blob: 69f4591723ed7fd74d73bef0d2633a3071fe6bbe [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau16216822012-09-10 09:46:55 +02007 2012/09/10
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Willy Tarreau086fbf52012-09-24 20:34:51 +0200565. Bind and Server options
575.1. Bind options
585.2. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
606. HTTP header manipulation
61
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100627. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200637.1. Matching integers
647.2. Matching strings
657.3. Matching regular expressions (regexes)
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200667.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200677.5. Available matching criteria
687.5.1. Matching at Layer 4 and below
697.5.2. Matching contents at Layer 4
707.5.3. Matching at Layer 7
717.6. Pre-defined ACLs
727.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100737.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074
758. Logging
768.1. Log levels
778.2. Log formats
788.2.1. Default log format
798.2.2. TCP log format
808.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100818.2.4. Custom log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200828.3. Advanced logging options
838.3.1. Disabling logging of external tests
848.3.2. Logging before waiting for the session to terminate
858.3.3. Raising log level upon errors
868.3.4. Disabling logging of successful connections
878.4. Timing events
888.5. Session state at disconnection
898.6. Non-printable characters
908.7. Capturing HTTP cookies
918.8. Capturing HTTP headers
928.9. Examples of logs
93
949. Statistics and monitoring
959.1. CSV format
969.2. Unix Socket commands
97
98
991. Quick reminder about HTTP
100----------------------------
101
102When haproxy is running in HTTP mode, both the request and the response are
103fully analyzed and indexed, thus it becomes possible to build matching criteria
104on almost anything found in the contents.
105
106However, it is important to understand how HTTP requests and responses are
107formed, and how HAProxy decomposes them. It will then become easier to write
108correct rules and to debug existing configurations.
109
110
1111.1. The HTTP transaction model
112-------------------------------
113
114The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100115to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200116from the client to the server, a request is sent by the client on the
117connection, the server responds and the connection is closed. A new request
118will involve a new connection :
119
120 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
121
122In this mode, called the "HTTP close" mode, there are as many connection
123establishments as there are HTTP transactions. Since the connection is closed
124by the server after the response, the client does not need to know the content
125length.
126
127Due to the transactional nature of the protocol, it was possible to improve it
128to avoid closing a connection between two subsequent transactions. In this mode
129however, it is mandatory that the server indicates the content length for each
130response so that the client does not wait indefinitely. For this, a special
131header is used: "Content-length". This mode is called the "keep-alive" mode :
132
133 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
134
135Its advantages are a reduced latency between transactions, and less processing
136power required on the server side. It is generally better than the close mode,
137but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200138a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200139
140A last improvement in the communications is the pipelining mode. It still uses
141keep-alive, but the client does not wait for the first response to send the
142second request. This is useful for fetching large number of images composing a
143page :
144
145 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
146
147This can obviously have a tremendous benefit on performance because the network
148latency is eliminated between subsequent requests. Many HTTP agents do not
149correctly support pipelining since there is no way to associate a response with
150the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100151server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200152
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200153By default HAProxy operates in a tunnel-like mode with regards to persistent
154connections: for each connection it processes the first request and forwards
155everything else (including additional requests) to selected server. Once
156established, the connection is persisted both on the client and server
157sides. Use "option http-server-close" to preserve client persistent connections
158while handling every incoming request individually, dispatching them one after
159another to servers, in HTTP close mode. Use "option httpclose" to switch both
160sides to HTTP close mode. "option forceclose" and "option
161http-pretend-keepalive" help working around servers misbehaving in HTTP close
162mode.
163
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200164
1651.2. HTTP request
166-----------------
167
168First, let's consider this HTTP request :
169
170 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100171 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200172 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
173 2 Host: www.mydomain.com
174 3 User-agent: my small browser
175 4 Accept: image/jpeg, image/gif
176 5 Accept: image/png
177
178
1791.2.1. The Request line
180-----------------------
181
182Line 1 is the "request line". It is always composed of 3 fields :
183
184 - a METHOD : GET
185 - a URI : /serv/login.php?lang=en&profile=2
186 - a version tag : HTTP/1.1
187
188All of them are delimited by what the standard calls LWS (linear white spaces),
189which are commonly spaces, but can also be tabs or line feeds/carriage returns
190followed by spaces/tabs. The method itself cannot contain any colon (':') and
191is limited to alphabetic letters. All those various combinations make it
192desirable that HAProxy performs the splitting itself rather than leaving it to
193the user to write a complex or inaccurate regular expression.
