forwarded to a backend. This
6191 means that a connection may experience a first delay in the frontend and a
6192 second delay in the backend if both have tcp-request rules.
6193
Willy Tarreau62644772008-07-16 18:36:06 +02006194 Note that when performing content inspection, haproxy will evaluate the whole
6195 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006196 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02006197 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01006198 contents are definitive. If no delay is set, haproxy will not wait at all
6199 and will immediately apply a verdict based on the available information.
6200 Obviously this is unlikely to be very useful and might even be racy, so such
6201 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02006202
6203 As soon as a rule matches, the request is released and continues as usual. If
6204 the timeout is reached and no rule matches, the default policy will be to let
6205 it pass through unaffected.
6206
6207 For most protocols, it is enough to set it to a few seconds, as most clients
6208 send the full request immediately upon connection. Add 3 or more seconds to
6209 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01006210 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02006211 before the server (eg: SMTP), or to wait for a client to talk before passing
6212 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02006213 least the inspection delay, otherwise it will expire first. If the client
6214 closes the connection or if the buffer is full, the delay immediately expires
6215 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02006216
Willy Tarreau55165fe2009-05-10 12:02:55 +02006217 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02006218 "timeout client".
6219
6220
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006221tcp-response content <action> [{if | unless} <condition>]
6222 Perform an action on a session response depending on a layer 4-7 condition
6223 May be used in sections : defaults | frontend | listen | backend
6224 no | no | yes | yes
6225 Arguments :
6226 <action> defines the action to perform if the condition applies. Valid
6227 actions include : "accept", "reject".
6228 See "tcp-request connection" above for their signification.
6229
6230 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
6231
6232 Response contents can be analysed at an early stage of response processing
6233 called "TCP content inspection". During this stage, ACL-based rules are
6234 evaluated every time the response contents are updated, until either an
6235 "accept" or a "reject" rule matches, or a TCP response inspection delay is
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006236 set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006237
6238 Most often, these decisions will consider a protocol recognition or validity.
6239
6240 Content-based rules are evaluated in their exact declaration order. If no
6241 rule matches or if there is no rule, the default action is to accept the
6242 contents. There is no specific limit to the number of rules which may be
6243 inserted.
6244
6245 Two types of actions are supported :
6246 - accept :
6247 accepts the response if the condition is true (when used with "if")
6248 or false (when used with "unless"). The first such rule executed ends
6249 the rules evaluation.
6250
6251 - reject :
6252 rejects the response if the condition is true (when used with "if")
6253 or false (when used with "unless"). The first such rule executed ends
6254 the rules evaluation. Rejected session are immediatly closed.
6255
6256 Note that the "if/unless" condition is optional. If no condition is set on
6257 the action, it is simply performed unconditionally. That can be useful for
6258 for changing the default action to a reject.
6259
6260 It is perfectly possible to match layer 7 contents with "tcp-reponse content"
6261 rules, but then it is important to ensure that a full response has been
6262 buffered, otherwise no contents will match. In order to achieve this, the
6263 best solution involves detecting the HTTP protocol during the inspection
6264 period.
6265
6266 See section 7 about ACL usage.
6267
6268 See also : "tcp-request content", "tcp-response inspect-delay"
6269
6270
6271tcp-response inspect-delay <timeout>
6272 Set the maximum allowed time to wait for a response during content inspection
6273 May be used in sections : defaults | frontend | listen | backend
6274 no | no | yes | yes
6275 Arguments :
6276 <timeout> is the timeout value specified in milliseconds by default, but
6277 can be in any other unit if the number is suffixed by the unit,
6278 as explained at the top of this document.
6279
6280 See also : "tcp-response content", "tcp-request inspect-delay".
6281
6282
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006283timeout check <timeout>
6284 Set additional check timeout, but only after a connection has been already
6285 established.
6286
6287 May be used in sections: defaults | frontend | listen | backend
6288 yes | no | yes | yes
6289 Arguments:
6290 <timeout> is the timeout value specified in milliseconds by default, but
6291 can be in any other unit if the number is suffixed by the unit,
6292 as explained at the top of this document.
6293
6294 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
6295 for check and "timeout check" as an additional read timeout. The "min" is
6296 used so that people running with *very* long "timeout connect" (eg. those
6297 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01006298 (Please also note that there is no valid reason to have such long connect
6299 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
6300 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006301
6302 If "timeout check" is not set haproxy uses "inter" for complete check
6303 timeout (connect + read) exactly like all <1.3.15 version.
6304
6305 In most cases check request is much simpler and faster to handle than normal
6306 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01006307 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006308
6309 This parameter is specific to backends, but can be specified once for all in
6310 "defaults" sections. This is in fact one of the easiest solutions not to
6311 forget about it.
6312
Willy Tarreau41a340d2008-01-22 12:25:31 +01006313 See also: "timeout connect", "timeout queue", "timeout server",
6314 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006315
6316
Willy Tarreau0ba27502007-12-24 16:55:16 +01006317timeout client <timeout>
6318timeout clitimeout <timeout> (deprecated)
6319 Set the maximum inactivity time on the client side.
6320 May be used in sections : defaults | frontend | listen | backend
6321 yes | yes | yes | no
6322 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006323 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006324 can be in any other unit if the number is suffixed by the unit,
6325 as explained at the top of this document.
6326
6327 The inactivity timeout applies when the client is expected to acknowledge or
6328 send data. In HTTP mode, this timeout is particularly important to consider
6329 during the first phase, when the client sends the request, and during the
6330 response while it is reading data sent by the server. The value is specified
6331 in milliseconds by default, but can be in any other unit if the number is
6332 suffixed by the unit, as specified at the top of this document. In TCP mode
6333 (and to a lesser extent, in HTTP mode), it is highly recommended that the
6334 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006335 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01006336 losses by specifying timeouts that are slightly above multiples of 3 seconds
6337 (eg: 4 or 5 seconds).
6338
6339 This parameter is specific to frontends, but can be specified once for all in
6340 "defaults" sections. This is in fact one of the easiest solutions not to
6341 forget about it. An unspecified timeout results in an infinite timeout, which
6342 is not recommended. Such a usage is accepted and works but reports a warning
6343 during startup because it may results in accumulation of expired sessions in
6344 the system if the system's timeouts are not configured either.
6345
6346 This parameter replaces the old, deprecated "clitimeout". It is recommended
6347 to use it to write new configurations. The form "timeout clitimeout" is
6348 provided only by backwards compatibility but its use is strongly discouraged.
6349
6350 See also : "clitimeout", "timeout server".
6351
6352
6353timeout connect <timeout>
6354timeout contimeout <timeout> (deprecated)
6355 Set the maximum time to wait for a connection attempt to a server to succeed.
6356 May be used in sections : defaults | frontend | listen | backend
6357 yes | no | yes | yes
6358 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006359 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006360 can be in any other unit if the number is suffixed by the unit,
6361 as explained at the top of this document.
6362
6363 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006364 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01006365 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01006366 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006367 connect timeout also presets both queue and tarpit timeouts to the same value
6368 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006369
6370 This parameter is specific to backends, but can be specified once for all in
6371 "defaults" sections. This is in fact one of the easiest solutions not to
6372 forget about it. An unspecified timeout results in an infinite timeout, which
6373 is not recommended. Such a usage is accepted and works but reports a warning
6374 during startup because it may results in accumulation of failed sessions in
6375 the system if the system's timeouts are not configured either.
6376
6377 This parameter replaces the old, deprecated "contimeout". It is recommended
6378 to use it to write new configurations. The form "timeout contimeout" is
6379 provided only by backwards compatibility but its use is strongly discouraged.
6380
Willy Tarreau41a340d2008-01-22 12:25:31 +01006381 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
6382 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01006383
6384
Willy Tarreaub16a5742010-01-10 14:46:16 +01006385timeout http-keep-alive <timeout>
6386 Set the maximum allowed time to wait for a new HTTP request to appear
6387 May be used in sections : defaults | frontend | listen | backend
6388 yes | yes | yes | yes
6389 Arguments :
6390 <timeout> is the timeout value specified in milliseconds by default, but
6391 can be in any other unit if the number is suffixed by the unit,
6392 as explained at the top of this document.
6393
6394 By default, the time to wait for a new request in case of keep-alive is set
6395 by "timeout http-request". However this is not always convenient because some
6396 people want very short keep-alive timeouts in order to release connections
6397 faster, and others prefer to have larger ones but still have short timeouts
6398 once the request has started to present itself.
6399
6400 The "http-keep-alive" timeout covers these needs. It will define how long to
6401 wait for a new HTTP request to start coming after a response was sent. Once
6402 the first byte of request has been seen, the "http-request" timeout is used
6403 to wait for the complete request to come. Note that empty lines prior to a
6404 new request do not refresh the timeout and are not counted as a new request.
6405
6406 There is also another difference between the two timeouts : when a connection
6407 expires during timeout http-keep-alive, no error is returned, the connection
6408 just closes. If the connection expires in "http-request" while waiting for a
6409 connection to complete, a HTTP 408 error is returned.
6410
6411 In general it is optimal to set this value to a few tens to hundreds of
6412 milliseconds, to allow users to fetch all objects of a page at once but
6413 without waiting for further clicks. Also, if set to a very small value (eg:
6414 1 millisecond) it will probably only accept pipelined requests but not the
6415 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02006416 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01006417
6418 If this parameter is not set, the "http-request" timeout applies, and if both
6419 are not set, "timeout client" still applies at the lower level. It should be
6420 set in the frontend to take effect, unless the frontend is in TCP mode, in
6421 which case the HTTP backend's timeout will be used.
6422
6423 See also : "timeout http-request", "timeout client".
6424
6425
Willy Tarreau036fae02008-01-06 13:24:40 +01006426timeout http-request <timeout>
6427 Set the maximum allowed time to wait for a complete HTTP request
6428 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006429 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01006430 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006431 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01006432 can be in any other unit if the number is suffixed by the unit,
6433 as explained at the top of this document.
6434
6435 In order to offer DoS protection, it may be required to lower the maximum
6436 accepted time to receive a complete HTTP request without affecting the client
6437 timeout. This helps protecting against established connections on which
6438 nothing is sent. The client timeout cannot offer a good protection against
6439 this abuse because it is an inactivity timeout, which means that if the
6440 attacker sends one character every now and then, the timeout will not
6441 trigger. With the HTTP request timeout, no matter what speed the client
6442 types, the request will be aborted if it does not complete in time.
6443
6444 Note that this timeout only applies to the header part of the request, and
6445 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01006446 used anymore. It is used again on keep-alive connections to wait for a second
6447 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01006448
6449 Generally it is enough to set it to a few seconds, as most clients send the
6450 full request immediately upon connection. Add 3 or more seconds to cover TCP
6451 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
6452 generally work on local networks as long as there are no packet losses. This
6453 will prevent people from sending bare HTTP requests using telnet.
6454
6455 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006456 chunk of the incoming request. It should be set in the frontend to take
6457 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
6458 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01006459
Willy Tarreaub16a5742010-01-10 14:46:16 +01006460 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01006461
Willy Tarreau844e3c52008-01-11 16:28:18 +01006462
6463timeout queue <timeout>
6464 Set the maximum time to wait in the queue for a connection slot to be free
6465 May be used in sections : defaults | frontend | listen | backend
6466 yes | no | yes | yes
6467 Arguments :
6468 <timeout> is the timeout value specified in milliseconds by default, but
6469 can be in any other unit if the number is suffixed by the unit,
6470 as explained at the top of this document.
6471
6472 When a server's maxconn is reached, connections are left pending in a queue
6473 which may be server-specific or global to the backend. In order not to wait
6474 indefinitely, a timeout is applied to requests pending in the queue. If the
6475 timeout is reached, it is considered that the request will almost never be
6476 served, so it is dropped and a 503 error is returned to the client.
6477
6478 The "timeout queue" statement allows to fix the maximum time for a request to
6479 be left pending in a queue. If unspecified, the same value as the backend's
6480 connection timeout ("timeout connect") is used, for backwards compatibility
6481 with older versions with no "timeout queue" parameter.
6482
6483 See also : "timeout connect", "contimeout".
6484
6485
6486timeout server <timeout>
6487timeout srvtimeout <timeout> (deprecated)
6488 Set the maximum inactivity time on the server side.
6489 May be used in sections : defaults | frontend | listen | backend
6490 yes | no | yes | yes
6491 Arguments :
6492 <timeout> is the timeout value specified in milliseconds by default, but
6493 can be in any other unit if the number is suffixed by the unit,
6494 as explained at the top of this document.
6495
6496 The inactivity timeout applies when the server is expected to acknowledge or
6497 send data. In HTTP mode, this timeout is particularly important to consider
6498 during the first phase of the server's response, when it has to send the
6499 headers, as it directly represents the server's processing time for the
6500 request. To find out what value to put there, it's often good to start with
6501 what would be considered as unacceptable response times, then check the logs
6502 to observe the response time distribution, and adjust the value accordingly.
6503
6504 The value is specified in milliseconds by default, but can be in any other
6505 unit if the number is suffixed by the unit, as specified at the top of this
6506 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6507 recommended that the client timeout remains equal to the server timeout in
6508 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006509 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006510 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01006511 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01006512
6513 This parameter is specific to backends, but can be specified once for all in
6514 "defaults" sections. This is in fact one of the easiest solutions not to
6515 forget about it. An unspecified timeout results in an infinite timeout, which
6516 is not recommended. Such a usage is accepted and works but reports a warning
6517 during startup because it may results in accumulation of expired sessions in
6518 the system if the system's timeouts are not configured either.
6519
6520 This parameter replaces the old, deprecated "srvtimeout". It is recommended
6521 to use it to write new configurations. The form "timeout srvtimeout" is
6522 provided only by backwards compatibility but its use is strongly discouraged.
6523
6524 See also : "srvtimeout", "timeout client".
6525
6526
6527timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01006528 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01006529 May be used in sections : defaults | frontend | listen | backend
6530 yes | yes | yes | yes
6531 Arguments :
6532 <timeout> is the tarpit duration specified in milliseconds by default, but
6533 can be in any other unit if the number is suffixed by the unit,
6534 as explained at the top of this document.
6535
6536 When a connection is tarpitted using "reqtarpit", it is maintained open with
6537 no activity for a certain amount of time, then closed. "timeout tarpit"
6538 defines how long it will be maintained open.
6539
6540 The value is specified in milliseconds by default, but can be in any other
6541 unit if the number is suffixed by the unit, as specified at the top of this
6542 document. If unspecified, the same value as the backend's connection timeout
6543 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01006544 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006545
6546 See also : "timeout connect", "contimeout".
6547
6548
6549transparent (deprecated)
6550 Enable client-side transparent proxying
6551 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01006552 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01006553 Arguments : none
6554
6555 This keyword was introduced in order to provide layer 7 persistence to layer
6556 3 load balancers. The idea is to use the OS's ability to redirect an incoming
6557 connection for a remote address to a local process (here HAProxy), and let
6558 this process know what address was initially requested. When this option is
6559 used, sessions without cookies will be forwarded to the original destination
6560 IP address of the incoming request (which should match that of another
6561 equipment), while requests with cookies will still be forwarded to the
6562 appropriate server.
6563
6564 The "transparent" keyword is deprecated, use "option transparent" instead.
6565
6566 Note that contrary to a common belief, this option does NOT make HAProxy
6567 present the client's IP to the server when establishing the connection.
6568
Willy Tarreau844e3c52008-01-11 16:28:18 +01006569 See also: "option transparent"
6570
William Lallemanda73203e2012-03-12 12:48:57 +01006571unique-id-format <string>
6572 Generate a unique ID for each request.
6573 May be used in sections : defaults | frontend | listen | backend
6574 yes | yes | yes | no
6575 Arguments :
6576 <string> is a log-format string.
6577
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006578 This keyword creates a ID for each request using the custom log format. A
6579 unique ID is useful to trace a request passing through many components of
6580 a complex infrastructure. The newly created ID may also be logged using the
6581 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01006582
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006583 The format should be composed from elements that are guaranteed to be
6584 unique when combined together. For instance, if multiple haproxy instances
6585 are involved, it might be important to include the node name. It is often
6586 needed to log the incoming connection's source and destination addresses
6587 and ports. Note that since multiple requests may be performed over the same
6588 connection, including a request counter may help differentiate them.
6589 Similarly, a timestamp may protect against a rollover of the counter.
6590 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01006591
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006592 It is recommended to use hexadecimal notation for many fields since it
6593 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01006594
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006595 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006596
6597 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6598
6599 will generate:
6600
6601 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6602
6603 See also: "unique-id-header"
6604
6605unique-id-header <name>
6606 Add a unique ID header in the HTTP request.
6607 May be used in sections : defaults | frontend | listen | backend
6608 yes | yes | yes | no
6609 Arguments :
6610 <name> is the name of the header.
6611
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006612 Add a unique-id header in the HTTP request sent to the server, using the
6613 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01006614
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006615 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006616
6617 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6618 unique-id-header X-Unique-ID
6619
6620 will generate:
6621
6622 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6623
6624 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01006625
6626use_backend <backend> if <condition>
6627use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006628 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006629 May be used in sections : defaults | frontend | listen | backend
6630 no | yes | yes | no
6631 Arguments :
6632 <backend> is the name of a valid backend or "listen" section.
6633
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006634 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006635
6636 When doing content-switching, connections arrive on a frontend and are then
6637 dispatched to various backends depending on a number of conditions. The
6638 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006639 "use_backend" keyword. While it is normally used with HTTP processing, it can
6640 also be used in pure TCP, either without content using stateless ACLs (eg:
6641 source address validation) or combined with a "tcp-request" rule to wait for
6642 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006643
6644 There may be as many "use_backend" rules as desired. All of these rules are
6645 evaluated in their declaration order, and the first one which matches will
6646 assign the backend.
6647
6648 In the first form, the backend will be used if the condition is met. In the
6649 second form, the backend will be used if the condition is not met. If no
6650 condition is valid, the backend defined with "default_backend" will be used.
6651 If no default backend is defined, either the servers in the same section are
6652 used (in case of a "listen" section) or, in case of a frontend, no server is
6653 used and a 503 service unavailable response is returned.
6654
Willy Tarreau51aecc72009-07-12 09:47:04 +02006655 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006656 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02006657 and backend processing will immediately follow, or the backend will wait for
6658 a complete HTTP request to get in. This feature is useful when a frontend
6659 must decode several protocols on a unique port, one of them being HTTP.
6660
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006661 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01006662
Willy Tarreau036fae02008-01-06 13:24:40 +01006663
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006664use-server <server> if <condition>
6665use-server <server> unless <condition>
6666 Only use a specific server if/unless an ACL-based condition is matched.
6667 May be used in sections : defaults | frontend | listen | backend
6668 no | no | yes | yes
6669 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006670 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006671
6672 <condition> is a condition composed of ACLs, as described in section 7.
6673
6674 By default, connections which arrive to a backend are load-balanced across
6675 the available servers according to the configured algorithm, unless a
6676 persistence mechanism such as a cookie is used and found in the request.
6677
6678 Sometimes it is desirable to forward a particular request to a specific
6679 server without having to declare a dedicated backend for this server. This
6680 can be achieved using the "use-server" rules. These rules are evaluated after
6681 the "redirect" rules and before evaluating cookies, and they have precedence
6682 on them. There may be as many "use-server" rules as desired. All of these
6683 rules are evaluated in their declaration order, and the first one which
6684 matches will assign the server.
6685
6686 If a rule designates a server which is down, and "option persist" is not used
6687 and no force-persist rule was validated, it is ignored and evaluation goes on
6688 with the next rules until one matches.
6689
6690 In the first form, the server will be used if the condition is met. In the
6691 second form, the server will be used if the condition is not met. If no
6692 condition is valid, the processing continues and the server will be assigned
6693 according to other persistence mechanisms.
6694
6695 Note that even if a rule is matched, cookie processing is still performed but
6696 does not assign the server. This allows prefixed cookies to have their prefix
6697 stripped.
6698
6699 The "use-server" statement works both in HTTP and TCP mode. This makes it
6700 suitable for use with content-based inspection. For instance, a server could
6701 be selected in a farm according to the TLS SNI field. And if these servers
6702 have their weight set to zero, they will not be used for other traffic.
6703
6704 Example :
6705 # intercept incoming TLS requests based on the SNI field
6706 use-server www if { req_ssl_sni -i www.example.com }
6707 server www 192.168.0.1:443 weight 0
6708 use-server mail if { req_ssl_sni -i mail.example.com }
6709 server mail 192.168.0.1:587 weight 0
6710 use-server imap if { req_ssl_sni -i imap.example.com }
6711 server mail 192.168.0.1:993 weight 0
6712 # all the rest is forwarded to this server
6713 server default 192.168.0.2:443 check
6714
6715 See also: "use_backend", serction 5 about server and section 7 about ACLs.
6716
6717
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010067185. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01006719------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006720
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01006721The "server" and "default-server" keywords support a certain number of settings
6722which are all passed as arguments on the server line. The order in which those
6723arguments appear does not count, and they are all optional. Some of those
6724settings are single words (booleans) while others expect one or several values
6725after them. In this case, the values must immediately follow the setting name.