194
195The URI itself can have several forms :
196
197 - A "relative URI" :
198
199 /serv/login.php?lang=en&profile=2
200
201 It is a complete URL without the host part. This is generally what is
202 received by servers, reverse proxies and transparent proxies.
203
204 - An "absolute URI", also called a "URL" :
205
206 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
207
208 It is composed of a "scheme" (the protocol name followed by '://'), a host
209 name or address, optionally a colon (':') followed by a port number, then
210 a relative URI beginning at the first slash ('/') after the address part.
211 This is generally what proxies receive, but a server supporting HTTP/1.1
212 must accept this form too.
213
214 - a star ('*') : this form is only accepted in association with the OPTIONS
215 method and is not relayable. It is used to inquiry a next hop's
216 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100217
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200218 - an address:port combination : 192.168.0.12:80
219 This is used with the CONNECT method, which is used to establish TCP
220 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
221 other protocols too.
222
223In a relative URI, two sub-parts are identified. The part before the question
224mark is called the "path". It is typically the relative path to static objects
225on the server. The part after the question mark is called the "query string".
226It is mostly used with GET requests sent to dynamic scripts and is very
227specific to the language, framework or application in use.
228
229
2301.2.2. The request headers
231--------------------------
232
233The headers start at the second line. They are composed of a name at the
234beginning of the line, immediately followed by a colon (':'). Traditionally,
235an LWS is added after the colon but that's not required. Then come the values.
236Multiple identical headers may be folded into one single line, delimiting the
237values with commas, provided that their order is respected. This is commonly
238encountered in the "Cookie:" field. A header may span over multiple lines if
239the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
240define a total of 3 values for the "Accept:" header.
241
242Contrary to a common mis-conception, header names are not case-sensitive, and
243their values are not either if they refer to other header names (such as the
244"Connection:" header).
245
246The end of the headers is indicated by the first empty line. People often say
247that it's a double line feed, which is not exact, even if a double line feed
248is one valid form of empty line.
249
250Fortunately, HAProxy takes care of all these complex combinations when indexing
251headers, checking values and counting them, so there is no reason to worry
252about the way they could be written, but it is important not to accuse an
253application of being buggy if it does unusual, valid things.
254
255Important note:
256 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
257 in the middle of headers by LWS in order to join multi-line headers. This
258 is necessary for proper analysis and helps less capable HTTP parsers to work
259 correctly and not to be fooled by such complex constructs.
260
261
2621.3. HTTP response
263------------------
264
265An HTTP response looks very much like an HTTP request. Both are called HTTP
266messages. Let's consider this HTTP response :
267
268 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100269 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200270 1 HTTP/1.1 200 OK
271 2 Content-length: 350
272 3 Content-Type: text/html
273
Willy Tarreau816b9792009-09-15 21:25:21 +0200274As a special case, HTTP supports so called "Informational responses" as status
275codes 1xx. These messages are special in that they don't convey any part of the
276response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100277continue to post its request for instance. In the case of a status 100 response
278the requested information will be carried by the next non-100 response message
279following the informational one. This implies that multiple responses may be
280sent to a single request, and that this only works when keep-alive is enabled
281(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
282correctly forward and skip them, and only process the next non-100 response. As
283such, these messages are neither logged nor transformed, unless explicitly
284state otherwise. Status 101 messages indicate that the protocol is changing
285over the same connection and that haproxy must switch to tunnel mode, just as
286if a CONNECT had occurred. Then the Upgrade header would contain additional
287information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200288
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200289
2901.3.1. The Response line
291------------------------
292
293Line 1 is the "response line". It is always composed of 3 fields :
294
295 - a version tag : HTTP/1.1
296 - a status code : 200
297 - a reason : OK
298
299The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200300 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200301 - 2xx = OK, content is following (eg: 200, 206)
302 - 3xx = OK, no content following (eg: 302, 304)
303 - 4xx = error caused by the client (eg: 401, 403, 404)
304 - 5xx = error caused by the server (eg: 500, 502, 503)
305
306Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100307"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200308found there, but it's a common practice to respect the well-established
309messages. It can be composed of one or multiple words, such as "OK", "Found",
310or "Authentication Required".