6726Except default-server, all those settings must be specified after the server's
6727address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02006728
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006729 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01006730 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02006731
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006732The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006733
Willy Tarreauceb4ac92012-04-28 00:41:46 +02006734addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006735 Using the "addr" parameter, it becomes possible to use a different IP address
6736 to send health-checks. On some servers, it may be desirable to dedicate an IP
6737 address to specific component able to perform complex tests which are more
6738 suitable to health-checks than the application. This parameter is ignored if
6739 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006740
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006741 Supported in default-server: No
6742
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006743backup
6744 When "backup" is present on a server line, the server is only used in load
6745 balancing when all other non-backup servers are unavailable. Requests coming
6746 with a persistence cookie referencing the server will always be served
6747 though. By default, only the first operational backup server is used, unless
6748 the "allbackups" option is set in the backend. See also the "allbackups"
6749 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006750
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006751 Supported in default-server: No
6752
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006753check
6754 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01006755 always considered available. If "check" is set, the server is available when
6756 accepting periodic TCP connections, to ensure that it is really able to serve
6757 requests. The default address and port to send the tests to are those of the
6758 server, and the default source is the same as the one defined in the
6759 backend. It is possible to change the address using the "addr" parameter, the
6760 port using the "port" parameter, the source address using the "source"
6761 address, and the interval and timers using the "inter", "rise" and "fall"
6762 parameters. The request method is define in the backend using the "httpchk",
6763 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
6764 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006765
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006766 Supported in default-server: No
6767
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006768cookie <value>
6769 The "cookie" parameter sets the cookie value assigned to the server to
6770 <value>. This value will be checked in incoming requests, and the first
6771 operational server possessing the same value will be selected. In return, in
6772 cookie insertion or rewrite modes, this value will be assigned to the cookie
6773 sent to the client. There is nothing wrong in having several servers sharing
6774 the same cookie value, and it is in fact somewhat common between normal and
6775 backup servers. See also the "cookie" keyword in backend section.
6776
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006777 Supported in default-server: No
6778
Willy Tarreau96839092010-03-29 10:02:24 +02006779disabled
6780 The "disabled" keyword starts the server in the "disabled" state. That means
6781 that it is marked down in maintenance mode, and no connection other than the
6782 ones allowed by persist mode will reach it. It is very well suited to setup
6783 new servers, because normal traffic will never reach them, while it is still
6784 possible to test the service by making use of the force-persist mechanism.
6785
6786 Supported in default-server: No
6787
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006788error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01006789 If health observing is enabled, the "error-limit" parameter specifies the
6790 number of consecutive errors that triggers event selected by the "on-error"
6791 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006792
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006793 Supported in default-server: Yes
6794
6795 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006796
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006797fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006798 The "fall" parameter states that a server will be considered as dead after
6799 <count> consecutive unsuccessful health checks. This value defaults to 3 if
6800 unspecified. See also the "check", "inter" and "rise" parameters.
6801
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006802 Supported in default-server: Yes
6803
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006804id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02006805 Set a persistent ID for the server. This ID must be positive and unique for
6806 the proxy. An unused ID will automatically be assigned if unset. The first
6807 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006808
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006809 Supported in default-server: No
6810
6811inter <delay>
6812fastinter <delay>
6813downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006814 The "inter" parameter sets the interval between two consecutive health checks
6815 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
6816 It is also possible to use "fastinter" and "downinter" to optimize delays
6817 between checks depending on the server state :
6818
6819 Server state | Interval used
6820 ---------------------------------+-----------------------------------------
6821 UP 100% (non-transitional) | "inter"
6822 ---------------------------------+-----------------------------------------
6823 Transitionally UP (going down), |
6824 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
6825 or yet unchecked. |
6826 ---------------------------------+-----------------------------------------
6827 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
6828 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01006829
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006830 Just as with every other time-based parameter, they can be entered in any
6831 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
6832 serves as a timeout for health checks sent to servers if "timeout check" is
6833 not set. In order to reduce "resonance" effects when multiple servers are
6834 hosted on the same hardware, the health-checks of all servers are started
6835 with a small time offset between them. It is also possible to add some random
6836 noise in the health checks interval using the global "spread-checks"
6837 keyword. This makes sense for instance when a lot of backends use the same
6838 servers.
6839
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006840 Supported in default-server: Yes
6841
6842maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006843 The "maxconn" parameter specifies the maximal number of concurrent
6844 connections that will be sent to this server. If the number of incoming
6845 concurrent requests goes higher than this value, they will be queued, waiting
6846 for a connection to be released. This parameter is very important as it can
6847 save fragile servers from going down under extreme loads. If a "minconn"
6848 parameter is specified, the limit becomes dynamic. The default value is "0"
6849 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
6850 the backend's "fullconn" keyword.
6851
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006852 Supported in default-server: Yes
6853
6854maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006855 The "maxqueue" parameter specifies the maximal number of connections which
6856 will wait in the queue for this server. If this limit is reached, next
6857 requests will be redispatched to other servers instead of indefinitely
6858 waiting to be served. This will break persistence but may allow people to
6859 quickly re-log in when the server they try to connect to is dying. The
6860 default value is "0" which means the queue is unlimited. See also the
6861 "maxconn" and "minconn" parameters.
6862
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006863 Supported in default-server: Yes
6864
6865minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006866 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
6867 limit following the backend's load. The server will always accept at least
6868 <minconn> connections, never more than <maxconn>, and the limit will be on
6869 the ramp between both values when the backend has less than <fullconn>
6870 concurrent connections. This makes it possible to limit the load on the
6871 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006872 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006873 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006874
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006875 Supported in default-server: Yes
6876
Simon Hormanfa461682011-06-25 09:39:49 +09006877non-stick
6878 Never add connections allocated to this sever to a stick-table.
6879 This may be used in conjunction with backup to ensure that
6880 stick-table persistence is disabled for backup servers.
6881
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006882observe <mode>
6883 This option enables health adjusting based on observing communication with
6884 the server. By default this functionality is disabled and enabling it also
6885 requires to enable health checks. There are two supported modes: "layer4" and
6886 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
6887 significant. In layer7, which is only allowed for http proxies, responses
6888 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01006889 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006890
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006891 Supported in default-server: No
6892
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006893 See also the "check", "on-error" and "error-limit".
6894
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006895on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006896 Select what should happen when enough consecutive errors are detected.
6897 Currently, four modes are available:
6898 - fastinter: force fastinter
6899 - fail-check: simulate a failed check, also forces fastinter (default)
6900 - sudden-death: simulate a pre-fatal failed health check, one more failed
6901 check will mark a server down, forces fastinter
6902 - mark-down: mark the server immediately down and force fastinter
6903
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006904 Supported in default-server: Yes
6905
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006906 See also the "check", "observe" and "error-limit".
6907
Simon Hormane0d1bfb2011-06-21 14:34:58 +09006908on-marked-down <action>
6909 Modify what occurs when a server is marked down.
6910 Currently one action is available:
6911 - shutdown-sessions: Shutdown peer sessions
6912
6913 Actions are disabled by default
6914
6915 Supported in default-server: Yes
6916
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006917port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006918 Using the "port" parameter, it becomes possible to use a different port to
6919 send health-checks. On some servers, it may be desirable to dedicate a port
6920 to a specific component able to perform complex tests which are more suitable
6921 to health-checks than the application. It is common to run a simple script in
6922 inetd for instance. This parameter is ignored if the "check" parameter is not
6923 set. See also the "addr" parameter.
6924
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006925 Supported in default-server: Yes
6926
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006927redir <prefix>
6928 The "redir" parameter enables the redirection mode for all GET and HEAD
6929 requests addressing this server. This means that instead of having HAProxy
6930 forward the request to the server, it will send an "HTTP 302" response with
6931 the "Location" header composed of this prefix immediately followed by the
6932 requested URI beginning at the leading '/' of the path component. That means
6933 that no trailing slash should be used after <prefix>. All invalid requests
6934 will be rejected, and all non-GET or HEAD requests will be normally served by
6935 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006936 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006937 requests are still analysed, making this solution completely usable to direct
6938 users to a remote location in case of local disaster. Main use consists in
6939 increasing bandwidth for static servers by having the clients directly
6940 connect to them. Note: never use a relative location here, it would cause a
6941 loop between the client and HAProxy!
6942
6943 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
6944
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006945 Supported in default-server: No
6946
6947rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006948 The "rise" parameter states that a server will be considered as operational
6949 after <count> consecutive successful health checks. This value defaults to 2
6950 if unspecified. See also the "check", "inter" and "fall" parameters.
6951
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006952 Supported in default-server: Yes
6953
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01006954send-proxy
6955 The "send-proxy" parameter enforces use of the PROXY protocol over any
6956 connection established to this server. The PROXY protocol informs the other
6957 end about the layer 3/4 addresses of the incoming connection, so that it can
6958 know the client's address or the public address it accessed to, whatever the
6959 upper layer protocol. For connections accepted by an "accept-proxy" listener,
6960 the advertised address will be used. Only TCPv4 and TCPv6 address families
6961 are supported. Other families such as Unix sockets, will report an UNKNOWN
6962 family. Servers using this option can fully be chained to another instance of
6963 haproxy listening with an "accept-proxy" setting. This setting must not be
6964 used if the server isn't aware of the protocol. See also the "accept-proxy"
6965 option of the "bind" keyword.
6966
6967 Supported in default-server: No
6968
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006969slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006970 The "slowstart" parameter for a server accepts a value in milliseconds which
6971 indicates after how long a server which has just come back up will run at
6972 full speed. Just as with every other time-based parameter, it can be entered
6973 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
6974 linearly from 0 to 100% during this time. The limitation applies to two
6975 parameters :
6976
6977 - maxconn: the number of connections accepted by the server will grow from 1
6978 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
6979
6980 - weight: when the backend uses a dynamic weighted algorithm, the weight
6981 grows linearly from 1 to 100%. In this case, the weight is updated at every
6982 health-check. For this reason, it is important that the "inter" parameter
6983 is smaller than the "slowstart", in order to maximize the number of steps.
6984
6985 The slowstart never applies when haproxy starts, otherwise it would cause
6986 trouble to running servers. It only applies when a server has been previously
6987 seen as failed.
6988
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006989 Supported in default-server: Yes
6990
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006991source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006992source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006993source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006994 The "source" parameter sets the source address which will be used when
6995 connecting to the server. It follows the exact same parameters and principle
6996 as the backend "source" keyword, except that it only applies to the server
6997 referencing it. Please consult the "source" keyword for details.
6998
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006999 Additionally, the "source" statement on a server line allows one to specify a
7000 source port range by indicating the lower and higher bounds delimited by a
7001 dash ('-'). Some operating systems might require a valid IP address when a
7002 source port range is specified. It is permitted to have the same IP/range for
7003 several servers. Doing so makes it possible to bypass the maximum of 64k
7004 total concurrent connections. The limit will then reach 64k connections per
7005 server.
7006
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007007 Supported in default-server: No
7008
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007009track [<proxy>/]<server>
7010 This option enables ability to set the current state of the server by
7011 tracking another one. Only a server with checks enabled can be tracked
7012 so it is not possible for example to track a server that tracks another
7013 one. If <proxy> is omitted the current one is used. If disable-on-404 is
7014 used, it has to be enabled on both proxies.
7015
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007016 Supported in default-server: No
7017
7018weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007019 The "weight" parameter is used to adjust the server's weight relative to
7020 other servers. All servers will receive a load proportional to their weight
7021 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02007022 load. The default weight is 1, and the maximal value is 256. A value of 0
7023 means the server will not participate in load-balancing but will still accept
7024 persistent connections. If this parameter is used to distribute the load
7025 according to server's capacity, it is recommended to start with values which
7026 can both grow and shrink, for instance between 10 and 100 to leave enough
7027 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007028
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007029 Supported in default-server: Yes
7030
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007031
70326. HTTP header manipulation
7033---------------------------
7034
7035In HTTP mode, it is possible to rewrite, add or delete some of the request and
7036response headers based on regular expressions. It is also possible to block a
7037request or a response if a particular header matches a regular expression,
7038which is enough to stop most elementary protocol attacks, and to protect
7039against information leak from the internal network. But there is a limitation
7040to this : since HAProxy's HTTP engine does not support keep-alive, only headers
7041passed during the first request of a TCP session will be seen. All subsequent
7042headers will be considered data only and not analyzed. Furthermore, HAProxy
7043never touches data contents, it stops analysis at the end of headers.
7044
Willy Tarreau816b9792009-09-15 21:25:21 +02007045There is an exception though. If HAProxy encounters an "Informational Response"
7046(status code 1xx), it is able to process all rsp* rules which can allow, deny,
7047rewrite or delete a header, but it will refuse to add a header to any such
7048messages as this is not HTTP-compliant. The reason for still processing headers
7049in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007050happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02007051add a header, or if a server name appears there. When such messages are seen,
7052normal processing still occurs on the next non-informational messages.
7053
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007054This section covers common usage of the following keywords, described in detail
7055in section 4.2 :
7056
7057 - reqadd <string>
7058 - reqallow <search>
7059 - reqiallow <search>
7060 - reqdel <search>
7061 - reqidel <search>
7062 - reqdeny <search>
7063 - reqideny <search>
7064 - reqpass <search>
7065 - reqipass <search>
7066 - reqrep <search> <replace>
7067 - reqirep <search> <replace>
7068 - reqtarpit <search>
7069 - reqitarpit <search>
7070 - rspadd <string>
7071 - rspdel <search>
7072 - rspidel <search>
7073 - rspdeny <search>
7074 - rspideny <search>
7075 - rsprep <search> <replace>
7076 - rspirep <search> <replace>
7077
7078With all these keywords, the same conventions are used. The <search> parameter
7079is a POSIX extended regular expression (regex) which supports grouping through
7080parenthesis (without the backslash). Spaces and other delimiters must be
7081prefixed with a backslash ('\') to avoid confusion with a field delimiter.
7082Other characters may be prefixed with a backslash to change their meaning :
7083
7084 \t for a tab
7085 \r for a carriage return (CR)
7086 \n for a new line (LF)
7087 \ to mark a space and differentiate it from a delimiter
7088 \# to mark a sharp and differentiate it from a comment
7089 \\ to use a backslash in a regex
7090 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
7091 \xXX to write the ASCII hex code XX as in the C language
7092
7093The <replace> parameter contains the string to be used to replace the largest
7094portion of text matching the regex. It can make use of the special characters
7095above, and can reference a substring which is delimited by parenthesis in the
7096regex, by writing a backslash ('\') immediately followed by one digit from 0 to
70979 indicating the group position (0 designating the entire line). This practice
7098is very common to users of the "sed" program.
7099
7100The <string> parameter represents the string which will systematically be added
7101after the last header line. It can also use special character sequences above.
7102
7103Notes related to these keywords :
7104---------------------------------
7105 - these keywords are not always convenient to allow/deny based on header
7106 contents. It is strongly recommended to use ACLs with the "block" keyword
7107 instead, resulting in far more flexible and manageable rules.
7108
7109 - lines are always considered as a whole. It is not possible to reference
7110 a header name only or a value only. This is important because of the way
7111 headers are written (notably the number of spaces after the colon).
7112
7113 - the first line is always considered as a header, which makes it possible to
7114 rewrite or filter HTTP requests URIs or response codes, but in turn makes
7115 it harder to distinguish between headers and request line. The regex prefix
7116 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
7117 ^[^ \t:]*: matches any header name followed by a colon.
7118
7119 - for performances reasons, the number of characters added to a request or to
7120 a response is limited at build time to values between 1 and 4 kB. This
7121 should normally be far more than enough for most usages. If it is too short
7122 on occasional usages, it is possible to gain some space by removing some
7123 useless headers before adding new ones.
7124
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007125 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007126 without the 'i' letter except that they ignore case when matching patterns.
7127
7128 - when a request passes through a frontend then a backend, all req* rules
7129 from the frontend will be evaluated, then all req* rules from the backend
7130 will be evaluated. The reverse path is applied to responses.
7131
7132 - req* statements are applied after "block" statements, so that "block" is
7133 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01007134 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007135
7136
Willy Tarreaub937b7e2010-01-12 15:27:54 +010071377. Using ACLs and pattern extraction
7138------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007139
7140The use of Access Control Lists (ACL) provides a flexible solution to perform
7141content switching and generally to take decisions based on content extracted
7142from the request, the response or any environmental status. The principle is
7143simple :
7144
7145 - define test criteria with sets of values
7146 - perform actions only if a set of tests is valid
7147
7148The actions generally consist in blocking the request, or selecting a backend.
7149
7150In order to define a test, the "acl" keyword is used. The syntax is :
7151
7152 acl <aclname> <criterion> [flags] [operator] <value> ...
7153
7154This creates a new ACL <aclname> or completes an existing one with new tests.
7155Those tests apply to the portion of request/response specified in <criterion>
7156and may be adjusted with optional flags [flags]. Some criteria also support
7157an operator which may be specified before the set of values. The values are
7158of the type supported by the criterion, and are separated by spaces.
7159
7160ACL names must be formed from upper and lower case letters, digits, '-' (dash),
7161'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
7162which means that "my_acl" and "My_Acl" are two different ACLs.
7163
7164There is no enforced limit to the number of ACLs. The unused ones do not affect
7165performance, they just consume a small amount of memory.
7166
7167The following ACL flags are currently supported :
7168
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007169 -i : ignore case during matching of all subsequent patterns.
7170 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007171 -- : force end of flags. Useful when a string looks like one of the flags.
7172
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007173The "-f" flag is special as it loads all of the lines it finds in the file
7174specified in argument and loads all of them before continuing. It is even
7175possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02007176multiple files. Empty lines as well as lines beginning with a sharp ('#') will
7177be ignored. All leading spaces and tabs will be stripped. If it is absolutely
7178needed to insert a valid pattern beginning with a sharp, just prefix it with a
7179space so that it is not taken for a comment. Depending on the data type and
7180match method, haproxy may load the lines into a binary tree, allowing very fast
7181lookups. This is true for IPv4 and exact string matching. In this case,
7182duplicates will automatically be removed. Also, note that the "-i" flag applies
7183to subsequent entries and not to entries loaded from files preceeding it. For
7184instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007185
7186 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
7187
7188In this example, each line of "exact-ua.lst" will be exactly matched against
7189the "user-agent" header of the request. Then each line of "generic-ua" will be
7190case-insensitively matched. Then the word "test" will be insensitively matched
7191too.
7192
7193Note that right now it is difficult for the ACL parsers to report errors, so if
7194a file is unreadable or unparsable, the most you'll get is a parse error in the
7195ACL. Thus, file-based ACLs should only be produced by reliable processes.
7196
Willy Tarreau6a06a402007-07-15 20:15:28 +02007197Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01007198
Willy Tarreau6a06a402007-07-15 20:15:28 +02007199 - integers or integer ranges
7200 - strings
7201 - regular expressions
7202 - IP addresses and networks
7203
7204
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072057.1. Matching integers
7206----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007207
7208Matching integers is special in that ranges and operators are permitted. Note
7209that integer matching only applies to positive values. A range is a value
7210expressed with a lower and an upper bound separated with a colon, both of which
7211may be omitted.
7212
7213For instance, "1024:65535" is a valid range to represent a range of
7214unprivileged ports, and "1024:" would also work. "0:1023" is a valid
7215representation of privileged ports, and ":1023" would also work.
7216
Willy Tarreau62644772008-07-16 18:36:06 +02007217As a special case, some ACL functions support decimal numbers which are in fact
7218two integers separated by a dot. This is used with some version checks for
7219instance. All integer properties apply to those decimal numbers, including
7220ranges and operators.
7221
Willy Tarreau6a06a402007-07-15 20:15:28 +02007222For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01007223operators with ranges does not make much sense and is strongly discouraged.
7224Similarly, it does not make much sense to perform order comparisons with a set
7225of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007226
Willy Tarreau0ba27502007-12-24 16:55:16 +01007227Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007228
7229 eq : true if the tested value equals at least one value
7230 ge : true if the tested value is greater than or equal to at least one value
7231 gt : true if the tested value is greater than at least one value
7232 le : true if the tested value is less than or equal to at least one value
7233 lt : true if the tested value is less than at least one value
7234
Willy Tarreau0ba27502007-12-24 16:55:16 +01007235For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007236
7237 acl negative-length hdr_val(content-length) lt 0
7238
Willy Tarreau62644772008-07-16 18:36:06 +02007239This one matches SSL versions between 3.0 and 3.1 (inclusive) :
7240
7241 acl sslv3 req_ssl_ver 3:3.1
7242
Willy Tarreau6a06a402007-07-15 20:15:28 +02007243
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072447.2. Matching strings
7245---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007246
7247String matching applies to verbatim strings as they are passed, with the
7248exception of the backslash ("\") which makes it possible to escape some
7249characters such as the space. If the "-i" flag is passed before the first
7250string, then the matching will be performed ignoring the case. In order
7251to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01007252before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007253
7254
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072557.3. Matching regular expressions (regexes)
7256-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007257
7258Just like with string matching, regex matching applies to verbatim strings as
7259they are passed, with the exception of the backslash ("\") which makes it
7260possible to escape some characters such as the space. If the "-i" flag is
7261passed before the first regex, then the matching will be performed ignoring
7262the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01007263the "--" flag before the first string. Same principle applies of course to
7264match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007265
7266
Willy Tarreauceb4ac92012-04-28 00:41:46 +020072677.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007268----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007269
7270IPv4 addresses values can be specified either as plain addresses or with a
7271netmask appended, in which case the IPv4 address matches whenever it is
7272within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007273host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01007274difficult to read and debug configurations. If hostnames are used, you should
7275at least ensure that they are present in /etc/hosts so that the configuration
7276does not depend on any random DNS match at the moment the configuration is
7277parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007278
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007279IPv6 may be entered in their usual form, with or without a netmask appended.
7280Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
7281trouble with randomly resolved IP addresses, host names are never allowed in
7282IPv6 patterns.