311
312Haproxy may emit the following status codes by itself :
313
314 Code When / reason
315 200 access to stats page, and when replying to monitoring requests
316 301 when performing a redirection, depending on the configured code
317 302 when performing a redirection, depending on the configured code
318 303 when performing a redirection, depending on the configured code
319 400 for an invalid or too large request
320 401 when an authentication is required to perform the action (when
321 accessing the stats page)
322 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
323 408 when the request timeout strikes before the request is complete
324 500 when haproxy encounters an unrecoverable internal error, such as a
325 memory allocation failure, which should never happen
326 502 when the server returns an empty, invalid or incomplete response, or
327 when an "rspdeny" filter blocks the response.
328 503 when no server was available to handle the request, or in response to
329 monitoring requests which match the "monitor fail" condition
330 504 when the response timeout strikes before the server responds
331
332The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3334.2).
334
335
3361.3.2. The response headers
337---------------------------
338
339Response headers work exactly like request headers, and as such, HAProxy uses
340the same parsing function for both. Please refer to paragraph 1.2.2 for more
341details.
342
343
3442. Configuring HAProxy
345----------------------
346
3472.1. Configuration file format
348------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200349
350HAProxy's configuration process involves 3 major sources of parameters :
351
352 - the arguments from the command-line, which always take precedence
353 - the "global" section, which sets process-wide parameters
354 - the proxies sections which can take form of "defaults", "listen",
355 "frontend" and "backend".
356
Willy Tarreau0ba27502007-12-24 16:55:16 +0100357The configuration file syntax consists in lines beginning with a keyword
358referenced in this manual, optionally followed by one or several parameters
359delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100360preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100361escaped by doubling them.
362
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200363
3642.2. Time format
365----------------
366
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100367Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100368values are generally expressed in milliseconds (unless explicitly stated
369otherwise) but may be expressed in any other unit by suffixing the unit to the
370numeric value. It is important to consider this because it will not be repeated
371for every keyword. Supported units are :
372
373 - us : microseconds. 1 microsecond = 1/1000000 second
374 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
375 - s : seconds. 1s = 1000ms
376 - m : minutes. 1m = 60s = 60000ms
377 - h : hours. 1h = 60m = 3600s = 3600000ms
378 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
379
380
Patrick Mezard35da19c2010-06-12 17:02:47 +02003812.3. Examples
382-------------
383
384 # Simple configuration for an HTTP proxy listening on port 80 on all
385 # interfaces and forwarding requests to a single backend "servers" with a
386 # single server "server1" listening on 127.0.0.1:8000
387 global
388 daemon
389 maxconn 256
390
391 defaults
392 mode http
393 timeout connect 5000ms
394 timeout client 50000ms
395 timeout server 50000ms
396
397 frontend http-in
398 bind *:80
399 default_backend servers
400
401 backend servers
402 server server1 127.0.0.1:8000 maxconn 32
403
404
405 # The same configuration defined with a single listen block. Shorter but
406 # less expressive, especially in HTTP mode.
407 global
408 daemon
409 maxconn 256
410
411 defaults
412 mode http
413 timeout connect 5000ms
414 timeout client 50000ms
415 timeout server 50000ms
416
417 listen http-in
418 bind *:80
419 server server1 127.0.0.1:8000 maxconn 32
420
421
422Assuming haproxy is in $PATH, test these configurations in a shell with:
423
Willy Tarreauccb289d2010-12-11 20:19:38 +0100424 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200425
426
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004273. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200428--------------------
429
430Parameters in the "global" section are process-wide and often OS-specific. They
431are generally set once for all and do not need being changed once correct. Some
432of them have command-line equivalents.