7283
7284HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
7285following situations :
7286 - tested address is IPv4, pattern address is IPv4, the match applies
7287 in IPv4 using the supplied mask if any.
7288 - tested address is IPv6, pattern address is IPv6, the match applies
7289 in IPv6 using the supplied mask if any.
7290 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
7291 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
7292 ::IPV4 or ::ffff:IPV4, otherwise it fails.
7293 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
7294 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
7295 applied in IPv6 using the supplied IPv6 mask.
7296
Willy Tarreau6a06a402007-07-15 20:15:28 +02007297
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072987.5. Available matching criteria
7299--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007300
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073017.5.1. Matching at Layer 4 and below
7302------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01007303
7304A first set of criteria applies to information which does not require any
7305analysis of the request or response contents. Those generally include TCP/IP
7306addresses and ports, as well as internal values independant on the stream.
7307
Willy Tarreau6a06a402007-07-15 20:15:28 +02007308always_false
7309 This one never matches. All values and flags are ignored. It may be used as
7310 a temporary replacement for another one when adjusting configurations.
7311
7312always_true
7313 This one always matches. All values and flags are ignored. It may be used as
7314 a temporary replacement for another one when adjusting configurations.
7315
Willy Tarreaud63335a2010-02-26 12:56:52 +01007316avg_queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007317avg_queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007318 Returns the total number of queued connections of the designated backend
7319 divided by the number of active servers. This is very similar to "queue"
7320 except that the size of the farm is considered, in order to give a more
7321 accurate measurement of the time it may take for a new connection to be
7322 processed. The main usage is to return a sorry page to new users when it
7323 becomes certain they will get a degraded service. Note that in the event
7324 there would not be any active server anymore, we would consider twice the
7325 number of queued connections as the measured value. This is a fair estimate,
7326 as we expect one server to get back soon anyway, but we still prefer to send
7327 new traffic to another backend if in better shape. See also the "queue",
7328 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01007329
Willy Tarreaua36af912009-10-10 12:02:45 +02007330be_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007331be_conn(<backend>) <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02007332 Applies to the number of currently established connections on the backend,
7333 possibly including the connection being evaluated. If no backend name is
7334 specified, the current one is used. But it is also possible to check another
7335 backend. It can be used to use a specific farm when the nominal one is full.
7336 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007337
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01007338be_id <integer>
7339 Applies to the backend's id. Can be used in frontends to check from which
7340 backend it was called.
7341
Willy Tarreaud63335a2010-02-26 12:56:52 +01007342be_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007343be_sess_rate(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007344 Returns true when the sessions creation rate on the backend matches the
7345 specified values or ranges, in number of new sessions per second. This is
7346 used to switch to an alternate backend when an expensive or fragile one
7347 reaches too high a session rate, or to limit abuse of service (eg. prevent
7348 sucking of an online dictionary).
7349
7350 Example :
7351 # Redirect to an error page if the dictionary is requested too often
7352 backend dynamic
7353 mode http
7354 acl being_scanned be_sess_rate gt 100
7355 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01007356
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007357connslots <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007358connslots(<backend>) <integer>
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007359 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02007360 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007361 usage; see "use_backend" keyword) can be redirected to a different backend.
7362
Willy Tarreau55165fe2009-05-10 12:02:55 +02007363 'connslots' = number of available server connection slots, + number of
7364 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007365
Willy Tarreaua36af912009-10-10 12:02:45 +02007366 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02007367 useful when you have a case of traffic going to one single ip, splitting into
7368 multiple backends (perhaps using acls to do name-based load balancing) and
7369 you want to be able to differentiate between different backends, and their
7370 available "connslots". Also, whereas "nbsrv" only measures servers that are
7371 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02007372 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007373
Willy Tarreau55165fe2009-05-10 12:02:55 +02007374 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
7375 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
7376 then this acl clearly does not make sense, in which case the value returned
7377 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007378
Willy Tarreaud63335a2010-02-26 12:56:52 +01007379dst <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007380 Applies to the local IPv4 or IPv6 address the client connected to. It can be
7381 used to switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02007382
Willy Tarreaud63335a2010-02-26 12:56:52 +01007383dst_conn <integer>
7384 Applies to the number of currently established connections on the same socket
7385 including the one being evaluated. It can be used to either return a sorry
7386 page before hard-blocking, or to use a specific backend to drain new requests
7387 when the socket is considered saturated. This offers the ability to assign
7388 different limits to different listening ports or addresses. See also the
7389 "fe_conn" and "be_conn" criteria.
7390
7391dst_port <integer>
7392 Applies to the local port the client connected to. It can be used to switch
7393 to a different backend for some alternative ports.
7394
7395fe_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007396fe_conn(<frontend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007397 Applies to the number of currently established connections on the frontend,
7398 possibly including the connection being evaluated. If no frontend name is
7399 specified, the current one is used. But it is also possible to check another
7400 frontend. It can be used to either return a sorry page before hard-blocking,
7401 or to use a specific backend to drain new requests when the farm is
7402 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
7403 criteria.
7404
7405fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01007406 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01007407 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02007408
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007409fe_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007410fe_sess_rate(<frontend>) <integer>
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007411 Returns true when the session creation rate on the current or the named
7412 frontend matches the specified values or ranges, expressed in new sessions
7413 per second. This is used to limit the connection rate to acceptable ranges in
7414 order to prevent abuse of service at the earliest moment. This can be
7415 combined with layer 4 ACLs in order to force the clients to wait a bit for
7416 the rate to go down below the limit.
7417
7418 Example :
7419 # This frontend limits incoming mails to 10/s with a max of 100
7420 # concurrent connections. We accept any connection below 10/s, and
7421 # force excess clients to wait for 100 ms. Since clients are limited to
7422 # 100 max, there cannot be more than 10 incoming mails per second.
7423 frontend mail
7424 bind :25
7425 mode tcp
7426 maxconn 100
7427 acl too_fast fe_sess_rate ge 10
7428 tcp-request inspect-delay 100ms
7429 tcp-request content accept if ! too_fast
7430 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01007431
Willy Tarreaud63335a2010-02-26 12:56:52 +01007432nbsrv <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007433nbsrv(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007434 Returns true when the number of usable servers of either the current backend
7435 or the named backend matches the values or ranges specified. This is used to
7436 switch to an alternate backend when the number of servers is too low to
7437 to handle some load. It is useful to report a failure when combined with
7438 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007439
Willy Tarreaud63335a2010-02-26 12:56:52 +01007440queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007441queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007442 Returns the total number of queued connections of the designated backend,
7443 including all the connections in server queues. If no backend name is
7444 specified, the current one is used, but it is also possible to check another
7445 one. This can be used to take actions when queuing goes above a known level,
7446 generally indicating a surge of traffic or a massive slowdown on the servers.
7447 One possible action could be to reject new users but still accept old ones.
7448 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
7449
Willy Tarreaue9656522010-08-17 15:40:09 +02007450sc1_bytes_in_rate
7451sc2_bytes_in_rate
7452 Returns the average client-to-server bytes rate from the currently tracked
7453 counters, measured in amount of bytes over the period configured in the
7454 table. See also src_bytes_in_rate.
7455
7456sc1_bytes_out_rate
7457sc2_bytes_out_rate
7458 Returns the average server-to-client bytes rate from the currently tracked
7459 counters, measured in amount of bytes over the period configured in the
7460 table. See also src_bytes_out_rate.
7461
Willy Tarreauf73cd112011-08-13 01:45:16 +02007462sc1_clr_gpc0
7463sc2_clr_gpc0
7464 Clears the first General Purpose Counter associated to the currently tracked
7465 counters, and returns its previous value. Before the first invocation, the
7466 stored value is zero, so first invocation will always return zero. The test
7467 can also be used alone and always returns true. This is typically used as a
7468 second ACL in an expression in order to mark a connection when a first ACL
7469 was verified :
7470
7471 # block if 5 consecutive requests continue to come faster than 10 sess
7472 # per second, and reset the counter as soon as the traffic slows down.
7473 acl abuse sc1_http_req_rate gt 10
7474 acl kill sc1_inc_gpc0 gt 5
7475 acl save sc1_clr_gpc0
7476 tcp-request connection accept if !abuse save
7477 tcp-request connection reject if abuse kill
7478
Willy Tarreaue9656522010-08-17 15:40:09 +02007479sc1_conn_cnt
7480sc2_conn_cnt
7481 Returns the cumulated number of incoming connections from currently tracked
7482 counters. See also src_conn_cnt.
7483
7484sc1_conn_cur
7485sc2_conn_cur
7486 Returns the current amount of concurrent connections tracking the same
7487 tracked counters. This number is automatically incremented when tracking
7488 begins and decremented when tracking stops. See also src_conn_cur.
7489
7490sc1_conn_rate
7491sc2_conn_rate
7492 Returns the average connection rate from the currently tracked counters,
7493 measured in amount of connections over the period configured in the table.
7494 See also src_conn_rate.
7495
7496sc1_get_gpc0
7497sc2_get_gpc0
7498 Returns the value of the first General Purpose Counter associated to the
7499 currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
7500
7501sc1_http_err_cnt
7502sc2_http_err_cnt
7503 Returns the cumulated number of HTTP errors from the currently tracked
7504 counters. This includes the both request errors and 4xx error responses.
7505 See also src_http_err_cnt.
7506
7507sc1_http_err_rate
7508sc2_http_err_rate
7509 Returns the average rate of HTTP errors from the currently tracked counters,
7510 measured in amount of errors over the period configured in the table. This
7511 includes the both request errors and 4xx error responses. See also
7512 src_http_err_rate.
7513
7514sc1_http_req_cnt
7515sc2_http_req_cnt
7516 Returns the cumulated number of HTTP requests from the currently tracked
7517 counters. This includes every started request, valid or not. See also
7518 src_http_req_cnt.
7519
7520sc1_http_req_rate
7521sc2_http_req_rate
7522 Returns the average rate of HTTP requests from the currently tracked
7523 counters, measured in amount of requests over the period configured in
7524 the table. This includes every started request, valid or not. See also
7525 src_http_req_rate.
7526
7527sc1_inc_gpc0
7528sc2_inc_gpc0
7529 Increments the first General Purpose Counter associated to the currently
7530 tracked counters, and returns its value. Before the first invocation, the
7531 stored value is zero, so first invocation will increase it to 1 and will
7532 return 1. The test can also be used alone and always returns true. This is
7533 typically used as a second ACL in an expression in order to mark a connection
7534 when a first ACL was verified :
7535
7536 acl abuse sc1_http_req_rate gt 10
7537 acl kill sc1_inc_gpc0
7538 tcp-request connection reject if abuse kill
7539
7540sc1_kbytes_in
7541sc2_kbytes_in
7542 Returns the amount of client-to-server data from the currently tracked
7543 counters, measured in kilobytes over the period configured in the table. The
7544 test is currently performed on 32-bit integers, which limits values to 4
7545 terabytes. See also src_kbytes_in.
7546
7547sc1_kbytes_out
7548sc2_kbytes_out
7549 Returns the amount of server-to-client data from the currently tracked
7550 counters, measured in kilobytes over the period configured in the table. The
7551 test is currently performed on 32-bit integers, which limits values to 4
7552 terabytes. See also src_kbytes_out.
7553
7554sc1_sess_cnt
7555sc2_sess_cnt
7556 Returns the cumulated number of incoming connections that were transformed
7557 into sessions, which means that they were accepted by a "tcp-request
7558 connection" rule, from the currently tracked counters. A backend may count
7559 more sessions than connections because each connection could result in many
7560 backend sessions if some HTTP keep-alive is performend over the connection
7561 with the client. See also src_sess_cnt.
7562
7563sc1_sess_rate
7564sc2_sess_rate
7565 Returns the average session rate from the currently tracked counters,
7566 measured in amount of sessions over the period configured in the table. A
7567 session is a connection that got past the early "tcp-request connection"
7568 rules. A backend may count more sessions than connections because each
7569 connection could result in many backend sessions if some HTTP keep-alive is
7570 performend over the connection with the client. See also src_sess_rate.
7571
Willy Tarreaud63335a2010-02-26 12:56:52 +01007572so_id <integer>
7573 Applies to the socket's id. Useful in frontends with many bind keywords.
7574
7575src <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007576 Applies to the client's IPv4 or IPv6 address. It is usually used to limit
7577 access to certain resources such as statistics. Note that it is the TCP-level
7578 source address which is used, and not the address of a client behind a proxy.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007579
Willy Tarreauc9705a12010-07-27 20:05:50 +02007580src_bytes_in_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007581src_bytes_in_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007582 Returns the average bytes rate from the connection's source IPv4 address in
7583 the current proxy's stick-table or in the designated stick-table, measured in
7584 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007585 not found, zero is returned. See also sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007586
7587src_bytes_out_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007588src_bytes_out_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007589 Returns the average bytes rate to the connection's source IPv4 address in the
7590 current proxy's stick-table or in the designated stick-table, measured in
7591 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007592 not found, zero is returned. See also sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007593
Willy Tarreauf73cd112011-08-13 01:45:16 +02007594src_clr_gpc0 <integer>
7595src_clr_gpc0(<table>) <integer>
7596 Clears the first General Purpose Counter associated to the connection's
7597 source IPv4 address in the current proxy's stick-table or in the designated
7598 stick-table, and returns its previous value. If the address is not found, an
7599 entry is created and 0 is returned. The test can also be used alone and
7600 always returns true. This is typically used as a second ACL in an expression
7601 in order to mark a connection when a first ACL was verified :
7602
7603 # block if 5 consecutive requests continue to come faster than 10 sess
7604 # per second, and reset the counter as soon as the traffic slows down.
7605 acl abuse src_http_req_rate gt 10
7606 acl kill src_inc_gpc0 gt 5
7607 acl save src_clr_gpc0
7608 tcp-request connection accept if !abuse save
7609 tcp-request connection reject if abuse kill
7610
Willy Tarreauc9705a12010-07-27 20:05:50 +02007611src_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007612src_conn_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007613 Returns the cumulated number of connections initiated from the current
7614 connection's source IPv4 address in the current proxy's stick-table or in
7615 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02007616 See also sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007617
7618src_conn_cur <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007619src_conn_cur(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007620 Returns the current amount of concurrent connections initiated from the
7621 current connection's source IPv4 address in the current proxy's stick-table
7622 or in the designated stick-table. If the address is not found, zero is
Willy Tarreaue9656522010-08-17 15:40:09 +02007623 returned. See also sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007624
7625src_conn_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007626src_conn_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007627 Returns the average connection rate from the connection's source IPv4 address
7628 in the current proxy's stick-table or in the designated stick-table, measured
7629 in amount of connections over the period configured in the table. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02007630 address is not found, zero is returned. See also sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007631
7632src_get_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007633src_get_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007634 Returns the value of the first General Purpose Counter associated to the
7635 connection's source IPv4 address in the current proxy's stick-table or in
7636 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02007637 See also sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007638
7639src_http_err_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007640src_http_err_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007641 Returns the cumulated number of HTTP errors from the current connection's
7642 source IPv4 address in the current proxy's stick-table or in the designated
7643 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreaue9656522010-08-17 15:40:09 +02007644 If the address is not found, zero is returned. See also sc1/sc2_http_err_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007645
7646src_http_err_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007647src_http_err_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007648 Returns the average rate of HTTP errors from the current connection's source
7649 IPv4 address in the current proxy's stick-table or in the designated stick-
7650 table, measured in amount of errors over the period configured in the table.
7651 This includes the both request errors and 4xx error responses. If the address
Willy Tarreaue9656522010-08-17 15:40:09 +02007652 is not found, zero is returned. See also sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007653
7654src_http_req_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007655src_http_req_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007656 Returns the cumulated number of HTTP requests from the current connection's
7657 source IPv4 address in the current proxy's stick-table or in the designated
7658 stick-table. This includes every started request, valid or not. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02007659 address is not found, zero is returned. See also sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007660
7661src_http_req_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007662src_http_req_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007663 Returns the average rate of HTTP requests from the current connection's
7664 source IPv4 address in the current proxy's stick-table or in the designated
7665 stick-table, measured in amount of requests over the period configured in the
7666 table. This includes every started request, valid or not. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02007667 not found, zero is returned. See also sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007668
7669src_inc_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007670src_inc_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007671 Increments the first General Purpose Counter associated to the connection's
7672 source IPv4 address in the current proxy's stick-table or in the designated
7673 stick-table, and returns its value. If the address is not found, an entry is
7674 created and 1 is returned. The test can also be used alone and always returns
7675 true. This is typically used as a second ACL in an expression in order to
7676 mark a connection when a first ACL was verified :
7677
7678 acl abuse src_http_req_rate gt 10
7679 acl kill src_inc_gpc0
Willy Tarreaue9656522010-08-17 15:40:09 +02007680 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +02007681
7682src_kbytes_in <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007683src_kbytes_in(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007684 Returns the amount of data received from the connection's source IPv4 address
7685 in the current proxy's stick-table or in the designated stick-table, measured
7686 in kilobytes over the period configured in the table. If the address is not
7687 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02007688 which limits values to 4 terabytes. See also sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007689
7690src_kbytes_out <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007691src_kbytes_out(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007692 Returns the amount of data sent to the connection's source IPv4 address in
7693 the current proxy's stick-table or in the designated stick-table, measured
7694 in kilobytes over the period configured in the table. If the address is not
7695 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02007696 which limits values to 4 terabytes. See also sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007697
Willy Tarreaud63335a2010-02-26 12:56:52 +01007698src_port <integer>
7699 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007700
Willy Tarreauc9705a12010-07-27 20:05:50 +02007701src_sess_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007702src_sess_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007703 Returns the cumulated number of connections initiated from the current
7704 connection's source IPv4 address in the current proxy's stick-table or in the
7705 designated stick-table, that were transformed into sessions, which means that
7706 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreaue9656522010-08-17 15:40:09 +02007707 is returned. See also sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007708
7709src_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007710src_sess_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02007711 Returns the average session rate from the connection's source IPv4 address in
7712 the current proxy's stick-table or in the designated stick-table, measured in
7713 amount of sessions over the period configured in the table. A session is a
7714 connection that got past the early "tcp-request" rules. If the address is not
Willy Tarreaue9656522010-08-17 15:40:09 +02007715 found, zero is returned. See also sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007716
7717src_updt_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007718src_updt_conn_cnt(<table>) <integer>
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007719 Creates or updates the entry associated to the source IPv4 address in the
Willy Tarreauc9705a12010-07-27 20:05:50 +02007720 current proxy's stick-table or in the designated stick-table. This table
7721 must be configured to store the "conn_cnt" data type, otherwise the match
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007722 will be ignored. The current count is incremented by one, and the expiration
7723 timer refreshed. The updated count is returned, so this match can't return
7724 zero. This is used to reject service abusers based on their source address.
Willy Tarreauc9705a12010-07-27 20:05:50 +02007725 Note: it is recommended to use the more complete "track-counters" instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007726
7727 Example :
7728 # This frontend limits incoming SSH connections to 3 per 10 second for
7729 # each source address, and rejects excess connections until a 10 second
7730 # silence is observed. At most 20 addresses are tracked.
7731 listen ssh
7732 bind :22
7733 mode tcp
7734 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +02007735 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreaua975b8f2010-06-05 19:13:27 +02007736 tcp-request content reject if { src_update_count gt 3 }
7737 server local 127.0.0.1:22
7738
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007739srv_conn(<backend>/<server>) <integer>
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +02007740 Applies to the number of currently established connections on the server,
7741 possibly including the connection being evaluated.
7742 It can be used to use a specific farm when one server is full.
7743 See also the "fe_conn", "be_conn" and "queue" criteria.
7744
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01007745srv_id <integer>
7746 Applies to the server's id. Can be used in frontends or backends.
7747
Willy Tarreau0b1cd942010-05-16 22:18:27 +02007748srv_is_up(<server>)
7749srv_is_up(<backend>/<server>)
7750 Returns true when the designated server is UP, and false when it is either
7751 DOWN or in maintenance mode. If <backend> is omitted, then the server is
7752 looked up in the current backend. The function takes no arguments since it
7753 is used as a boolean. It is mainly used to take action based on an external
7754 status reported via a health check (eg: a geographical site's availability).
7755 Another possible use which is more of a hack consists in using dummy servers
7756 as boolean variables that can be enabled or disabled from the CLI, so that
7757 rules depending on those ACLs can be tweaked in realtime.
7758
Willy Tarreauc735a072011-03-29 00:57:02 +02007759table_avl <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007760table_avl(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02007761 Returns the total number of available entries in the current proxy's
7762 stick-table or in the designated stick-table. See also table_cnt.
7763
7764table_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007765table_cnt(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02007766 Returns the total number of entries currently in use in the current proxy's
7767 stick-table or in the designated stick-table. See also src_conn_cnt and
7768 table_avl for other entry counting methods.
7769
Willy Tarreau0ba27502007-12-24 16:55:16 +01007770
Willy Tarreaue9656522010-08-17 15:40:09 +020077717.5.2. Matching contents at Layer 4 (also called Layer 6)
7772---------------------------------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02007773
7774A second set of criteria depends on data found in buffers, but which can change
7775during analysis. This requires that some data has been buffered, for instance
Willy Tarreaue9656522010-08-17 15:40:09 +02007776through TCP request content inspection. Please see the "tcp-request content"
7777keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +02007778
Willy Tarreaub6672b52011-12-12 17:23:41 +01007779rep_ssl_hello_type <integer>
7780 Returns true when data in the response buffer looks like a complete SSL (v3
7781 or superior) hello message and handshake type is equal to <integer>.
7782 This test was designed to be used with TCP response content inspection: a
7783 SSL session ID may be fetched.
7784
Willy Tarreau62644772008-07-16 18:36:06 +02007785req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02007786 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02007787 specified range. It is important to understand that this test does not
7788 return false as long as the buffer is changing. This means that a check with
7789 equality to zero will almost always immediately match at the beginning of the
7790 session, while a test for more data will wait for that data to come in and
7791 return false only when haproxy is certain that no more data will come in.
7792 This test was designed to be used with TCP request content inspection.
7793
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007794req_proto_http
7795 Returns true when data in the request buffer look like HTTP and correctly
7796 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007797 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007798 to direct HTTP traffic to a given port and HTTPS traffic to another one
7799 using TCP request content inspection rules.
7800
Emeric Brunbede3d02009-06-30 17:54:00 +02007801req_rdp_cookie <string>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007802req_rdp_cookie(<name>) <string>
Emeric Brunbede3d02009-06-30 17:54:00 +02007803 Returns true when data in the request buffer look like the RDP protocol, and
7804 a cookie is present and equal to <string>. By default, any cookie name is
7805 checked, but a specific cookie name can be specified in parenthesis. The
7806 parser only checks for the first cookie, as illustrated in the RDP protocol
7807 specification. The cookie name is case insensitive. This ACL can be useful
7808 with the "MSTS" cookie, as it can contain the user name of the client
7809 connecting to the server if properly configured on the client. This can be
7810 used to restrict access to certain servers to certain users.
7811
7812req_rdp_cookie_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007813req_rdp_cookie_cnt(<name>) <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02007814 Returns true when the data in the request buffer look like the RDP protocol
7815 and the number of RDP cookies matches the specified range (typically zero or
7816 one). Optionally a specific cookie name can be checked. This is a simple way
7817 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
7818 cookies.
7819
Willy Tarreaub6672b52011-12-12 17:23:41 +01007820req_ssl_hello_type <integer>
7821 Returns true when data in the request buffer looks like a complete SSL (v3
7822 or superior) hello message and handshake type is equal to <integer>.
7823 This test was designed to be used with TCP request content inspection: an
7824 SSL session ID may be fetched.
7825
7826req_ssl_sni <string>
7827 Returns true when data in the request buffer looks like a complete SSL (v3
7828 or superior) client hello message with a Server Name Indication TLS extension
7829 (SNI) matching <string>. SNI normally contains the name of the host the
7830 client tries to connect to (for recent browsers). SNI is useful for allowing
7831 or denying access to certain hosts when SSL/TLS is used by the client. This
7832 test was designed to be used with TCP request content inspection. If content
7833 switching is needed, it is recommended to first wait for a complete client
7834 hello (type 1), like in the example below.
7835
7836 Examples :
7837 # Wait for a client hello for at most 5 seconds
7838 tcp-request inspect-delay 5s
7839 tcp-request content accept if { req_ssl_hello_type 1 }
7840 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
7841 default_backend bk_sorry_page
7842
Willy Tarreau62644772008-07-16 18:36:06 +02007843req_ssl_ver <decimal>
7844 Returns true when data in the request buffer look like SSL, with a protocol
7845 version matching the specified range. Both SSLv2 hello messages and SSLv3
7846 messages are supported. The test tries to be strict enough to avoid being
7847 easily fooled. In particular, it waits for as many bytes as announced in the
7848 message header if this header looks valid (bound to the buffer size). Note
7849 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
7850 with TCP request content inspection.
7851
Willy Tarreaub6fb4202008-07-20 11:18:28 +02007852wait_end
7853 Waits for the end of the analysis period to return true. This may be used in
7854 conjunction with content analysis to avoid returning a wrong verdict early.
7855 It may also be used to delay some actions, such as a delayed reject for some
7856 special addresses. Since it either stops the rules evaluation or immediately
7857 returns true, it is recommended to use this acl as the last one in a rule.
7858 Please note that the default ACL "WAIT_END" is always usable without prior
7859 declaration. This test was designed to be used with TCP request content
7860 inspection.
7861
7862 Examples :
7863 # delay every incoming request by 2 seconds
7864 tcp-request inspect-delay 2s
7865 tcp-request content accept if WAIT_END
7866
7867 # don't immediately tell bad guys they are rejected
7868 tcp-request inspect-delay 10s
7869 acl goodguys src 10.0.0.0/24
7870 acl badguys src 10.0.1.0/24
7871 tcp-request content accept if goodguys
7872 tcp-request content reject if badguys WAIT_END
7873 tcp-request content reject
7874
Willy Tarreau62644772008-07-16 18:36:06 +02007875
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078767.5.3. Matching at Layer 7
7877--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01007878
Willy Tarreau62644772008-07-16 18:36:06 +02007879A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01007880application layer (layer 7). Those require that a full HTTP request has been
7881read, and are only evaluated then. They may require slightly more CPU resources
7882than the layer 4 ones, but not much since the request and response are indexed.
7883
Willy Tarreau04aa6a92012-04-06 18:57:55 +02007884cook(<name>) <string>
7885 All "cook*" matching criteria inspect all "Cookie" headers to find a cookie
7886 with the name between parenthesis. If multiple occurrences of the cookie are
7887 found in the request, they will all be evaluated. Spaces around the name and
7888 the value are ignored as requested by the Cookie specification (RFC6265). The
7889 cookie name is case-sensitive. Use the scook() variant for response cookies
7890 sent by the server.
7891
7892 The "cook" criteria returns true if any of the request cookies <name> match
7893 any of the strings. This can be used to check exact for values. For instance,
7894 checking that the "profile" cookie is set to either "silver" or "gold" :
7895
7896 cook(profile) silver gold
7897
7898cook_beg(<name>) <string>
7899 Returns true if any of the request cookies <name> begins with one of the
7900 strings. See "cook" for more information on cookie matching. Use the
7901 scook_beg() variant for response cookies sent by the server.
7902
7903cook_cnt(<name>) <integer>
7904 Returns true when the number of occurrences of the specified cookie matches
7905 the values or ranges specified. This is used to detect presence, absence or
7906 abuse of a specific cookie. See "cook" for more information on header
7907 matching. Use the scook_cnt() variant for response cookies sent by the
7908 server.
7909
7910cook_dir(<name>) <string>
7911 Returns true if any of the request cookies <name> contains one of the strings
7912 either isolated or delimited by slashes. This is used to perform filename or
7913 directory name matching, though it generally is of limited use with cookies.
7914 See "cook" for more information on cookie matching. Use the scook_dir()
7915 variant for response cookies sent by the server.
7916
7917cook_dom(<name>) <string>
7918 Returns true if any of the request cookies <name> contains one of the strings
7919 either isolated or delimited by dots. This is used to perform domain name
7920 matching. See "cook" for more information on cookie matching. Use the
7921 scook_dom() variant for response cookies sent by the server.
7922
7923cook_end(<name>) <string>
7924 Returns true if any of the request cookies <name> ends with one of the
7925 strings. See "cook" for more information on cookie matching. Use the
7926 scook_end() variant for response cookies sent by the server.
7927
7928cook_len(<name>) <integer>
7929 Returns true if any of the request cookies <name> has a length which matches
7930 the values or ranges specified. This may be used to detect empty or too large
7931 cookie values. Note that an absent cookie does not match a zero-length test.
7932 See "cook" for more information on cookie matching. Use the scook_len()
7933 variant for response cookies sent by the server.
7934
7935cook_reg(<name>) <regex>
7936 Returns true if any of the request cookies <name> matches any of the regular
7937 expressions. It can be used at any time, but it is important to remember that
7938 regex matching is slower than other methods. See also other "cook_" criteria,
7939 as well as "cook" for more information on cookie matching. Use the
7940 scook_reg() variant for response cookies sent by the server.
7941
7942cook_sub(<name>) <string>
7943 Returns true if any of the request cookies <name> contains at least one of
7944 the strings. See "cook" for more information on cookie matching. Use the
7945 scook_sub() variant for response cookies sent by the server.
7946
Willy Tarreau51539362012-05-08 12:46:28 +02007947cook_val(<name>) <integer>
7948 Returns true if any of the request cookies <name> starts with a number which
7949 matches the values or ranges specified. This may be used to select a server
7950 based on application-specific cookies. Note that an absent cookie does not
7951 match any value. See "cook" for more information on cookie matching. Use the
7952 scook_val() variant for response cookies sent by the server.
7953
Willy Tarreaud63335a2010-02-26 12:56:52 +01007954hdr <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02007955hdr(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007956 Note: all the "hdr*" matching criteria either apply to all headers, or to a
7957 particular header whose name is passed between parenthesis and without any
7958 space. The header name is not case-sensitive. The header matching complies
7959 with RFC2616, and treats as separate headers all values delimited by commas.
Willy Tarreau185b5c42012-04-26 15:11:51 +02007960 If an occurrence number is specified as the optional second argument, only
7961 this occurrence will be considered. Positive values indicate a position from
7962 the first occurrence, 1 being the first one. Negative values indicate
7963 positions relative to the last one, -1 being the last one. Use the shdr()
7964 variant for response headers sent by the server.
Willy Tarreaud63335a2010-02-26 12:56:52 +01007965
7966 The "hdr" criteria returns true if any of the headers matching the criteria
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02007967 match any of the strings. This can be used to check for exact values. For
Willy Tarreaud63335a2010-02-26 12:56:52 +01007968 instance, checking that "connection: close" is set :
7969
7970 hdr(Connection) -i close
7971
7972hdr_beg <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02007973hdr_beg(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007974 Returns true when one of the headers begins with one of the strings. See
7975 "hdr" for more information on header matching. Use the shdr_beg() variant for
7976 response headers sent by the server.
7977
7978hdr_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007979hdr_cnt(<header>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007980 Returns true when the number of occurrence of the specified header matches
7981 the values or ranges specified. It is important to remember that one header
7982 line may count as several headers if it has several values. This is used to
7983 detect presence, absence or abuse of a specific header, as well as to block
7984 request smuggling attacks by rejecting requests which contain more than one
7985 of certain headers. See "hdr" for more information on header matching. Use
7986 the shdr_cnt() variant for response headers sent by the server.
7987
7988hdr_dir <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02007989hdr_dir(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007990 Returns true when one of the headers contains one of the strings either
7991 isolated or delimited by slashes. This is used to perform filename or
7992 directory name matching, and may be used with Referer. See "hdr" for more
7993 information on header matching. Use the shdr_dir() variant for response
7994 headers sent by the server.
7995
7996hdr_dom <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02007997hdr_dom(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007998 Returns true when one of the headers contains one of the strings either
7999 isolated or delimited by dots. This is used to perform domain name matching,
8000 and may be used with the Host header. See "hdr" for more information on
8001 header matching. Use the shdr_dom() variant for response headers sent by the
8002 server.
8003
8004hdr_end <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008005hdr_end(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008006 Returns true when one of the headers ends with one of the strings. See "hdr"
8007 for more information on header matching. Use the shdr_end() variant for
8008 response headers sent by the server.
8009
8010hdr_ip <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008011hdr_ip(<header>[,<occ>]) <address>
8012 Returns true when one of the headers' values contains an IPv4 or IPv6 address
8013 matching <address>. This is mainly used with headers such as X-Forwarded-For
8014 or X-Client-IP. See "hdr" for more information on header matching. Use the
Willy Tarreaud63335a2010-02-26 12:56:52 +01008015 shdr_ip() variant for response headers sent by the server.
8016
Willy Tarreau0e698542011-09-16 08:32:32 +02008017hdr_len <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008018hdr_len(<header>[,<occ>]) <integer>
Willy Tarreau0e698542011-09-16 08:32:32 +02008019 Returns true when at least one of the headers has a length which matches the
8020 values or ranges specified. This may be used to detect empty or too large
8021 headers. See "hdr" for more information on header matching. Use the
8022 shdr_len() variant for response headers sent by the server.
8023
Willy Tarreaud63335a2010-02-26 12:56:52 +01008024hdr_reg <regex>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008025hdr_reg(<header>[,<occ>]) <regex>
Willy Tarreau04aa6a92012-04-06 18:57:55 +02008026 Returns true it one of the headers matches one of the regular expressions. It
Willy Tarreaud63335a2010-02-26 12:56:52 +01008027 can be used at any time, but it is important to remember that regex matching
8028 is slower than other methods. See also other "hdr_" criteria, as well as
8029 "hdr" for more information on header matching. Use the shdr_reg() variant for
8030 response headers sent by the server.
8031
8032hdr_sub <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008033hdr_sub(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008034 Returns true when one of the headers contains one of the strings. See "hdr"
8035 for more information on header matching. Use the shdr_sub() variant for
8036 response headers sent by the server.
8037
8038hdr_val <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008039hdr_val(<header>[,<occ>]) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008040 Returns true when one of the headers starts with a number which matches the
8041 values or ranges specified. This may be used to limit content-length to
8042 acceptable values for example. See "hdr" for more information on header
8043 matching. Use the shdr_val() variant for response headers sent by the server.
8044
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008045http_auth(<userlist>)
8046http_auth_group(<userlist>) <group> [<group>]*
Willy Tarreaud63335a2010-02-26 12:56:52 +01008047 Returns true when authentication data received from the client matches
8048 username & password stored on the userlist. It is also possible to
8049 use http_auth_group to check if the user is assigned to at least one
8050 of specified groups.
8051
8052 Currently only http basic auth is supported.
8053
Willy Tarreau85c27da2011-09-16 07:53:52 +02008054http_first_req
Willy Tarreau7f18e522010-10-22 20:04:13 +02008055 Returns true when the request being processed is the first one of the
8056 connection. This can be used to add or remove headers that may be missing
8057 from some requests when a request is not the first one, or even to perform
8058 some specific ACL checks only on the first request.
8059
Willy Tarreau6a06a402007-07-15 20:15:28 +02008060method <string>
8061 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
8062 already check for most common methods.
8063
Willy Tarreau6a06a402007-07-15 20:15:28 +02008064path <string>
8065 Returns true when the path part of the request, which starts at the first
8066 slash and ends before the question mark, equals one of the strings. It may be
8067 used to match known files, such as /favicon.ico.
8068
8069path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008070 Returns true when the path begins with one of the strings. This can be used
8071 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008072
Willy Tarreau6a06a402007-07-15 20:15:28 +02008073path_dir <string>
8074 Returns true when one of the strings is found isolated or delimited with
8075 slashes in the path. This is used to perform filename or directory name
8076 matching without the risk of wrong match due to colliding prefixes. See also
8077 "url_dir" and "path_sub".
8078
8079path_dom <string>
8080 Returns true when one of the strings is found isolated or delimited with dots
8081 in the path. This may be used to perform domain name matching in proxy
8082 requests. See also "path_sub" and "url_dom".
8083
Willy Tarreaud63335a2010-02-26 12:56:52 +01008084path_end <string>
8085 Returns true when the path ends with one of the strings. This may be used to
8086 control file name extension.
8087
Willy Tarreau0e698542011-09-16 08:32:32 +02008088path_len <integer>
8089 Returns true when the path length matches the values or ranges specified.
8090 This may be used to detect abusive requests for instance.
8091
Willy Tarreau6a06a402007-07-15 20:15:28 +02008092path_reg <regex>
8093 Returns true when the path matches one of the regular expressions. It can be
8094 used any time, but it is important to remember that regex matching is slower
8095 than other methods. See also "url_reg" and all "path_" criteria.
8096
Willy Tarreaud63335a2010-02-26 12:56:52 +01008097path_sub <string>
8098 Returns true when the path contains one of the strings. It can be used to
8099 detect particular patterns in paths, such as "../" for example. See also
8100 "path_dir".
8101
Willy Tarreau0ce3aa02012-04-25 18:46:33 +02008102payload(<offset>,<length>) <string>
8103 Returns true if the block of <length> bytes, starting at byte <offset> in the
8104 request or response buffer (depending on the rule) exactly matches one of the
8105 strings.
8106
8107payload_lv(<offset1>,<length>[,<offset2>])
8108 Returns true if the block whose size is specified at <offset1> for <length>
8109 bytes, and which starts at <offset2> if specified or just after the length in
8110 the request or response buffer (depending on the rule) exactly matches one of
8111 the strings. The <offset2> parameter also supports relative offsets if
8112 prepended with a '+' or '-' sign.
8113
Willy Tarreaud63335a2010-02-26 12:56:52 +01008114req_ver <string>
8115 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
8116 ACL already check for versions 1.0 and 1.1.
8117
8118status <integer>
8119 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
8120 used to act on responses depending on status ranges, for instance, remove
8121 any Location header if the response is not a 3xx.
8122
Willy Tarreau6a06a402007-07-15 20:15:28 +02008123url <string>
8124 Applies to the whole URL passed in the request. The only real use is to match
8125 "*", for which there already is a predefined ACL.
8126
8127url_beg <string>
8128 Returns true when the URL begins with one of the strings. This can be used to
8129 check whether a URL begins with a slash or with a protocol scheme.
8130
Willy Tarreau6a06a402007-07-15 20:15:28 +02008131url_dir <string>
8132 Returns true when one of the strings is found isolated or delimited with
8133 slashes in the URL. This is used to perform filename or directory name
8134 matching without the risk of wrong match due to colliding prefixes. See also
8135 "path_dir" and "url_sub".
8136
8137url_dom <string>
8138 Returns true when one of the strings is found isolated or delimited with dots
8139 in the URL. This is used to perform domain name matching without the risk of
8140 wrong match due to colliding prefixes. See also "url_sub".
8141
Willy Tarreaud63335a2010-02-26 12:56:52 +01008142url_end <string>
8143 Returns true when the URL ends with one of the strings. It has very limited
8144 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008145
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008146url_ip <address>
8147 Applies to the IPv4 or IPv6 address specified in the absolute URI in an HTTP
8148 request. It can be used to prevent access to certain resources such as local
8149 network. It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008150
Willy Tarreau0e698542011-09-16 08:32:32 +02008151url_len <integer>
8152 Returns true when the url length matches the values or ranges specified. This
8153 may be used to detect abusive requests for instance.
8154
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008155url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008156 Applies to the port specified in the absolute URI in an HTTP request. It can
8157 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01008158 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01008159 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008160
Willy Tarreaud63335a2010-02-26 12:56:52 +01008161url_reg <regex>
8162 Returns true when the URL matches one of the regular expressions. It can be
8163 used any time, but it is important to remember that regex matching is slower
8164 than other methods. See also "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008165
Willy Tarreaud63335a2010-02-26 12:56:52 +01008166url_sub <string>
8167 Returns true when the URL contains one of the strings. It can be used to
8168 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008169
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008170urlp(<name>) <string>
8171 Note: all "urlp*" matching criteria apply to the first occurrence of the
8172 parameter <name> in the query string. The parameter name is case-sensitive.
8173
8174 The "urlp" matching criteria returns true if the designated URL parameter
8175 matches any of the strings. This can be used to check for exact values.
8176
8177urlp_beg(<name>) <string>
8178 Returns true when the URL parameter "<name>" begins with one of the strings.
8179 This can be used to check whether a URL begins with a slash or with a
8180 protocol scheme.
8181
8182urlp_dir(<name>) <string>
8183 Returns true when the URL parameter "<name>" contains one of the strings
8184 either isolated or delimited with slashes. This is used to perform filename
8185 or directory name matching in a specific URL parameter without the risk of
8186 wrong match due to colliding prefixes. See also "path_dir" and "urlp_sub".
8187
8188urlp_dom(<name>) <string>
8189 Returns true when one of the strings is found isolated or delimited with dots
8190 in the URL parameter "<name>". This is used to perform domain name matching
8191 in a specific URL parameter without the risk of wrong match due to colliding
8192 prefixes. See also "urlp_sub".
8193
8194urlp_end(<name>) <string>
8195 Returns true when the URL parameter "<name>" ends with one of the strings.
8196
8197urlp_ip(<name>) <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008198 Returns true when the URL parameter "<name>" contains an IPv4 or IPv6 address
8199 which matches one of the specified addresses.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008200
8201urlp_len(<name>) <integer>
8202 Returns true when the URL parameter "<name>" has a length matching the values
8203 or ranges specified. This is used to detect abusive requests for instance.
8204
8205urlp_reg(<name>) <regex>
8206 Returns true when the URL parameter "<name>" matches one of the regular
8207 expressions. It can be used any time, but it is important to remember that
8208 regex matching is slower than other methods. See also "path_reg" and all
8209 "urlp_" criteria.
8210
8211urlp_sub(<name>) <string>
8212 Returns true when the URL parameter "<name>" contains one of the strings. It
8213 can be used to detect particular patterns in query strings for example. See
8214 also "path_sub" and other "urlp_" criteria.