433
434The following keywords are supported in the "global" section :
435
436 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200437 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200438 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200439 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200440 - daemon
441 - gid
442 - group
443 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100444 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200445 - nbproc
446 - pidfile
447 - uid
448 - ulimit-n
449 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200450 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200451 - node
452 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100453 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100454
Willy Tarreau6a06a402007-07-15 20:15:28 +0200455 * Performance tuning
456 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200457 - maxconnrate
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100458 - maxpipes
Willy Tarreau403edff2012-09-06 11:58:37 +0200459 - maxsslconn
Willy Tarreau6a06a402007-07-15 20:15:28 +0200460 - noepoll
461 - nokqueue
462 - nopoll
463 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100464 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200465 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200466 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200467 - tune.chksize
Willy Tarreauac1932d2011-10-24 19:14:41 +0200468 - tune.http.maxhdr
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100469 - tune.maxaccept
470 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200471 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200472 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100473 - tune.rcvbuf.client
474 - tune.rcvbuf.server
475 - tune.sndbuf.client
476 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100477
Willy Tarreau6a06a402007-07-15 20:15:28 +0200478 * Debugging
479 - debug
480 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200481
482
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004833.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200484------------------------------------
485
Emeric Brunc8e8d122012-10-02 18:42:10 +0200486ca-base <dir>
487 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200488 relative path is used with "ca-file" or "crl-file" directives. Absolute
489 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200490
Willy Tarreau6a06a402007-07-15 20:15:28 +0200491chroot <jail dir>
492 Changes current directory to <jail dir> and performs a chroot() there before
493 dropping privileges. This increases the security level in case an unknown
494 vulnerability would be exploited, since it would make it very hard for the
495 attacker to exploit the system. This only works when the process is started
496 with superuser privileges. It is important to ensure that <jail_dir> is both
497 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100498
Emeric Brunc8e8d122012-10-02 18:42:10 +0200499crt-base <dir>
500 Assigns a default directory to fetch SSL certificates from when a relative
501 path is used with "crtfile" directives. Absolute locations specified after
502 "crtfile" prevail and ignore "crt-base".
503
Willy Tarreau6a06a402007-07-15 20:15:28 +0200504daemon
505 Makes the process fork into background. This is the recommended mode of
506 operation. It is equivalent to the command line "-D" argument. It can be
507 disabled by the command line "-db" argument.
508
509gid <number>
510 Changes the process' group ID to <number>. It is recommended that the group
511 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
512 be started with a user belonging to this group, or with superuser privileges.
513 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100514
Willy Tarreau6a06a402007-07-15 20:15:28 +0200515group <group name>
516 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
517 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100518
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200519log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200520 Adds a global syslog server. Up to two global servers can be defined. They
521 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100522 configured with "log global".
523
524 <address> can be one of:
525
Willy Tarreau2769aa02007-12-27 18:26:09 +0100526 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100527 no port is specified, 514 is used by default (the standard syslog
528 port).
529
David du Colombier24bb5f52011-03-17 10:40:23 +0100530 - An IPv6 address followed by a colon and optionally a UDP port. If
531 no port is specified, 514 is used by default (the standard syslog
532 port).
533
Robert Tsai81ae1952007-12-05 10:47:29 +0100534 - A filesystem path to a UNIX domain socket, keeping in mind
535 considerations for chroot (be sure the path is accessible inside
536 the chroot) and uid/gid (be sure the path is appropriately
537 writeable).
538
539 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200540
541 kern user mail daemon auth syslog lpr news
542 uucp cron auth2 ftp ntp audit alert cron2
543 local0 local1 local2 local3 local4 local5 local6 local7
544
545 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200546 all messages are sent. If a maximum level is specified, only messages with a
547 severity at least as important as this level will be sent. An optional minimum
548 level can be specified. If it is set, logs emitted with a more severe level
549 than this one will be capped to this level. This is used to avoid sending
550 "emerg" messages on all terminals on some default syslog configurations.
551 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200552
Cyril Bontédc4d9032012-04-08 21:57:39 +0200553 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200554
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100555log-send-hostname [<string>]
556 Sets the hostname field in the syslog header. If optional "string" parameter
557 is set the header is set to the string contents, otherwise uses the hostname
558 of the system. Generally used if one is not relaying logs through an
559 intermediate syslog server or for simply customizing the hostname printed in
560 the logs.
561
Kevinm48936af2010-12-22 16:08:21 +0000562log-tag <string>
563 Sets the tag field in the syslog header to this string. It defaults to the
564 program name as launched from the command line, which usually is "haproxy".
565 Sometimes it can be useful to differentiate between multiple processes
566 running on the same host.