8215
Willy Tarreau198a7442008-01-17 12:05:32 +01008216
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082177.6. Pre-defined ACLs
8218---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008219
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008220Some predefined ACLs are hard-coded so that they do not have to be declared in
8221every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02008222order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01008223
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008224ACL name Equivalent to Usage
8225---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008226FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02008227HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008228HTTP_1.0 req_ver 1.0 match HTTP version 1.0
8229HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01008230HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
8231HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
8232HTTP_URL_SLASH url_beg / match URL beginning with "/"
8233HTTP_URL_STAR url * match URL equal to "*"
8234LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008235METH_CONNECT method CONNECT match HTTP CONNECT method
8236METH_GET method GET HEAD match HTTP GET or HEAD method
8237METH_HEAD method HEAD match HTTP HEAD method
8238METH_OPTIONS method OPTIONS match HTTP OPTIONS method
8239METH_POST method POST match HTTP POST method
8240METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02008241RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008242REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01008243TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008244WAIT_END wait_end wait for end of content analysis
8245---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008246
Willy Tarreauced27012008-01-17 20:35:34 +01008247
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082487.7. Using ACLs to form conditions
8249----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008250
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008251Some actions are only performed upon a valid condition. A condition is a
8252combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01008253
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008254 - AND (implicit)
8255 - OR (explicit with the "or" keyword or the "||" operator)
8256 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01008257
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008258A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01008259
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008260 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01008261
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008262Such conditions are generally used after an "if" or "unless" statement,
8263indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01008264
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008265For instance, to block HTTP requests to the "*" URL with methods other than
8266"OPTIONS", as well as POST requests without content-length, and GET or HEAD
8267requests with a content-length greater than 0, and finally every request which
8268is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01008269
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008270 acl missing_cl hdr_cnt(Content-length) eq 0
8271 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
8272 block if METH_GET HTTP_CONTENT
8273 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01008274
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008275To select a different backend for requests to static contents on the "www" site
8276and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01008277
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008278 acl url_static path_beg /static /images /img /css
8279 acl url_static path_end .gif .png .jpg .css .js
8280 acl host_www hdr_beg(host) -i www
8281 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01008282
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008283 # now use backend "static" for all static-only hosts, and for static urls
8284 # of host "www". Use backend "www" for the rest.
8285 use_backend static if host_static or host_www url_static
8286 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01008287
Willy Tarreau95fa4692010-02-01 13:05:50 +01008288It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
8289expressions that are built on the fly without needing to be declared. They must
8290be enclosed between braces, with a space before and after each brace (because
8291the braces must be seen as independant words). Example :
8292
8293 The following rule :
8294
8295 acl missing_cl hdr_cnt(Content-length) eq 0
8296 block if METH_POST missing_cl
8297
8298 Can also be written that way :
8299
8300 block if METH_POST { hdr_cnt(Content-length) eq 0 }
8301
8302It is generally not recommended to use this construct because it's a lot easier
8303to leave errors in the configuration when written that way. However, for very
8304simple rules matching only one source IP address for instance, it can make more
8305sense to use them than to declare ACLs with random names. Another example of
8306good use is the following :
8307
8308 With named ACLs :
8309
8310 acl site_dead nbsrv(dynamic) lt 2
8311 acl site_dead nbsrv(static) lt 2
8312 monitor fail if site_dead
8313
8314 With anonymous ACLs :
8315
8316 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
8317
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008318See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01008319
Willy Tarreau5764b382007-11-30 17:46:49 +01008320
Willy Tarreaub937b7e2010-01-12 15:27:54 +010083217.8. Pattern extraction
8322-----------------------
8323
8324The stickiness features relies on pattern extraction in the request and
8325response. Sometimes the data needs to be converted first before being stored,
8326for instance converted from ASCII to IP or upper case to lower case.
8327
8328All these operations of data extraction and conversion are defined as
8329"pattern extraction rules". A pattern rule always has the same format. It
8330begins with a single pattern fetch word, potentially followed by a list of
8331arguments within parenthesis then an optional list of transformations. As
8332much as possible, the pattern fetch functions use the same name as their
8333equivalent used in ACLs.
8334
8335The list of currently supported pattern fetch functions is the following :
8336
8337 src This is the source IPv4 address of the client of the session.
David du Colombier9a6d3c92011-03-17 10:40:24 +01008338 It is of type IPv4 and works on both IPv4 and IPv6 tables.
8339 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8340 according to RFC 4291.
8341
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008342 dst This is the destination IPv4 address of the session on the
8343 client side, which is the address the client connected to.
8344 It can be useful when running in transparent mode. It is of
David du Colombier9a6d3c92011-03-17 10:40:24 +01008345 type IPv4 and works on both IPv4 and IPv6 tables.
8346 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8347 according to RFC 4291.
8348
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008349 dst_port This is the destination TCP port of the session on the client
8350 side, which is the port the client connected to. This might be
8351 used when running in transparent mode or when assigning dynamic
8352 ports to some clients for a whole application session. It is of
8353 type integer and only works with such tables.
8354
Willy Tarreau185b5c42012-04-26 15:11:51 +02008355 hdr(<name>[,<occ>])
8356 This extracts the last occurrence of header <name> in an HTTP
8357 request. Optionally, a specific occurrence might be specified as
8358 a position number. Positive values indicate a position from the
8359 first occurrence, with 1 being the first one. Negative values
8360 indicate positions relative to the last one, with -1 being the
8361 last one. A typical use is with the X-Forwarded-For header once
Willy Tarreaue428fb72011-12-16 21:50:30 +01008362 converted to IP, associated with an IP stick-table.
Willy Tarreau4a568972010-05-12 08:08:50 +02008363
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008364 payload(<offset>,<length>)
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008365 This extracts a binary block of <length> bytes, and starting
8366 at bytes <offset> in the buffer of request or response (request
8367 on "stick on" or "stick match" or response in on "stick store
8368 response").
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008369
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008370 payload_lv(<offset1>,<length>[,<offset2>])
Emeric Brun6a1cefa2010-09-24 18:15:17 +02008371 This extracts a binary block. In a first step the size of the
8372 block is read from response or request buffer at <offset>
8373 bytes and considered coded on <length> bytes. In a second step
8374 data of the block are read from buffer at <offset2> bytes
8375 (by default <lengthoffset> + <lengthsize>).
8376 If <offset2> is prefixed by '+' or '-', it is relative to
8377 <lengthoffset> + <lengthsize> else it is absolute.
8378 Ex: see SSL session id example in "stick table" chapter.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008379
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008380 src_port This is the source TCP port of the session on the client side,
8381 which is the port the client connected from. It is very unlikely
8382 that this function will be useful but it's available at no cost.
8383 It is of type integer and only works with such tables.
8384
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008385 url_param(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008386 This extracts the first occurrence of the parameter <name> in
8387 the query string of the request and uses the corresponding value
8388 to match. A typical use is to get sticky session through url
8389 (e.g. http://example.com/foo?JESSIONID=some_id with
8390 url_param(JSESSIONID)), for cases where cookies cannot be used.
David Cournapeau16023ee2010-12-23 20:55:41 +09008391
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008392 rdp_cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008393 This extracts the value of the rdp cookie <name> as a string
8394 and uses this value to match. This enables implementation of
8395 persistence based on the mstshash cookie. This is typically
8396 done if there is no msts cookie present.
Simon Hormanab814e02011-06-24 14:50:20 +09008397
Cyril Bontédc4d9032012-04-08 21:57:39 +02008398 This differs from "balance rdp-cookie" in that any balancing
8399 algorithm may be used and thus the distribution of clients
8400 to backend servers is not linked to a hash of the RDP
8401 cookie. It is envisaged that using a balancing algorithm
8402 such as "balance roundrobin" or "balance leastconnect" will
8403 lead to a more even distribution of clients to backend
8404 servers than the hash used by "balance rdp-cookie".
Simon Hormanab814e02011-06-24 14:50:20 +09008405
Cyril Bontédc4d9032012-04-08 21:57:39 +02008406 Example :
8407 listen tse-farm
8408 bind 0.0.0.0:3389
8409 # wait up to 5s for an RDP cookie in the request
8410 tcp-request inspect-delay 5s
8411 tcp-request content accept if RDP_COOKIE
8412 # apply RDP cookie persistence
8413 persist rdp-cookie
8414 # Persist based on the mstshash cookie
8415 # This is only useful makes sense if
8416 # balance rdp-cookie is not used
8417 stick-table type string size 204800
8418 stick on rdp_cookie(mstshash)
8419 server srv1 1.1.1.1:3389
8420 server srv1 1.1.1.2:3389
Simon Hormanab814e02011-06-24 14:50:20 +09008421
Cyril Bontédc4d9032012-04-08 21:57:39 +02008422 See also : "balance rdp-cookie", "persist rdp-cookie",
8423 "tcp-request" and the "req_rdp_cookie" ACL.
Simon Hormanab814e02011-06-24 14:50:20 +09008424
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008425 cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02008426 This extracts the last occurrence of the cookie name <name> on a
Willy Tarreau28376d62012-04-26 21:26:10 +02008427 "Cookie" header line from the request, or a "Set-Cookie" header
8428 from the response, and uses the corresponding value to match. A
8429 typical use is to get multiple clients sharing a same profile
8430 use the same server. This can be similar to what "appsession"
8431 does with the "request-learn" statement, but with support for
8432 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008433
Cyril Bontédc4d9032012-04-08 21:57:39 +02008434 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008435
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008436 set-cookie(<name>)
Willy Tarreau28376d62012-04-26 21:26:10 +02008437 This fetch function is deprecated and has been superseded by the
8438 "cookie" fetch which is capable of handling both requests and
8439 responses. This keyword will disappear soon.
8440
Cyril Bontédc4d9032012-04-08 21:57:39 +02008441 This extracts the last occurrence of the cookie name <name> on a
8442 "Set-Cookie" header line from the response and uses the
8443 corresponding value to match. This can be comparable to what
8444 "appsession" does with default options, but with support for
8445 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008446
Cyril Bontédc4d9032012-04-08 21:57:39 +02008447 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02008448
Simon Hormanab814e02011-06-24 14:50:20 +09008449
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008450The currently available list of transformations include :
8451
8452 lower Convert a string pattern to lower case. This can only be placed
8453 after a string pattern fetch function or after a conversion
8454 function returning a string type. The result is of type string.
8455
8456 upper Convert a string pattern to upper case. This can only be placed
8457 after a string pattern fetch function or after a conversion
8458 function returning a string type. The result is of type string.
8459
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008460 ipmask(<mask>) Apply a mask to an IPv4 address, and use the result for lookups
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01008461 and storage. This can be used to make all hosts within a
8462 certain mask to share the same table entries and as such use
8463 the same server. The mask can be passed in dotted form (eg:
8464 255.255.255.0) or in CIDR form (eg: 24).
8465
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008466
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084678. Logging
8468----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01008469
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008470One of HAProxy's strong points certainly lies is its precise logs. It probably
8471provides the finest level of information available for such a product, which is
8472very important for troubleshooting complex environments. Standard information
8473provided in logs include client ports, TCP/HTTP state timers, precise session
8474state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008475to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008476headers.
8477
8478In order to improve administrators reactivity, it offers a great transparency
8479about encountered problems, both internal and external, and it is possible to
8480send logs to different sources at the same time with different level filters :
8481
8482 - global process-level logs (system errors, start/stop, etc..)
8483 - per-instance system and internal errors (lack of resource, bugs, ...)
8484 - per-instance external troubles (servers up/down, max connections)
8485 - per-instance activity (client connections), either at the establishment or
8486 at the termination.
8487
8488The ability to distribute different levels of logs to different log servers
8489allow several production teams to interact and to fix their problems as soon
8490as possible. For example, the system team might monitor system-wide errors,
8491while the application team might be monitoring the up/down for their servers in
8492real time, and the security team might analyze the activity logs with one hour
8493delay.
8494
8495
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084968.1. Log levels
8497---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008498
Simon Hormandf791f52011-05-29 15:01:10 +09008499TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008500source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +09008501HTTP request, HTTP return code, number of bytes transmitted, conditions
8502in which the session ended, and even exchanged cookies values. For example
8503track a particular user's problems. All messages may be sent to up to two
8504syslog servers. Check the "log" keyword in section 4.2 for more information
8505about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008506
8507
Willy Tarreauc57f0e22009-05-10 13:12:33 +020085088.2. Log formats
8509----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008510
William Lallemand48940402012-01-30 16:47:22 +01008511HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +09008512and will be detailed in the following sections. A few of them may vary
8513slightly with the configuration, due to indicators specific to certain
8514options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008515
8516 - the default format, which is very basic and very rarely used. It only
8517 provides very basic information about the incoming connection at the moment
8518 it is accepted : source IP:port, destination IP:port, and frontend-name.
8519 This mode will eventually disappear so it will not be described to great
8520 extents.
8521
8522 - the TCP format, which is more advanced. This format is enabled when "option
8523 tcplog" is set on the frontend. HAProxy will then usually wait for the
8524 connection to terminate before logging. This format provides much richer
8525 information, such as timers, connection counts, queue size, etc... This
8526 format is recommended for pure TCP proxies.
8527
8528 - the HTTP format, which is the most advanced for HTTP proxying. This format
8529 is enabled when "option httplog" is set on the frontend. It provides the
8530 same information as the TCP format with some HTTP-specific fields such as
8531 the request, the status code, and captures of headers and cookies. This
8532 format is recommended for HTTP proxies.
8533
Emeric Brun3a058f32009-06-30 18:26:00 +02008534 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
8535 fields arranged in the same order as the CLF format. In this mode, all
8536 timers, captures, flags, etc... appear one per field after the end of the
8537 common fields, in the same order they appear in the standard HTTP format.
8538
William Lallemand48940402012-01-30 16:47:22 +01008539 - the custom log format, allows you to make your own log line.
8540
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008541Next sections will go deeper into details for each of these formats. Format
8542specification will be performed on a "field" basis. Unless stated otherwise, a
8543field is a portion of text delimited by any number of spaces. Since syslog
8544servers are susceptible of inserting fields at the beginning of a line, it is
8545always assumed that the first field is the one containing the process name and
8546identifier.
8547
8548Note : Since log lines may be quite long, the log examples in sections below
8549 might be broken into multiple lines. The example log lines will be
8550 prefixed with 3 closing angle brackets ('>>>') and each time a log is
8551 broken into multiple lines, each non-final line will end with a
8552 backslash ('\') and the next line will start indented by two characters.
8553
8554
Willy Tarreauc57f0e22009-05-10 13:12:33 +020085558.2.1. Default log format
8556-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008557
8558This format is used when no specific option is set. The log is emitted as soon
8559as the connection is accepted. One should note that this currently is the only
8560format which logs the request's destination IP and ports.
8561
8562 Example :
8563 listen www
8564 mode http
8565 log global
8566 server srv1 127.0.0.1:8000
8567
8568 >>> Feb 6 12:12:09 localhost \
8569 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
8570 (www/HTTP)
8571
8572 Field Format Extract from the example above
8573 1 process_name '[' pid ']:' haproxy[14385]:
8574 2 'Connect from' Connect from
8575 3 source_ip ':' source_port 10.0.1.2:33312
8576 4 'to' to
8577 5 destination_ip ':' destination_port 10.0.3.31:8012
8578 6 '(' frontend_name '/' mode ')' (www/HTTP)
8579
8580Detailed fields description :
8581 - "source_ip" is the IP address of the client which initiated the connection.
8582 - "source_port" is the TCP port of the client which initiated the connection.
8583 - "destination_ip" is the IP address the client connected to.
8584 - "destination_port" is the TCP port the client connected to.
8585 - "frontend_name" is the name of the frontend (or listener) which received
8586 and processed the connection.
8587 - "mode is the mode the frontend is operating (TCP or HTTP).
8588
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008589In case of a UNIX socket, the source and destination addresses are marked as
8590"unix:" and the ports reflect the internal ID of the socket which accepted the
8591connection (the same ID as reported in the stats).
8592
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008593It is advised not to use this deprecated format for newer installations as it
8594will eventually disappear.
8595
8596
Willy Tarreauc57f0e22009-05-10 13:12:33 +020085978.2.2. TCP log format
8598---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008599
8600The TCP format is used when "option tcplog" is specified in the frontend, and
8601is the recommended format for pure TCP proxies. It provides a lot of precious
8602information for troubleshooting. Since this format includes timers and byte
8603counts, the log is normally emitted at the end of the session. It can be
8604emitted earlier if "option logasap" is specified, which makes sense in most
8605environments with long sessions such as remote terminals. Sessions which match
8606the "monitor" rules are never logged. It is also possible not to emit logs for
8607sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008608specifying "option dontlognull" in the frontend. Successful connections will
8609not be logged if "option dontlog-normal" is specified in the frontend. A few
8610fields may slightly vary depending on some configuration options, those are
8611marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008612
8613 Example :
8614 frontend fnt
8615 mode tcp
8616 option tcplog
8617 log global
8618 default_backend bck
8619
8620 backend bck
8621 server srv1 127.0.0.1:8000
8622
8623 >>> Feb 6 12:12:56 localhost \
8624 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
8625 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
8626
8627 Field Format Extract from the example above
8628 1 process_name '[' pid ']:' haproxy[14387]:
8629 2 client_ip ':' client_port 10.0.1.2:33313
8630 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
8631 4 frontend_name fnt
8632 5 backend_name '/' server_name bck/srv1
8633 6 Tw '/' Tc '/' Tt* 0/0/5007
8634 7 bytes_read* 212
8635 8 termination_state --
8636 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
8637 10 srv_queue '/' backend_queue 0/0
8638
8639Detailed fields description :
8640 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008641 connection to haproxy. If the connection was accepted on a UNIX socket
8642 instead, the IP address would be replaced with the word "unix". Note that
8643 when the connection is accepted on a socket configured with "accept-proxy"
8644 and the PROXY protocol is correctly used, then the logs will reflect the
8645 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008646
8647 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008648 If the connection was accepted on a UNIX socket instead, the port would be
8649 replaced with the ID of the accepting socket, which is also reported in the
8650 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008651
8652 - "accept_date" is the exact date when the connection was received by haproxy
8653 (which might be very slightly different from the date observed on the
8654 network if there was some queuing in the system's backlog). This is usually
8655 the same date which may appear in any upstream firewall's log.
8656
8657 - "frontend_name" is the name of the frontend (or listener) which received
8658 and processed the connection.
8659
8660 - "backend_name" is the name of the backend (or listener) which was selected
8661 to manage the connection to the server. This will be the same as the
8662 frontend if no switching rule has been applied, which is common for TCP
8663 applications.
8664
8665 - "server_name" is the name of the last server to which the connection was
8666 sent, which might differ from the first one if there were connection errors
8667 and a redispatch occurred. Note that this server belongs to the backend
8668 which processed the request. If the connection was aborted before reaching
8669 a server, "<NOSRV>" is indicated instead of a server name.
8670
8671 - "Tw" is the total time in milliseconds spent waiting in the various queues.
8672 It can be "-1" if the connection was aborted before reaching the queue.
8673 See "Timers" below for more details.
8674
8675 - "Tc" is the total time in milliseconds spent waiting for the connection to
8676 establish to the final server, including retries. It can be "-1" if the
8677 connection was aborted before a connection could be established. See
8678 "Timers" below for more details.
8679
8680 - "Tt" is the total time in milliseconds elapsed between the accept and the
8681 last close. It covers all possible processings. There is one exception, if
8682 "option logasap" was specified, then the time counting stops at the moment
8683 the log is emitted. In this case, a '+' sign is prepended before the value,
8684 indicating that the final one will be larger. See "Timers" below for more
8685 details.
8686
8687 - "bytes_read" is the total number of bytes transmitted from the server to
8688 the client when the log is emitted. If "option logasap" is specified, the
8689 this value will be prefixed with a '+' sign indicating that the final one
8690 may be larger. Please note that this value is a 64-bit counter, so log
8691 analysis tools must be able to handle it without overflowing.
8692
8693 - "termination_state" is the condition the session was in when the session
8694 ended. This indicates the session state, which side caused the end of
8695 session to happen, and for what reason (timeout, error, ...). The normal
8696 flags should be "--", indicating the session was closed by either end with
8697 no data remaining in buffers. See below "Session state at disconnection"
8698 for more details.
8699
8700 - "actconn" is the total number of concurrent connections on the process when
8701 the session was logged. It it useful to detect when some per-process system
8702 limits have been reached. For instance, if actconn is close to 512 when
8703 multiple connection errors occur, chances are high that the system limits
8704 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008705 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008706
8707 - "feconn" is the total number of concurrent connections on the frontend when
8708 the session was logged. It is useful to estimate the amount of resource
8709 required to sustain high loads, and to detect when the frontend's "maxconn"
8710 has been reached. Most often when this value increases by huge jumps, it is
8711 because there is congestion on the backend servers, but sometimes it can be
8712 caused by a denial of service attack.
8713
8714 - "beconn" is the total number of concurrent connections handled by the
8715 backend when the session was logged. It includes the total number of
8716 concurrent connections active on servers as well as the number of
8717 connections pending in queues. It is useful to estimate the amount of
8718 additional servers needed to support high loads for a given application.
8719 Most often when this value increases by huge jumps, it is because there is
8720 congestion on the backend servers, but sometimes it can be caused by a
8721 denial of service attack.
8722
8723 - "srv_conn" is the total number of concurrent connections still active on
8724 the server when the session was logged. It can never exceed the server's
8725 configured "maxconn" parameter. If this value is very often close or equal
8726 to the server's "maxconn", it means that traffic regulation is involved a
8727 lot, meaning that either the server's maxconn value is too low, or that
8728 there aren't enough servers to process the load with an optimal response
8729 time. When only one of the server's "srv_conn" is high, it usually means
8730 that this server has some trouble causing the connections to take longer to
8731 be processed than on other servers.
8732
8733 - "retries" is the number of connection retries experienced by this session
8734 when trying to connect to the server. It must normally be zero, unless a
8735 server is being stopped at the same moment the connection was attempted.
8736 Frequent retries generally indicate either a network problem between
8737 haproxy and the server, or a misconfigured system backlog on the server
8738 preventing new connections from being queued. This field may optionally be
8739 prefixed with a '+' sign, indicating that the session has experienced a
8740 redispatch after the maximal retry count has been reached on the initial
8741 server. In this case, the server name appearing in the log is the one the
8742 connection was redispatched to, and not the first one, though both may
8743 sometimes be the same in case of hashing for instance. So as a general rule
8744 of thumb, when a '+' is present in front of the retry count, this count
8745 should not be attributed to the logged server.
8746
8747 - "srv_queue" is the total number of requests which were processed before
8748 this one in the server queue. It is zero when the request has not gone
8749 through the server queue. It makes it possible to estimate the approximate
8750 server's response time by dividing the time spent in queue by the number of
8751 requests in the queue. It is worth noting that if a session experiences a
8752 redispatch and passes through two server queues, their positions will be
8753 cumulated. A request should not pass through both the server queue and the
8754 backend queue unless a redispatch occurs.
8755
8756 - "backend_queue" is the total number of requests which were processed before
8757 this one in the backend's global queue. It is zero when the request has not
8758 gone through the global queue. It makes it possible to estimate the average
8759 queue length, which easily translates into a number of missing servers when
8760 divided by a server's "maxconn" parameter. It is worth noting that if a
8761 session experiences a redispatch, it may pass twice in the backend's queue,
8762 and then both positions will be cumulated. A request should not pass
8763 through both the server queue and the backend queue unless a redispatch
8764 occurs.
8765
8766
Willy Tarreauc57f0e22009-05-10 13:12:33 +020087678.2.3. HTTP log format
8768----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008769
8770The HTTP format is the most complete and the best suited for HTTP proxies. It
8771is enabled by when "option httplog" is specified in the frontend. It provides
8772the same level of information as the TCP format with additional features which
8773are specific to the HTTP protocol. Just like the TCP format, the log is usually
8774emitted at the end of the session, unless "option logasap" is specified, which
8775generally only makes sense for download sites. A session which matches the
8776"monitor" rules will never logged. It is also possible not to log sessions for
8777which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008778frontend. Successful connections will not be logged if "option dontlog-normal"
8779is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008780
8781Most fields are shared with the TCP log, some being different. A few fields may
8782slightly vary depending on some configuration options. Those ones are marked
8783with a star ('*') after the field name below.
8784
8785 Example :
8786 frontend http-in
8787 mode http
8788 option httplog
8789 log global
8790 default_backend bck
8791
8792 backend static
8793 server srv1 127.0.0.1:8000
8794
8795 >>> Feb 6 12:14:14 localhost \
8796 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
8797 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008798 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008799
8800 Field Format Extract from the example above
8801 1 process_name '[' pid ']:' haproxy[14389]:
8802 2 client_ip ':' client_port 10.0.1.2:33317
8803 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
8804 4 frontend_name http-in
8805 5 backend_name '/' server_name static/srv1
8806 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
8807 7 status_code 200
8808 8 bytes_read* 2750
8809 9 captured_request_cookie -
8810 10 captured_response_cookie -
8811 11 termination_state ----
8812 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
8813 13 srv_queue '/' backend_queue 0/0
8814 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
8815 15 '{' captured_response_headers* '}' {}
8816 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01008817
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008818
8819Detailed fields description :
8820 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008821 connection to haproxy. If the connection was accepted on a UNIX socket
8822 instead, the IP address would be replaced with the word "unix". Note that
8823 when the connection is accepted on a socket configured with "accept-proxy"
8824 and the PROXY protocol is correctly used, then the logs will reflect the
8825 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008826
8827 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01008828 If the connection was accepted on a UNIX socket instead, the port would be
8829 replaced with the ID of the accepting socket, which is also reported in the
8830 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008831
8832 - "accept_date" is the exact date when the TCP connection was received by
8833 haproxy (which might be very slightly different from the date observed on
8834 the network if there was some queuing in the system's backlog). This is
8835 usually the same date which may appear in any upstream firewall's log. This
8836 does not depend on the fact that the client has sent the request or not.
8837
8838 - "frontend_name" is the name of the frontend (or listener) which received
8839 and processed the connection.
8840
8841 - "backend_name" is the name of the backend (or listener) which was selected
8842 to manage the connection to the server. This will be the same as the
8843 frontend if no switching rule has been applied.
8844
8845 - "server_name" is the name of the last server to which the connection was
8846 sent, which might differ from the first one if there were connection errors
8847 and a redispatch occurred. Note that this server belongs to the backend
8848 which processed the request. If the request was aborted before reaching a
8849 server, "<NOSRV>" is indicated instead of a server name. If the request was
8850 intercepted by the stats subsystem, "<STATS>" is indicated instead.
8851
8852 - "Tq" is the total time in milliseconds spent waiting for the client to send
8853 a full HTTP request, not counting data. It can be "-1" if the connection
8854 was aborted before a complete request could be received. It should always
8855 be very small because a request generally fits in one single packet. Large
8856 times here generally indicate network trouble between the client and
8857 haproxy. See "Timers" below for more details.
8858
8859 - "Tw" is the total time in milliseconds spent waiting in the various queues.
8860 It can be "-1" if the connection was aborted before reaching the queue.
8861 See "Timers" below for more details.
8862
8863 - "Tc" is the total time in milliseconds spent waiting for the connection to
8864 establish to the final server, including retries. It can be "-1" if the
8865 request was aborted before a connection could be established. See "Timers"
8866 below for more details.
8867
8868 - "Tr" is the total time in milliseconds spent waiting for the server to send
8869 a full HTTP response, not counting data. It can be "-1" if the request was
8870 aborted before a complete response could be received. It generally matches
8871 the server's processing time for the request, though it may be altered by
8872 the amount of data sent by the client to the server. Large times here on
8873 "GET" requests generally indicate an overloaded server. See "Timers" below
8874 for more details.
8875
8876 - "Tt" is the total time in milliseconds elapsed between the accept and the
8877 last close. It covers all possible processings. There is one exception, if
8878 "option logasap" was specified, then the time counting stops at the moment
8879 the log is emitted. In this case, a '+' sign is prepended before the value,
8880 indicating that the final one will be larger. See "Timers" below for more
8881 details.
8882
8883 - "status_code" is the HTTP status code returned to the client. This status
8884 is generally set by the server, but it might also be set by haproxy when
8885 the server cannot be reached or when its response is blocked by haproxy.
8886
8887 - "bytes_read" is the total number of bytes transmitted to the client when
8888 the log is emitted. This does include HTTP headers. If "option logasap" is
8889 specified, the this value will be prefixed with a '+' sign indicating that
8890 the final one may be larger. Please note that this value is a 64-bit
8891 counter, so log analysis tools must be able to handle it without
8892 overflowing.
8893
8894 - "captured_request_cookie" is an optional "name=value" entry indicating that
8895 the client had this cookie in the request. The cookie name and its maximum
8896 length are defined by the "capture cookie" statement in the frontend
8897 configuration. The field is a single dash ('-') when the option is not
8898 set. Only one cookie may be captured, it is generally used to track session
8899 ID exchanges between a client and a server to detect session crossing
8900 between clients due to application bugs. For more details, please consult
8901 the section "Capturing HTTP headers and cookies" below.
8902
8903 - "captured_response_cookie" is an optional "name=value" entry indicating
8904 that the server has returned a cookie with its response. The cookie name
8905 and its maximum length are defined by the "capture cookie" statement in the
8906 frontend configuration. The field is a single dash ('-') when the option is
8907 not set. Only one cookie may be captured, it is generally used to track
8908 session ID exchanges between a client and a server to detect session
8909 crossing between clients due to application bugs. For more details, please
8910 consult the section "Capturing HTTP headers and cookies" below.
8911
8912 - "termination_state" is the condition the session was in when the session
8913 ended. This indicates the session state, which side caused the end of
8914 session to happen, for what reason (timeout, error, ...), just like in TCP
8915 logs, and information about persistence operations on cookies in the last
8916 two characters. The normal flags should begin with "--", indicating the
8917 session was closed by either end with no data remaining in buffers. See
8918 below "Session state at disconnection" for more details.
8919
8920 - "actconn" is the total number of concurrent connections on the process when
8921 the session was logged. It it useful to detect when some per-process system
8922 limits have been reached. For instance, if actconn is close to 512 or 1024
8923 when multiple connection errors occur, chances are high that the system
8924 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008925 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008926 system.
8927
8928 - "feconn" is the total number of concurrent connections on the frontend when
8929 the session was logged. It is useful to estimate the amount of resource
8930 required to sustain high loads, and to detect when the frontend's "maxconn"
8931 has been reached. Most often when this value increases by huge jumps, it is
8932 because there is congestion on the backend servers, but sometimes it can be
8933 caused by a denial of service attack.
8934
8935 - "beconn" is the total number of concurrent connections handled by the
8936 backend when the session was logged. It includes the total number of
8937 concurrent connections active on servers as well as the number of
8938 connections pending in queues. It is useful to estimate the amount of
8939 additional servers needed to support high loads for a given application.
8940 Most often when this value increases by huge jumps, it is because there is
8941 congestion on the backend servers, but sometimes it can be caused by a
8942 denial of service attack.
8943
8944 - "srv_conn" is the total number of concurrent connections still active on
8945 the server when the session was logged. It can never exceed the server's
8946 configured "maxconn" parameter. If this value is very often close or equal
8947 to the server's "maxconn", it means that traffic regulation is involved a
8948 lot, meaning that either the server's maxconn value is too low, or that
8949 there aren't enough servers to process the load with an optimal response
8950 time. When only one of the server's "srv_conn" is high, it usually means
8951 that this server has some trouble causing the requests to take longer to be
8952 processed than on other servers.
8953
8954 - "retries" is the number of connection retries experienced by this session
8955 when trying to connect to the server. It must normally be zero, unless a
8956 server is being stopped at the same moment the connection was attempted.
8957 Frequent retries generally indicate either a network problem between
8958 haproxy and the server, or a misconfigured system backlog on the server
8959 preventing new connections from being queued. This field may optionally be
8960 prefixed with a '+' sign, indicating that the session has experienced a
8961 redispatch after the maximal retry count has been reached on the initial
8962 server. In this case, the server name appearing in the log is the one the
8963 connection was redispatched to, and not the first one, though both may
8964 sometimes be the same in case of hashing for instance. So as a general rule
8965 of thumb, when a '+' is present in front of the retry count, this count
8966 should not be attributed to the logged server.
8967
8968 - "srv_queue" is the total number of requests which were processed before
8969 this one in the server queue. It is zero when the request has not gone
8970 through the server queue. It makes it possible to estimate the approximate
8971 server's response time by dividing the time spent in queue by the number of
8972 requests in the queue. It is worth noting that if a session experiences a
8973 redispatch and passes through two server queues, their positions will be
8974 cumulated. A request should not pass through both the server queue and the
8975 backend queue unless a redispatch occurs.
8976
8977 - "backend_queue" is the total number of requests which were processed before
8978 this one in the backend's global queue. It is zero when the request has not
8979 gone through the global queue. It makes it possible to estimate the average
8980 queue length, which easily translates into a number of missing servers when
8981 divided by a server's "maxconn" parameter. It is worth noting that if a
8982 session experiences a redispatch, it may pass twice in the backend's queue,
8983 and then both positions will be cumulated. A request should not pass
8984 through both the server queue and the backend queue unless a redispatch
8985 occurs.
8986
8987 - "captured_request_headers" is a list of headers captured in the request due
8988 to the presence of the "capture request header" statement in the frontend.
8989 Multiple headers can be captured, they will be delimited by a vertical bar
8990 ('|'). When no capture is enabled, the braces do not appear, causing a
8991 shift of remaining fields. It is important to note that this field may
8992 contain spaces, and that using it requires a smarter log parser than when
8993 it's not used. Please consult the section "Capturing HTTP headers and
8994 cookies" below for more details.
8995
8996 - "captured_response_headers" is a list of headers captured in the response
8997 due to the presence of the "capture response header" statement in the
8998 frontend. Multiple headers can be captured, they will be delimited by a
8999 vertical bar ('|'). When no capture is enabled, the braces do not appear,
9000 causing a shift of remaining fields. It is important to note that this
9001 field may contain spaces, and that using it requires a smarter log parser
9002 than when it's not used. Please consult the section "Capturing HTTP headers
9003 and cookies" below for more details.
9004
9005 - "http_request" is the complete HTTP request line, including the method,
9006 request and HTTP version string. Non-printable characters are encoded (see
9007 below the section "Non-printable characters"). This is always the last
9008 field, and it is always delimited by quotes and is the only one which can
9009 contain quotes. If new fields are added to the log format, they will be
9010 added before this field. This field might be truncated if the request is
9011 huge and does not fit in the standard syslog buffer (1024 characters). This
9012 is the reason why this field must always remain the last one.
9013
9014
Cyril Bontédc4d9032012-04-08 21:57:39 +020090158.2.4. Custom log format
9016------------------------
William Lallemand48940402012-01-30 16:47:22 +01009017
William Lallemandbddd4fd2012-02-27 11:23:10 +01009018The directive log-format allows you to custom the logs in http mode and tcp
9019mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +01009020
9021HAproxy understands some log format variables. % precedes log format variables.
9022Variables can take arguments using braces ('{}'), and multiple arguments are
9023separated by commas within the braces. Flags may be added or removed by
9024prefixing them with a '+' or '-' sign.
9025
9026Special variable "%o" may be used to propagate its flags to all other
9027variables on the same format string. This is particularly handy with quoted
9028string formats ("Q").
9029
9030Note: spaces must be escaped. A space character is considered as a separator.
9031HAproxy will automatically merge consecutive separators.
9032
9033Flags are :
9034 * Q: quote a string
William Lallemand5f232402012-04-05 18:02:55 +02009035 * X: hexadecimal represenation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +01009036
9037 Example:
9038
9039 log-format %T\ %t\ Some\ Text
9040 log-format %{+Q}o\ %t\ %s\ %{-Q}r
9041
9042At the moment, the default HTTP format is defined this way :
9043
9044 log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \
Willy Tarreau6580c062012-03-12 15:09:42 +01009045 %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +01009046
William Lallemandbddd4fd2012-02-27 11:23:10 +01009047the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +01009048
9049 log-format %{+Q}o\ %{-Q}Ci\ -\ -\ [%T]\ %r\ %st\ %B\ \"\"\ \"\"\ %Cp\ \
Willy Tarreau6580c062012-03-12 15:09:42 +01009050 %ms\ %f\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
William Lallemand48940402012-01-30 16:47:22 +01009051 %bc\ %sc\ %rc\ %sq\ %bq\ %cc\ %cs\ \%hrl\ %hsl
9052
William Lallemandbddd4fd2012-02-27 11:23:10 +01009053and the default TCP format is defined this way :
9054
9055 log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
9056 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
9057
William Lallemand48940402012-01-30 16:47:22 +01009058Please refer to the table below for currently defined variables :
9059
William Lallemandbddd4fd2012-02-27 11:23:10 +01009060 +---+------+-----------------------------------------------+-------------+
9061 | H | var | field name (8.2.2 and 8.2.3 for description) | type |
9062 +---+------+-----------------------------------------------+-------------+
9063 | | %o | special variable, apply flags on all next var | |
9064 +---+------+-----------------------------------------------+-------------+
9065 | | %B | bytes_read | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009066 | | %Ci | client_ip | IP |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009067 | | %Cp | client_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009068 | | %Bi | backend_source_ip | IP |
William Lallemandb7ff6a32012-03-02 14:35:21 +01009069 | | %Bp | backend_source_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009070 | | %Fi | frontend_ip | IP |
9071 | | %Fp | frontend_port | numeric |
9072 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +01009073 | | %ID | unique-id | string |
William Lallemand5f232402012-04-05 18:02:55 +02009074 | | %Si | server_IP | IP |
9075 | | %Sp | server_port | numeric |
9076 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009077 | | %Tc | Tc | numeric |
9078 | * | %Tq | Tq | numeric |
9079 | * | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009080 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009081 | | %Tt | Tt | numeric |
9082 | | %Tw | Tw | numeric |
9083 | | %ac | actconn | numeric |
9084 | | %b | backend_name | string |
9085 | | %bc | beconn | numeric |
9086 | | %bq | backend_queue | numeric |
9087 | * | %cc | captured_request_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +02009088 | * | %rt | http_request_counter | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009089 | * | %cs | captured_response_cookie | string |
9090 | | %f | frontend_name | string |
9091 | | %fc | feconn | numeric |
9092 | * | %hr | captured_request_headers default style | string |
9093 | * | %hrl | captured_request_headers CLF style | string list |
9094 | * | %hs | captured_response_headers default style | string |
9095 | * | %hsl | captured_response_headers CLF style | string list |
9096 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009097 | | %pid | PID | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009098 | * | %r | http_request | string |
9099 | | %rc | retries | numeric |
9100 | | %s | server_name | string |
9101 | | %sc | srv_conn | numeric |
9102 | | %sq | srv_queue | numeric |
9103 | * | %st | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009104 | | %t | date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009105 | | %ts | termination_state | string |
Willy Tarreau6580c062012-03-12 15:09:42 +01009106 | * | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009107 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +01009108
William Lallemand5f232402012-04-05 18:02:55 +02009109*: mode http only
William Lallemand48940402012-01-30 16:47:22 +01009110
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091118.3. Advanced logging options
9112-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009113
9114Some advanced logging options are often looked for but are not easy to find out
9115just by looking at the various options. Here is an entry point for the few
9116options which can enable better logging. Please refer to the keywords reference
9117for more information about their usage.
9118
9119
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091208.3.1. Disabling logging of external tests
9121------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009122
9123It is quite common to have some monitoring tools perform health checks on
9124haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
9125commercial load-balancer, and sometimes it will simply be a more complete
9126monitoring system such as Nagios. When the tests are very frequent, users often
9127ask how to disable logging for those checks. There are three possibilities :
9128
9129 - if connections come from everywhere and are just TCP probes, it is often
9130 desired to simply disable logging of connections without data exchange, by
9131 setting "option dontlognull" in the frontend. It also disables logging of
9132 port scans, which may or may not be desired.
9133
9134 - if the connection come from a known source network, use "monitor-net" to
9135 declare this network as monitoring only. Any host in this network will then
9136 only be able to perform health checks, and their requests will not be
9137 logged. This is generally appropriate to designate a list of equipments
9138 such as other load-balancers.
9139
9140 - if the tests are performed on a known URI, use "monitor-uri" to declare
9141 this URI as dedicated to monitoring. Any host sending this request will
9142 only get the result of a health-check, and the request will not be logged.
9143
9144
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091458.3.2. Logging before waiting for the session to terminate
9146----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009147
9148The problem with logging at end of connection is that you have no clue about
9149what is happening during very long sessions, such as remote terminal sessions
9150or large file downloads. This problem can be worked around by specifying
9151"option logasap" in the frontend. Haproxy will then log as soon as possible,
9152just before data transfer begins. This means that in case of TCP, it will still
9153log the connection status to the server, and in case of HTTP, it will log just
9154after processing the server headers. In this case, the number of bytes reported
9155is the number of header bytes sent to the client. In order to avoid confusion
9156with normal logs, the total time field and the number of bytes are prefixed
9157with a '+' sign which means that real numbers are certainly larger.
9158
9159
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091608.3.3. Raising log level upon errors
9161------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009162
9163Sometimes it is more convenient to separate normal traffic from errors logs,
9164for instance in order to ease error monitoring from log files. When the option
9165"log-separate-errors" is used, connections which experience errors, timeouts,
9166retries, redispatches or HTTP status codes 5xx will see their syslog level
9167raised from "info" to "err". This will help a syslog daemon store the log in
9168a separate file. It is very important to keep the errors in the normal traffic
9169file too, so that log ordering is not altered. You should also be careful if
9170you already have configured your syslog daemon to store all logs higher than
9171"notice" in an "admin" file, because the "err" level is higher than "notice".
9172
9173
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091748.3.4. Disabling logging of successful connections
9175--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009176
9177Although this may sound strange at first, some large sites have to deal with
9178multiple thousands of logs per second and are experiencing difficulties keeping
9179them intact for a long time or detecting errors within them. If the option
9180"dontlog-normal" is set on the frontend, all normal connections will not be
9181logged. In this regard, a normal connection is defined as one without any
9182error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
9183and a response with a status 5xx is not considered normal and will be logged
9184too. Of course, doing is is really discouraged as it will remove most of the
9185useful information from the logs. Do this only if you have no other
9186alternative.
9187
9188
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091898.4. Timing events
9190------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009191
9192Timers provide a great help in troubleshooting network problems. All values are
9193reported in milliseconds (ms). These timers should be used in conjunction with
9194the session termination flags. In TCP mode with "option tcplog" set on the
9195frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
9196mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
9197
9198 - Tq: total time to get the client request (HTTP mode only). It's the time
9199 elapsed between the moment the client connection was accepted and the
9200 moment the proxy received the last HTTP header. The value "-1" indicates
9201 that the end of headers (empty line) has never been seen. This happens when
9202 the client closes prematurely or times out.
9203
9204 - Tw: total time spent in the queues waiting for a connection slot. It
9205 accounts for backend queue as well as the server queues, and depends on the
9206 queue size, and the time needed for the server to complete previous
9207 requests. The value "-1" means that the request was killed before reaching
9208 the queue, which is generally what happens with invalid or denied requests.
9209
9210 - Tc: total time to establish the TCP connection to the server. It's the time
9211 elapsed between the moment the proxy sent the connection request, and the
9212 moment it was acknowledged by the server, or between the TCP SYN packet and
9213 the matching SYN/ACK packet in return. The value "-1" means that the
9214 connection never established.
9215
9216 - Tr: server response time (HTTP mode only). It's the time elapsed between
9217 the moment the TCP connection was established to the server and the moment
9218 the server sent its complete response headers. It purely shows its request
9219 processing time, without the network overhead due to the data transmission.