567
Willy Tarreau6a06a402007-07-15 20:15:28 +0200568nbproc <number>
569 Creates <number> processes when going daemon. This requires the "daemon"
570 mode. By default, only one process is created, which is the recommended mode
571 of operation. For systems limited to small sets of file descriptors per
572 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
573 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
574
575pidfile <pidfile>
576 Writes pids of all daemons into file <pidfile>. This option is equivalent to
577 the "-p" command line argument. The file must be accessible to the user
578 starting the process. See also "daemon".
579
Willy Tarreau35b7b162012-10-22 23:17:18 +0200580stats bind-process [ all | odd | even | <number 1-32> ] ...
581 Limits the stats socket to a certain set of processes numbers. By default the
582 stats socket is bound to all processes, causing a warning to be emitted when
583 nbproc is greater than 1 because there is no way to select the target process
584 when connecting. However, by using this setting, it becomes possible to pin
585 the stats socket to a specific set of processes, typically the first one. The
586 warning will automatically be disabled when this setting is used, whatever
587 the number of processes used.
588
Willy Tarreauabb175f2012-09-24 12:43:26 +0200589stats socket [<address:port>|<path>] [param*]
590 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
591 Connections to this socket will return various statistics outputs and even
592 allow some commands to be issued to change some runtime settings. Please
593 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200594
Willy Tarreauabb175f2012-09-24 12:43:26 +0200595 All parameters supported by "bind" lines are supported, for instance to
596 restrict access to some users or their access rights. Please consult
597 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200598
599stats timeout <timeout, in milliseconds>
600 The default timeout on the stats socket is set to 10 seconds. It is possible
601 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100602 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200603
604stats maxconn <connections>
605 By default, the stats socket is limited to 10 concurrent connections. It is
606 possible to change this value with "stats maxconn".
607
Willy Tarreau6a06a402007-07-15 20:15:28 +0200608uid <number>
609 Changes the process' user ID to <number>. It is recommended that the user ID
610 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
611 be started with superuser privileges in order to be able to switch to another
612 one. See also "gid" and "user".
613
614ulimit-n <number>
615 Sets the maximum number of per-process file-descriptors to <number>. By
616 default, it is automatically computed, so it is recommended not to use this
617 option.
618
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100619unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
620 [ group <group> ] [ gid <gid> ]
621
622 Fixes common settings to UNIX listening sockets declared in "bind" statements.
623 This is mainly used to simplify declaration of those UNIX sockets and reduce
624 the risk of errors, since those settings are most commonly required but are
625 also process-specific. The <prefix> setting can be used to force all socket
626 path to be relative to that directory. This might be needed to access another
627 component's chroot. Note that those paths are resolved before haproxy chroots
628 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
629 all have the same meaning as their homonyms used by the "bind" statement. If
630 both are specified, the "bind" statement has priority, meaning that the
631 "unix-bind" settings may be seen as process-wide default settings.
632
Willy Tarreau6a06a402007-07-15 20:15:28 +0200633user <user name>
634 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
635 See also "uid" and "group".
636
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200637node <name>
638 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
639
640 This statement is useful in HA configurations where two or more processes or
641 servers share the same IP address. By setting a different node-name on all
642 nodes, it becomes easy to immediately spot what server is handling the
643 traffic.
644
645description <text>
646 Add a text that describes the instance.
647
648 Please note that it is required to escape certain characters (# for example)
649 and this text is inserted into a html page so you should avoid using
650 "<" and ">" characters.
651
Willy Tarreau6a06a402007-07-15 20:15:28 +0200652
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006533.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200654-----------------------
655
656maxconn <number>
657 Sets the maximum per-process number of concurrent connections to <number>. It
658 is equivalent to the command-line argument "-n". Proxies will stop accepting
659 connections when this limit is reached. The "ulimit-n" parameter is
660 automatically adjusted according to this value. See also "ulimit-n".
661
Willy Tarreau81c25d02011-09-07 15:17:21 +0200662maxconnrate <number>
663 Sets the maximum per-process number of connections per second to <number>.
664 Proxies will stop accepting connections when this limit is reached. It can be
665 used to limit the global capacity regardless of each frontend capacity. It is
666 important to note that this can only be used as a service protection measure,
667 as there will not necessarily be a fair share between frontends when the
668 limit is reached, so it's a good idea to also limit each frontend to some
669 value close to its expected share. Also, lowering tune.maxaccept can improve
670 fairness.