9220 It is worth noting that when the client has data to send to the server, for
9221 instance during a POST request, the time already runs, and this can distort
9222 apparent response time. For this reason, it's generally wise not to trust
9223 too much this field for POST requests initiated from clients behind an
9224 untrusted network. A value of "-1" here means that the last the response
9225 header (empty line) was never seen, most likely because the server timeout
9226 stroke before the server managed to process the request.
9227
9228 - Tt: total session duration time, between the moment the proxy accepted it
9229 and the moment both ends were closed. The exception is when the "logasap"
9230 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
9231 prefixed with a '+' sign. From this field, we can deduce "Td", the data
9232 transmission time, by substracting other timers when valid :
9233
9234 Td = Tt - (Tq + Tw + Tc + Tr)
9235
9236 Timers with "-1" values have to be excluded from this equation. In TCP
9237 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
9238 negative.
9239
9240These timers provide precious indications on trouble causes. Since the TCP
9241protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
9242that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009243due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009244close to a timeout value specified in the configuration, it often means that a
9245session has been aborted on timeout.
9246
9247Most common cases :
9248
9249 - If "Tq" is close to 3000, a packet has probably been lost between the
9250 client and the proxy. This is very rare on local networks but might happen
9251 when clients are on far remote networks and send large requests. It may
9252 happen that values larger than usual appear here without any network cause.
9253 Sometimes, during an attack or just after a resource starvation has ended,
9254 haproxy may accept thousands of connections in a few milliseconds. The time
9255 spent accepting these connections will inevitably slightly delay processing
9256 of other connections, and it can happen that request times in the order of
9257 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02009258 connections have been accepted at once. Setting "option http-server-close"
9259 may display larger request times since "Tq" also measures the time spent
9260 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009261
9262 - If "Tc" is close to 3000, a packet has probably been lost between the
9263 server and the proxy during the server connection phase. This value should
9264 always be very low, such as 1 ms on local networks and less than a few tens
9265 of ms on remote networks.
9266
Willy Tarreau55165fe2009-05-10 12:02:55 +02009267 - If "Tr" is nearly always lower than 3000 except some rare values which seem
9268 to be the average majored by 3000, there are probably some packets lost
9269 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009270
9271 - If "Tt" is large even for small byte counts, it generally is because
9272 neither the client nor the server decides to close the connection, for
9273 instance because both have agreed on a keep-alive connection mode. In order
9274 to solve this issue, it will be needed to specify "option httpclose" on
9275 either the frontend or the backend. If the problem persists, it means that
9276 the server ignores the "close" connection mode and expects the client to
9277 close. Then it will be required to use "option forceclose". Having the
9278 smallest possible 'Tt' is important when connection regulation is used with
9279 the "maxconn" option on the servers, since no new connection will be sent
9280 to the server until another one is released.
9281
9282Other noticeable HTTP log cases ('xx' means any value to be ignored) :
9283
9284 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
9285 was emitted before the data phase. All the timers are valid
9286 except "Tt" which is shorter than reality.
9287
9288 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
9289 or it aborted too early. Check the session termination flags
9290 then "timeout http-request" and "timeout client" settings.
9291
9292 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
9293 servers were out of order, because the request was invalid
9294 or forbidden by ACL rules. Check the session termination
9295 flags.
9296
9297 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
9298 actively refused it or it timed out after Tt-(Tq+Tw) ms.
9299 Check the session termination flags, then check the
9300 "timeout connect" setting. Note that the tarpit action might
9301 return similar-looking patterns, with "Tw" equal to the time
9302 the client connection was maintained open.
9303
9304 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
9305 a complete response in time, or it closed its connexion
9306 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
9307 termination flags, then check the "timeout server" setting.
9308
9309
Willy Tarreauc57f0e22009-05-10 13:12:33 +020093108.5. Session state at disconnection
9311-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009312
9313TCP and HTTP logs provide a session termination indicator in the
9314"termination_state" field, just before the number of active connections. It is
93152-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
9316each of which has a special meaning :
9317
9318 - On the first character, a code reporting the first event which caused the
9319 session to terminate :
9320
9321 C : the TCP session was unexpectedly aborted by the client.
9322
9323 S : the TCP session was unexpectedly aborted by the server, or the
9324 server explicitly refused it.
9325
9326 P : the session was prematurely aborted by the proxy, because of a
9327 connection limit enforcement, because a DENY filter was matched,
9328 because of a security check which detected and blocked a dangerous
9329 error in server response which might have caused information leak
9330 (eg: cacheable cookie), or because the response was processed by
9331 the proxy (redirect, stats, etc...).
9332
9333 R : a resource on the proxy has been exhausted (memory, sockets, source
9334 ports, ...). Usually, this appears during the connection phase, and
9335 system logs should contain a copy of the precise error. If this
9336 happens, it must be considered as a very serious anomaly which
9337 should be fixed as soon as possible by any means.
9338
9339 I : an internal error was identified by the proxy during a self-check.
9340 This should NEVER happen, and you are encouraged to report any log
9341 containing this, because this would almost certainly be a bug. It
9342 would be wise to preventively restart the process after such an
9343 event too, in case it would be caused by memory corruption.
9344
Simon Horman752dc4a2011-06-21 14:34:59 +09009345 D : the session was killed by haproxy because the server was detected
9346 as down and was configured to kill all connections when going down.
9347
Willy Tarreaua2a64e92011-09-07 23:01:56 +02009348 K : the session was actively killed by an admin operating on haproxy.
9349
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009350 c : the client-side timeout expired while waiting for the client to
9351 send or receive data.
9352
9353 s : the server-side timeout expired while waiting for the server to
9354 send or receive data.
9355
9356 - : normal session completion, both the client and the server closed
9357 with nothing left in the buffers.
9358
9359 - on the second character, the TCP or HTTP session state when it was closed :
9360
Willy Tarreauf7b30a92010-12-06 22:59:17 +01009361 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009362 (HTTP mode only). Nothing was sent to any server.
9363
9364 Q : the proxy was waiting in the QUEUE for a connection slot. This can
9365 only happen when servers have a 'maxconn' parameter set. It can
9366 also happen in the global queue after a redispatch consecutive to
9367 a failed attempt to connect to a dying server. If no redispatch is
9368 reported, then no connection attempt was made to any server.
9369
9370 C : the proxy was waiting for the CONNECTION to establish on the
9371 server. The server might at most have noticed a connection attempt.
9372
9373 H : the proxy was waiting for complete, valid response HEADERS from the
9374 server (HTTP only).
9375
9376 D : the session was in the DATA phase.
9377
9378 L : the proxy was still transmitting LAST data to the client while the
9379 server had already finished. This one is very rare as it can only
9380 happen when the client dies while receiving the last packets.
9381
9382 T : the request was tarpitted. It has been held open with the client
9383 during the whole "timeout tarpit" duration or until the client
9384 closed, both of which will be reported in the "Tw" timer.
9385
9386 - : normal session completion after end of data transfer.
9387
9388 - the third character tells whether the persistence cookie was provided by
9389 the client (only in HTTP mode) :
9390
9391 N : the client provided NO cookie. This is usually the case for new
9392 visitors, so counting the number of occurrences of this flag in the
9393 logs generally indicate a valid trend for the site frequentation.
9394
9395 I : the client provided an INVALID cookie matching no known server.
9396 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02009397 cookies between HTTP/HTTPS sites, persistence conditionally
9398 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009399
9400 D : the client provided a cookie designating a server which was DOWN,
9401 so either "option persist" was used and the client was sent to
9402 this server, or it was not set and the client was redispatched to
9403 another server.
9404
Willy Tarreau996a92c2010-10-13 19:30:47 +02009405 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009406 server.
9407
Willy Tarreau996a92c2010-10-13 19:30:47 +02009408 E : the client provided a valid cookie, but with a last date which was
9409 older than what is allowed by the "maxidle" cookie parameter, so
9410 the cookie is consider EXPIRED and is ignored. The request will be
9411 redispatched just as if there was no cookie.
9412
9413 O : the client provided a valid cookie, but with a first date which was
9414 older than what is allowed by the "maxlife" cookie parameter, so
9415 the cookie is consider too OLD and is ignored. The request will be
9416 redispatched just as if there was no cookie.
9417
Willy Tarreauc89ccb62012-04-05 21:18:22 +02009418 U : a cookie was present but was not used to select the server because
9419 some other server selection mechanism was used instead (typically a
9420 "use-server" rule).
9421
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009422 - : does not apply (no cookie set in configuration).
9423
9424 - the last character reports what operations were performed on the persistence
9425 cookie returned by the server (only in HTTP mode) :
9426
9427 N : NO cookie was provided by the server, and none was inserted either.
9428
9429 I : no cookie was provided by the server, and the proxy INSERTED one.
9430 Note that in "cookie insert" mode, if the server provides a cookie,
9431 it will still be overwritten and reported as "I" here.
9432
Willy Tarreau996a92c2010-10-13 19:30:47 +02009433 U : the proxy UPDATED the last date in the cookie that was presented by
9434 the client. This can only happen in insert mode with "maxidle". It
9435 happens everytime there is activity at a different date than the
9436 date indicated in the cookie. If any other change happens, such as
9437 a redispatch, then the cookie will be marked as inserted instead.
9438
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009439 P : a cookie was PROVIDED by the server and transmitted as-is.
9440
9441 R : the cookie provided by the server was REWRITTEN by the proxy, which
9442 happens in "cookie rewrite" or "cookie prefix" modes.
9443
9444 D : the cookie provided by the server was DELETED by the proxy.
9445
9446 - : does not apply (no cookie set in configuration).
9447
Willy Tarreau996a92c2010-10-13 19:30:47 +02009448The combination of the two first flags gives a lot of information about what
9449was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009450helpful to detect server saturation, network troubles, local system resource
9451starvation, attacks, etc...
9452
9453The most common termination flags combinations are indicated below. They are
9454alphabetically sorted, with the lowercase set just after the upper case for
9455easier finding and understanding.
9456
9457 Flags Reason
9458
9459 -- Normal termination.
9460
9461 CC The client aborted before the connection could be established to the
9462 server. This can happen when haproxy tries to connect to a recently
9463 dead (or unchecked) server, and the client aborts while haproxy is
9464 waiting for the server to respond or for "timeout connect" to expire.
9465
9466 CD The client unexpectedly aborted during data transfer. This can be
9467 caused by a browser crash, by an intermediate equipment between the
9468 client and haproxy which decided to actively break the connection,
9469 by network routing issues between the client and haproxy, or by a
9470 keep-alive session between the server and the client terminated first
9471 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01009472
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009473 cD The client did not send nor acknowledge any data for as long as the
9474 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +02009475 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009476
9477 CH The client aborted while waiting for the server to start responding.
9478 It might be the server taking too long to respond or the client
9479 clicking the 'Stop' button too fast.
9480
9481 cH The "timeout client" stroke while waiting for client data during a
9482 POST request. This is sometimes caused by too large TCP MSS values
9483 for PPPoE networks which cannot transport full-sized packets. It can
9484 also happen when client timeout is smaller than server timeout and
9485 the server takes too long to respond.
9486
9487 CQ The client aborted while its session was queued, waiting for a server
9488 with enough empty slots to accept it. It might be that either all the
9489 servers were saturated or that the assigned server was taking too
9490 long a time to respond.
9491
9492 CR The client aborted before sending a full HTTP request. Most likely
9493 the request was typed by hand using a telnet client, and aborted
9494 too early. The HTTP status code is likely a 400 here. Sometimes this
9495 might also be caused by an IDS killing the connection between haproxy
9496 and the client.
9497
9498 cR The "timeout http-request" stroke before the client sent a full HTTP
9499 request. This is sometimes caused by too large TCP MSS values on the
9500 client side for PPPoE networks which cannot transport full-sized
9501 packets, or by clients sending requests by hand and not typing fast
9502 enough, or forgetting to enter the empty line at the end of the
9503 request. The HTTP status code is likely a 408 here.
9504
9505 CT The client aborted while its session was tarpitted. It is important to
9506 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02009507 wrong tarpit rules have been written. If a lot of them happen, it
9508 might make sense to lower the "timeout tarpit" value to something
9509 closer to the average reported "Tw" timer, in order not to consume
9510 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009511
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009512 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009513 the TCP connection (the proxy received a TCP RST or an ICMP message
9514 in return). Under some circumstances, it can also be the network
9515 stack telling the proxy that the server is unreachable (eg: no route,
9516 or no ARP response on local network). When this happens in HTTP mode,
9517 the status code is likely a 502 or 503 here.
9518
9519 sC The "timeout connect" stroke before a connection to the server could
9520 complete. When this happens in HTTP mode, the status code is likely a
9521 503 or 504 here.
9522
9523 SD The connection to the server died with an error during the data
9524 transfer. This usually means that haproxy has received an RST from
9525 the server or an ICMP message from an intermediate equipment while
9526 exchanging data with the server. This can be caused by a server crash
9527 or by a network issue on an intermediate equipment.
9528
9529 sD The server did not send nor acknowledge any data for as long as the
9530 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009531 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009532 load-balancers, ...), as well as keep-alive sessions maintained
9533 between the client and the server expiring first on haproxy.
9534
9535 SH The server aborted before sending its full HTTP response headers, or
9536 it crashed while processing the request. Since a server aborting at
9537 this moment is very rare, it would be wise to inspect its logs to
9538 control whether it crashed and why. The logged request may indicate a
9539 small set of faulty requests, demonstrating bugs in the application.
9540 Sometimes this might also be caused by an IDS killing the connection
9541 between haproxy and the server.
9542
9543 sH The "timeout server" stroke before the server could return its
9544 response headers. This is the most common anomaly, indicating too
9545 long transactions, probably caused by server or database saturation.
9546 The immediate workaround consists in increasing the "timeout server"
9547 setting, but it is important to keep in mind that the user experience
9548 will suffer from these long response times. The only long term
9549 solution is to fix the application.
9550
9551 sQ The session spent too much time in queue and has been expired. See
9552 the "timeout queue" and "timeout connect" settings to find out how to
9553 fix this if it happens too often. If it often happens massively in
9554 short periods, it may indicate general problems on the affected
9555 servers due to I/O or database congestion, or saturation caused by
9556 external attacks.
9557
9558 PC The proxy refused to establish a connection to the server because the
9559 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +02009560 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009561 so that it does not happen anymore. This status is very rare and
9562 might happen when the global "ulimit-n" parameter is forced by hand.
9563
Willy Tarreaued2fd2d2010-12-29 11:23:27 +01009564 PD The proxy blocked an incorrectly formatted chunked encoded message in
9565 a request or a response, after the server has emitted its headers. In
9566 most cases, this will indicate an invalid message from the server to
9567 the client.
9568
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009569 PH The proxy blocked the server's response, because it was invalid,
9570 incomplete, dangerous (cache control), or matched a security filter.
9571 In any case, an HTTP 502 error is sent to the client. One possible
9572 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +01009573 containing unauthorized characters. It is also possible but quite
9574 rare, that the proxy blocked a chunked-encoding request from the
9575 client due to an invalid syntax, before the server responded. In this
9576 case, an HTTP 400 error is sent to the client and reported in the
9577 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009578
9579 PR The proxy blocked the client's HTTP request, either because of an
9580 invalid HTTP syntax, in which case it returned an HTTP 400 error to
9581 the client, or because a deny filter matched, in which case it
9582 returned an HTTP 403 error.
9583
9584 PT The proxy blocked the client's request and has tarpitted its
9585 connection before returning it a 500 server error. Nothing was sent
9586 to the server. The connection was maintained open for as long as
9587 reported by the "Tw" timer field.
9588
9589 RC A local resource has been exhausted (memory, sockets, source ports)
9590 preventing the connection to the server from establishing. The error
9591 logs will tell precisely what was missing. This is very rare and can
9592 only be solved by proper system tuning.
9593
Willy Tarreau996a92c2010-10-13 19:30:47 +02009594The combination of the two last flags gives a lot of information about how
9595persistence was handled by the client, the server and by haproxy. This is very
9596important to troubleshoot disconnections, when users complain they have to
9597re-authenticate. The commonly encountered flags are :
9598
9599 -- Persistence cookie is not enabled.
9600
9601 NN No cookie was provided by the client, none was inserted in the
9602 response. For instance, this can be in insert mode with "postonly"
9603 set on a GET request.
9604
9605 II A cookie designating an invalid server was provided by the client,
9606 a valid one was inserted in the response. This typically happens when
9607 a "server" entry is removed from the configuraton, since its cookie
9608 value can be presented by a client when no other server knows it.
9609
9610 NI No cookie was provided by the client, one was inserted in the
9611 response. This typically happens for first requests from every user
9612 in "insert" mode, which makes it an easy way to count real users.
9613
9614 VN A cookie was provided by the client, none was inserted in the
9615 response. This happens for most responses for which the client has
9616 already got a cookie.
9617
9618 VU A cookie was provided by the client, with a last visit date which is
9619 not completely up-to-date, so an updated cookie was provided in
9620 response. This can also happen if there was no date at all, or if
9621 there was a date but the "maxidle" parameter was not set, so that the
9622 cookie can be switched to unlimited time.
9623
9624 EI A cookie was provided by the client, with a last visit date which is
9625 too old for the "maxidle" parameter, so the cookie was ignored and a
9626 new cookie was inserted in the response.
9627
9628 OI A cookie was provided by the client, with a first visit date which is
9629 too old for the "maxlife" parameter, so the cookie was ignored and a
9630 new cookie was inserted in the response.
9631
9632 DI The server designated by the cookie was down, a new server was
9633 selected and a new cookie was emitted in the response.
9634
9635 VI The server designated by the cookie was not marked dead but could not
9636 be reached. A redispatch happened and selected another one, which was
9637 then advertised in the response.
9638
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009639
Willy Tarreauc57f0e22009-05-10 13:12:33 +020096408.6. Non-printable characters
9641-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009642
9643In order not to cause trouble to log analysis tools or terminals during log
9644consulting, non-printable characters are not sent as-is into log files, but are
9645converted to the two-digits hexadecimal representation of their ASCII code,
9646prefixed by the character '#'. The only characters that can be logged without
9647being escaped are comprised between 32 and 126 (inclusive). Obviously, the
9648escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
9649is the same for the character '"' which becomes "#22", as well as '{', '|' and
9650'}' when logging headers.
9651
9652Note that the space character (' ') is not encoded in headers, which can cause
9653issues for tools relying on space count to locate fields. A typical header
9654containing spaces is "User-Agent".
9655
9656Last, it has been observed that some syslog daemons such as syslog-ng escape
9657the quote ('"') with a backslash ('\'). The reverse operation can safely be
9658performed since no quote may appear anywhere else in the logs.
9659
9660
Willy Tarreauc57f0e22009-05-10 13:12:33 +020096618.7. Capturing HTTP cookies
9662---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009663
9664Cookie capture simplifies the tracking a complete user session. This can be
9665achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009666section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009667cookie will simultaneously be checked in the request ("Cookie:" header) and in
9668the response ("Set-Cookie:" header). The respective values will be reported in
9669the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009670locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009671not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
9672user switches to a new session for example, because the server will reassign it
9673a new cookie. It is also possible to detect if a server unexpectedly sets a
9674wrong cookie to a client, leading to session crossing.
9675
9676 Examples :
9677 # capture the first cookie whose name starts with "ASPSESSION"
9678 capture cookie ASPSESSION len 32
9679
9680 # capture the first cookie whose name is exactly "vgnvisitor"
9681 capture cookie vgnvisitor= len 32
9682
9683
Willy Tarreauc57f0e22009-05-10 13:12:33 +020096848.8. Capturing HTTP headers
9685---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009686
9687Header captures are useful to track unique request identifiers set by an upper
9688proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
9689the response, one can search for information about the response length, how the
9690server asked the cache to behave, or an object location during a redirection.
9691
9692Header captures are performed using the "capture request header" and "capture
9693response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009694section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009695
9696It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009697time. Non-existent headers are logged as empty strings, and if one header
9698appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009699are grouped within braces '{' and '}' in the same order as they were declared,
9700and delimited with a vertical bar '|' without any space. Response headers
9701follow the same representation, but are displayed after a space following the
9702request headers block. These blocks are displayed just before the HTTP request
9703in the logs.
9704
9705 Example :
9706 # This instance chains to the outgoing proxy
9707 listen proxy-out
9708 mode http
9709 option httplog
9710 option logasap
9711 log global
9712 server cache1 192.168.1.1:3128
9713
9714 # log the name of the virtual server
9715 capture request header Host len 20
9716
9717 # log the amount of data uploaded during a POST
9718 capture request header Content-Length len 10
9719
9720 # log the beginning of the referrer
9721 capture request header Referer len 20
9722
9723 # server name (useful for outgoing proxies only)
9724 capture response header Server len 20
9725
9726 # logging the content-length is useful with "option logasap"
9727 capture response header Content-Length len 10
9728
9729 # log the expected cache behaviour on the response
9730 capture response header Cache-Control len 8
9731
9732 # the Via header will report the next proxy's name
9733 capture response header Via len 20
9734
9735 # log the URL location during a redirection
9736 capture response header Location len 20
9737
9738 >>> Aug 9 20:26:09 localhost \
9739 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
9740 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
9741 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
9742 "GET http://fr.adserver.yahoo.com/"
9743
9744 >>> Aug 9 20:30:46 localhost \
9745 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
9746 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
9747 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009748 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009749
9750 >>> Aug 9 20:30:46 localhost \
9751 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
9752 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
9753 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
9754 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009755 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009756
9757
Willy Tarreauc57f0e22009-05-10 13:12:33 +020097588.9. Examples of logs
9759---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009760
9761These are real-world examples of logs accompanied with an explanation. Some of
9762them have been made up by hand. The syslog part has been removed for better
9763reading. Their sole purpose is to explain how to decipher them.
9764
9765 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
9766 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
9767 "HEAD / HTTP/1.0"
9768
9769 => long request (6.5s) entered by hand through 'telnet'. The server replied
9770 in 147 ms, and the session ended normally ('----')
9771
9772 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
9773 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
9774 0/9 "HEAD / HTTP/1.0"
9775
9776 => Idem, but the request was queued in the global queue behind 9 other
9777 requests, and waited there for 1230 ms.
9778
9779 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
9780 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
9781 "GET /image.iso HTTP/1.0"
9782
9783 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009784 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009785 14 ms, 243 bytes of headers were sent to the client, and total time from
9786 accept to first data byte is 30 ms.
9787
9788 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
9789 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
9790 "GET /cgi-bin/bug.cgi? HTTP/1.0"
9791
9792 => the proxy blocked a server response either because of an "rspdeny" or
9793 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02009794 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009795 risked being cached. In this case, the response is replaced with a "502
9796 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
9797 to return the 502 and not the server.
9798
9799 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009800 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009801
9802 => the client never completed its request and aborted itself ("C---") after
9803 8.5s, while the proxy was waiting for the request headers ("-R--").
9804 Nothing was sent to any server.
9805
9806 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
9807 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
9808
9809 => The client never completed its request, which was aborted by the
9810 time-out ("c---") after 50s, while the proxy was waiting for the request
9811 headers ("-R--"). Nothing was sent to any server, but the proxy could
9812 send a 408 return code to the client.
9813
9814 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
9815 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
9816
9817 => This log was produced with "option tcplog". The client timed out after
9818 5 seconds ("c----").
9819
9820 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
9821 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009822 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009823
9824 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009825 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009826 (config says 'retries 3'), and no redispatch (otherwise we would have
9827 seen "/+3"). Status code 503 was returned to the client. There were 115
9828 connections on this server, 202 connections on this proxy, and 205 on
9829 the global process. It is possible that the server refused the
9830 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009831
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009832
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098339. Statistics and monitoring
9834----------------------------
9835
9836It is possible to query HAProxy about its status. The most commonly used
9837mechanism is the HTTP statistics page. This page also exposes an alternative
9838CSV output format for monitoring tools. The same format is provided on the
9839Unix socket.
9840
9841
98429.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009843---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01009844
Willy Tarreau7f062c42009-03-05 18:43:00 +01009845The statistics may be consulted either from the unix socket or from the HTTP
9846page. Both means provide a CSV format whose fields follow.
9847
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01009848 0. pxname: proxy name
9849 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
9850 for server)
9851 2. qcur: current queued requests
9852 3. qmax: max queued requests
9853 4. scur: current sessions
9854 5. smax: max sessions
9855 6. slim: sessions limit
9856 7. stot: total sessions
9857 8. bin: bytes in
9858 9. bout: bytes out
9859 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01009860 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01009861 12. ereq: request errors
9862 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +01009863 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01009864 15. wretr: retries (warning)
9865 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +01009866 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01009867 18. weight: server weight (server), total weight (backend)
9868 19. act: server is active (server), number of active servers (backend)
9869 20. bck: server is backup (server), number of backup servers (backend)
9870 21. chkfail: number of failed checks
9871 22. chkdown: number of UP->DOWN transitions
9872 23. lastchg: last status change (in seconds)
9873 24. downtime: total downtime (in seconds)
9874 25. qlimit: queue limit
9875 26. pid: process id (0 for first instance, 1 for second, ...)
9876 27. iid: unique proxy id
9877 28. sid: service id (unique inside a proxy)
9878 29. throttle: warm up status
9879 30. lbtot: total number of times a server was selected
9880 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02009881 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +02009882 33. rate: number of sessions per second over last elapsed second
9883 34. rate_lim: limit on new sessions per second
9884 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02009885 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +01009886 UNK -> unknown
9887 INI -> initializing
9888 SOCKERR -> socket error
9889 L4OK -> check passed on layer 4, no upper layers testing enabled
9890 L4TMOUT -> layer 1-4 timeout
9891 L4CON -> layer 1-4 connection problem, for example
9892 "Connection refused" (tcp rst) or "No route to host" (icmp)
9893 L6OK -> check passed on layer 6
9894 L6TOUT -> layer 6 (SSL) timeout
9895 L6RSP -> layer 6 invalid response - protocol error
9896 L7OK -> check passed on layer 7
9897 L7OKC -> check conditionally passed on layer 7, for example 404 with
9898 disable-on-404
9899 L7TOUT -> layer 7 (HTTP/SMTP) timeout
9900 L7RSP -> layer 7 invalid response - protocol error
9901 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02009902 37. check_code: layer5-7 code, if available
9903 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009904 39. hrsp_1xx: http responses with 1xx code
9905 40. hrsp_2xx: http responses with 2xx code
9906 41. hrsp_3xx: http responses with 3xx code
9907 42. hrsp_4xx: http responses with 4xx code
9908 43. hrsp_5xx: http responses with 5xx code
9909 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +01009910 45. hanafail: failed health checks details
9911 46. req_rate: HTTP requests per second over last elapsed second
9912 47. req_rate_max: max number of HTTP requests per second observed
9913 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +01009914 49. cli_abrt: number of data transfers aborted by the client
9915 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +01009916
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009917
Willy Tarreauc57f0e22009-05-10 13:12:33 +020099189.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009919-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01009920
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009921The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02009922must be terminated by a line feed. The socket supports pipelining, so that it
9923is possible to chain multiple commands at once provided they are delimited by
9924a semi-colon or a line feed, although the former is more reliable as it has no
9925risk of being truncated over the network. The responses themselves will each be
9926followed by an empty line, so it will be easy for an external script to match a
9927given response with a given request. By default one command line is processed
9928then the connection closes, but there is an interactive allowing multiple lines
9929to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009930
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02009931It is important to understand that when multiple haproxy processes are started
9932on the same sockets, any process may pick up the request and will output its
9933own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01009934
Willy Tarreaud63335a2010-02-26 12:56:52 +01009935clear counters
9936 Clear the max values of the statistics counters in each proxy (frontend &
9937 backend) and in each server. The cumulated counters are not affected. This
9938 can be used to get clean counters after an incident, without having to
9939 restart nor to clear traffic counters. This command is restricted and can
9940 only be issued on sockets configured for levels "operator" or "admin".
9941
9942clear counters all
9943 Clear all statistics counters in each proxy (frontend & backend) and in each
9944 server. This has the same effect as restarting. This command is restricted
9945 and can only be issued on sockets configured for level "admin".
9946
Simon Hormanc88b8872011-06-15 15:18:49 +09009947clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
9948 Remove entries from the stick-table <table>.
9949
9950 This is typically used to unblock some users complaining they have been
9951 abusively denied access to a service, but this can also be used to clear some
9952 stickiness entries matching a server that is going to be replaced (see "show
9953 table" below for details). Note that sometimes, removal of an entry will be
9954 refused because it is currently tracked by a session. Retrying a few seconds
9955 later after the session ends is usual enough.
9956
9957 In the case where no options arguments are given all entries will be removed.
9958
9959 When the "data." form is used entries matching a filter applied using the
9960 stored data (see "stick-table" in section 4.2) are removed. A stored data
9961 type must be specified in <type>, and this data type must be stored in the
9962 table otherwise an error is reported. The data is compared according to
9963 <operator> with the 64-bit integer <value>. Operators are the same as with
9964 the ACLs :
9965
9966 - eq : match entries whose data is equal to this value
9967 - ne : match entries whose data is not equal to this value
9968 - le : match entries whose data is less than or equal to this value
9969 - ge : match entries whose data is greater than or equal to this value
9970 - lt : match entries whose data is less than this value
9971 - gt : match entries whose data is greater than this value
9972
9973 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +09009974 same type as the table, which currently is limited to IPv4, IPv6, integer and
9975 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02009976
9977 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02009978 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +02009979 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +02009980 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
9981 bytes_out_rate(60000)=187
9982 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
9983 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02009984
9985 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
9986
9987 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +02009988 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +02009989 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
9990 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +09009991 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
9992 $ echo "show table http_proxy" | socat stdio /tmp/sock1
9993 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02009994
Willy Tarreau532a4502011-09-07 22:37:44 +02009995disable frontend <frontend>
9996 Mark the frontend as temporarily stopped. This corresponds to the mode which
9997 is used during a soft restart : the frontend releases the port but can be
9998 enabled again if needed. This should be used with care as some non-Linux OSes
9999 are unable to enable it back. This is intended to be used in environments
10000 where stopping a proxy is not even imaginable but a misconfigured proxy must
10001 be fixed. That way it's possible to release the port and bind it into another
10002 process to restore operations. The frontend will appear with status "STOP"
10003 on the stats page.
10004
10005 The frontend may be specified either by its name or by its numeric ID,
10006 prefixed with a sharp ('#').
10007
10008 This command is restricted and can only be issued on sockets configured for
10009 level "admin".
10010
Willy Tarreaud63335a2010-02-26 12:56:52 +010010011disable server <backend>/<server>
10012 Mark the server DOWN for maintenance. In this mode, no more checks will be
10013 performed on the server until it leaves maintenance.
10014 If the server is tracked by other servers, those servers will be set to DOWN
10015 during the maintenance.
10016
10017 In the statistics page, a server DOWN for maintenance will appear with a
10018 "MAINT" status, its tracking servers with the "MAINT(via)" one.
10019
10020 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010021 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010022
10023 This command is restricted and can only be issued on sockets configured for
10024 level "admin".
10025
Willy Tarreau532a4502011-09-07 22:37:44 +020010026enable frontend <frontend>
10027 Resume a frontend which was temporarily stopped. It is possible that some of
10028 the listening ports won't be able to bind anymore (eg: if another process
10029 took them since the 'disable frontend' operation). If this happens, an error
10030 is displayed. Some operating systems might not be able to resume a frontend
10031 which was disabled.
10032
10033 The frontend may be specified either by its name or by its numeric ID,
10034 prefixed with a sharp ('#').
10035
10036 This command is restricted and can only be issued on sockets configured for
10037 level "admin".
10038
Willy Tarreaud63335a2010-02-26 12:56:52 +010010039enable server <backend>/<server>
10040 If the server was previously marked as DOWN for maintenance, this marks the
10041 server UP and checks are re-enabled.
10042
10043 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010044 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010045
10046 This command is restricted and can only be issued on sockets configured for
10047 level "admin".
10048
10049get weight <backend>/<server>
10050 Report the current weight and the initial weight of server <server> in
10051 backend <backend> or an error if either doesn't exist. The initial weight is
10052 the one that appears in the configuration file. Both are normally equal
10053 unless the current weight has been changed. Both the backend and the server
10054 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020010055 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010056
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010057help
10058 Print the list of known keywords and their basic usage. The same help screen
10059 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010060
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010061prompt
10062 Toggle the prompt at the beginning of the line and enter or leave interactive
10063 mode. In interactive mode, the connection is not closed after a command
10064 completes. Instead, the prompt will appear again, indicating the user that
10065 the interpreter is waiting for a new command. The prompt consists in a right
10066 angle bracket followed by a space "> ". This mode is particularly convenient
10067 when one wants to periodically check information such as stats or errors.
10068 It is also a good idea to enter interactive mode before issuing a "help"
10069 command.
10070
10071quit
10072 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010073
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020010074set maxconn frontend <frontend> <value>
10075 Dynamically change the specified frontend's maxconn setting. Any non-null
10076 positive value is allowed, but setting values larger than the global maxconn
10077 does not make much sense. If the limit is increased and connections were
10078 pending, they will immediately be accepted. If it is lowered to a value below
10079 the current number of connections, new connections acceptation will be
10080 delayed until the threshold is reached. The frontend might be specified by
10081 either its name or its numeric ID prefixed with a sharp ('#').
10082
Willy Tarreau91886b62011-09-07 14:38:31 +020010083set maxconn global <maxconn>
10084 Dynamically change the global maxconn setting within the range defined by the
10085 initial global maxconn setting. If it is increased and connections were
10086 pending, they will immediately be accepted. If it is lowered to a value below
10087 the current number of connections, new connections acceptation will be
10088 delayed until the threshold is reached. A value of zero restores the initial
10089 setting.
10090
Willy Tarreauf5b22872011-09-07 16:13:44 +020010091set rate-limit connections global <value>
10092 Change the process-wide connection rate limit, which is set by the global
10093 'maxconnrate' setting. A value of zero disables the limitation. This limit
10094 applies to all frontends and the change has an immediate effect. The value
10095 is passed in number of connections per second.
10096
Willy Tarreaud63335a2010-02-26 12:56:52 +010010097set timeout cli <delay>
10098 Change the CLI interface timeout for current connection. This can be useful
10099 during long debugging sessions where the user needs to constantly inspect
10100 some indicators without being disconnected. The delay is passed in seconds.
10101
10102set weight <backend>/<server> <weight>[%]
10103 Change a server's weight to the value passed in argument. If the value ends
10104 with the '%' sign, then the new weight will be relative to the initially
10105 configured weight. Relative weights are only permitted between 0 and 100%,
10106 and absolute weights are permitted between 0 and 256. Servers which are part
10107 of a farm running a static load-balancing algorithm have stricter limitations
10108 because the weight cannot change once set. Thus for these servers, the only
10109 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
10110 effect immediately, though certain LB algorithms require a certain amount of
10111 requests to consider changes. A typical usage of this command is to disable
10112 a server during an update by setting its weight to zero, then to enable it
10113 again after the update by setting it back to 100%. This command is restricted
10114 and can only be issued on sockets configured for level "admin". Both the
10115 backend and the server may be specified either by their name or by their
Willy Tarreauf5f31922011-08-02 11:32:07 +020010116 numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010117
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010118show errors [<iid>]
10119 Dump last known request and response errors collected by frontends and
10120 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020010121 either frontend or backend whose ID is <iid>. This command is restricted
10122 and can only be issued on sockets configured for levels "operator" or
10123 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010124
10125 The errors which may be collected are the last request and response errors
10126 caused by protocol violations, often due to invalid characters in header
10127 names. The report precisely indicates what exact character violated the
10128 protocol. Other important information such as the exact date the error was
10129 detected, frontend and backend names, the server name (when known), the
10130 internal session ID and the source address which has initiated the session
10131 are reported too.
10132
10133 All characters are returned, and non-printable characters are encoded. The
10134 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
10135 letter following a backslash. The backslash itself is encoded as '\\' to
10136 avoid confusion. Other non-printable characters are encoded '\xNN' where
10137 NN is the two-digits hexadecimal representation of the character's ASCII
10138 code.
10139
10140 Lines are prefixed with the position of their first character, starting at 0
10141 for the beginning of the buffer. At most one input line is printed per line,
10142 and large lines will be broken into multiple consecutive output lines so that
10143 the output never goes beyond 79 characters wide. It is easy to detect if a
10144 line was broken, because it will not end with '\n' and the next line's offset
10145 will be followed by a '+' sign, indicating it is a continuation of previous
10146 line.
10147
10148 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010149 $ echo "show errors" | socat stdio /tmp/sock1
10150 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010151 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
10152 response length 213 bytes, error at position 23:
10153
10154 00000 HTTP/1.0 200 OK\r\n
10155 00017 header/bizarre:blah\r\n
10156 00038 Location: blah\r\n
10157 00054 Long-line: this is a very long line which should b
10158 00104+ e broken into multiple lines on the output buffer,
10159 00154+ otherwise it would be too large to print in a ter
10160 00204+ minal\r\n
10161 00211 \r\n
10162
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010163 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010164 ID 2 has blocked an invalid response from its server s2 which has internal
10165 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
10166 received by frontend fe-eth0 whose ID is 1. The total response length was
10167 213 bytes when the error was detected, and the error was at byte 23. This
10168 is the slash ('/') in header name "header/bizarre", which is not a valid
10169 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010170
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010171show info
10172 Dump info about haproxy status on current process.
10173
10174show sess
10175 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020010176 be huge. This command is restricted and can only be issued on sockets
10177 configured for levels "operator" or "admin".
10178
Willy Tarreau66dc20a2010-03-05 17:53:32 +010010179show sess <id>
10180 Display a lot of internal information about the specified session identifier.
10181 This identifier is the first field at the beginning of the lines in the dumps
10182 of "show sess" (it corresponds to the session pointer). Those information are
10183 useless to most users but may be used by haproxy developers to troubleshoot a
10184 complex bug. The output format is intentionally not documented so that it can
10185 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010186
10187show stat [<iid> <type> <sid>]
10188 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
10189 possible to dump only selected items :
10190 - <iid> is a proxy ID, -1 to dump everything
10191 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
10192 backends, 4 for servers, -1 for everything. These values can be ORed,
10193 for example:
10194 1 + 2 = 3 -> frontend + backend.
10195 1 + 2 + 4 = 7 -> frontend + backend + server.
10196 - <sid> is a server ID, -1 to dump everything from the selected proxy.
10197
10198 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010199 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
10200 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010201 Version: 1.4-dev2-49
10202 Release_date: 2009/09/23
10203 Nbproc: 1
10204 Process_num: 1
10205 (...)
10206
10207 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
10208 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
10209 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
10210 (...)
10211 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
10212
10213 $
10214
10215 Here, two commands have been issued at once. That way it's easy to find
10216 which process the stats apply to in multi-process mode. Notice the empty
10217 line after the information output which marks the end of the first block.
10218 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010219 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010220
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010221show table
10222 Dump general information on all known stick-tables. Their name is returned
10223 (the name of the proxy which holds them), their type (currently zero, always
10224 IP), their size in maximum possible number of entries, and the number of
10225 entries currently in use.
10226
10227 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010228 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010229 >>> # table: front_pub, type: ip, size:204800, used:171454
10230 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010231
Simon Horman17bce342011-06-15 15:18:47 +090010232show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010233 Dump contents of stick-table <name>. In this mode, a first line of generic
10234 information about the table is reported as with "show table", then all
10235 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090010236 a filter in order to specify what entries to display.
10237
10238 When the "data." form is used the filter applies to the stored data (see
10239 "stick-table" in section 4.2). A stored data type must be specified
10240 in <type>, and this data type must be stored in the table otherwise an
10241 error is reported. The data is compared according to <operator> with the
10242 64-bit integer <value>. Operators are the same as with the ACLs :
10243
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010244 - eq : match entries whose data is equal to this value
10245 - ne : match entries whose data is not equal to this value
10246 - le : match entries whose data is less than or equal to this value
10247 - ge : match entries whose data is greater than or equal to this value
10248 - lt : match entries whose data is less than this value
10249 - gt : match entries whose data is greater than this value
10250
Simon Hormanc88b8872011-06-15 15:18:49 +090010251
10252 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090010253 same type as the table, which currently is limited to IPv4, IPv6, integer,
10254 and string.
Simon Horman17bce342011-06-15 15:18:47 +090010255
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010256 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010257 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010258 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010259 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
10260 bytes_out_rate(60000)=187
10261 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10262 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010263
Willy Tarreau62a36c42010-08-17 15:53:10 +020010264 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010265 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010266 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10267 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010268
Willy Tarreau62a36c42010-08-17 15:53:10 +020010269 $ echo "show table http_proxy data.conn_rate gt 5" | \
10270 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010271 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010272 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10273 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010274
Simon Horman17bce342011-06-15 15:18:47 +090010275 $ echo "show table http_proxy key 127.0.0.2" | \
10276 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010277 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090010278 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10279 bytes_out_rate(60000)=191
10280
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010281 When the data criterion applies to a dynamic value dependent on time such as
10282 a bytes rate, the value is dynamically computed during the evaluation of the
10283 entry in order to decide whether it has to be dumped or not. This means that
10284 such a filter could match for some time then not match anymore because as
10285 time goes, the average event rate drops.
10286
10287 It is possible to use this to extract lists of IP addresses abusing the
10288 service, in order to monitor them or even blacklist them in a firewall.
10289 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010290 $ echo "show table http_proxy data.gpc0 gt 0" \
10291 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010292 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
10293 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020010294
Willy Tarreau532a4502011-09-07 22:37:44 +020010295shutdown frontend <frontend>
10296 Completely delete the specified frontend. All the ports it was bound to will
10297 be released. It will not be possible to enable the frontend anymore after
10298 this operation. This is intended to be used in environments where stopping a
10299 proxy is not even imaginable but a misconfigured proxy must be fixed. That
10300 way it's possible to release the port and bind it into another process to
10301 restore operations. The frontend will not appear at all on the stats page
10302 once it is terminated.
10303
10304 The frontend may be specified either by its name or by its numeric ID,
10305 prefixed with a sharp ('#').
10306
10307 This command is restricted and can only be issued on sockets configured for
10308 level "admin".
10309
Willy Tarreaua295edc2011-09-07 23:21:03 +020010310shutdown session <id>
10311 Immediately terminate the session matching the specified session identifier.
10312 This identifier is the first field at the beginning of the lines in the dumps
10313 of "show sess" (it corresponds to the session pointer). This can be used to
10314 terminate a long-running session without waiting for a timeout or when an
10315 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
10316 flag in the logs.
10317
Willy Tarreau52b2d222011-09-07 23:48:48 +020010318shutdown sessions <backend>/<server>
10319 Immediately terminate all the sessions attached to the specified server. This
10320 can be used to terminate long-running sessions after a server is put into
10321 maintenance mode, for instance. Such terminated sessions are reported with a
10322 'K' flag in the logs.
10323
Willy Tarreau0ba27502007-12-24 16:55:16 +010010324/*
10325 * Local variables:
10326 * fill-column: 79
10327 * End:
10328 */