671
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100672maxpipes <number>
673 Sets the maximum per-process number of pipes to <number>. Currently, pipes
674 are only used by kernel-based tcp splicing. Since a pipe contains two file
675 descriptors, the "ulimit-n" value will be increased accordingly. The default
676 value is maxconn/4, which seems to be more than enough for most heavy usages.
677 The splice code dynamically allocates and releases pipes, and can fall back
678 to standard copy, so setting this value too low may only impact performance.
679
Willy Tarreau403edff2012-09-06 11:58:37 +0200680maxsslconn <number>
681 Sets the maximum per-process number of concurrent SSL connections to
682 <number>. By default there is no SSL-specific limit, which means that the
683 global maxconn setting will apply to all connections. Setting this limit
684 avoids having openssl use too much memory and crash when malloc returns NULL
685 (since it unfortunately does not reliably check for such conditions). Note
686 that the limit applies both to incoming and outgoing connections, so one
687 connection which is deciphered then ciphered accounts for 2 SSL connections.
688
Willy Tarreau6a06a402007-07-15 20:15:28 +0200689noepoll
690 Disables the use of the "epoll" event polling system on Linux. It is
691 equivalent to the command-line argument "-de". The next polling system
692 used will generally be "poll". See also "nosepoll", and "nopoll".
693
694nokqueue
695 Disables the use of the "kqueue" event polling system on BSD. It is
696 equivalent to the command-line argument "-dk". The next polling system
697 used will generally be "poll". See also "nopoll".
698
699nopoll
700 Disables the use of the "poll" event polling system. It is equivalent to the
701 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100702 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200703 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
704 "nokqueue".
705
706nosepoll
707 Disables the use of the "speculative epoll" event polling system on Linux. It
708 is equivalent to the command-line argument "-ds". The next polling system
709 used will generally be "epoll". See also "nosepoll", and "nopoll".
710
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100711nosplice
712 Disables the use of kernel tcp splicing between sockets on Linux. It is
713 equivalent to the command line argument "-dS". Data will then be copied
714 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100715 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100716 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
717 be used. This option makes it easier to globally disable kernel splicing in
718 case of doubt. See also "option splice-auto", "option splice-request" and
719 "option splice-response".
720
Willy Tarreaufe255b72007-10-14 23:09:26 +0200721spread-checks <0..50, in percent>
722 Sometimes it is desirable to avoid sending health checks to servers at exact
723 intervals, for instance when many logical servers are located on the same
724 physical server. With the help of this parameter, it becomes possible to add
725 some randomness in the check interval between 0 and +/- 50%. A value between
726 2 and 5 seems to show good results. The default value remains at 0.
727
Willy Tarreau27a674e2009-08-17 07:23:33 +0200728tune.bufsize <number>
729 Sets the buffer size to this size (in bytes). Lower values allow more
730 sessions to coexist in the same amount of RAM, and higher values allow some
731 applications with very large cookies to work. The default value is 16384 and
732 can be changed at build time. It is strongly recommended not to change this
733 from the default value, as very low values will break some services such as
734 statistics, and values larger than default size will increase memory usage,
735 possibly causing the system to run out of memory. At least the global maxconn
736 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +0400737 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
738 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
739 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +0200740
Willy Tarreau43961d52010-10-04 20:39:20 +0200741tune.chksize <number>
742 Sets the check buffer size to this size (in bytes). Higher values may help
743 find string or regex patterns in very large pages, though doing so may imply
744 more memory and CPU usage. The default value is 16384 and can be changed at
745 build time. It is not recommended to change this value, but to use better
746 checks whenever possible.
747
Willy Tarreauac1932d2011-10-24 19:14:41 +0200748tune.http.maxhdr <number>
749 Sets the maximum number of headers in a request. When a request comes with a
750 number of headers greater than this value (including the first line), it is
751 rejected with a "400 Bad Request" status code. Similarly, too large responses
752 are blocked with "502 Bad Gateway". The default value is 101, which is enough
753 for all usages, considering that the widely deployed Apache server uses the
754 same limit. It can be useful to push this limit further to temporarily allow
755 a buggy application to work by the time it gets fixed. Keep in mind that each
756 new header consumes 32bits of memory for each session, so don't push this
757 limit too high.
758
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100759tune.maxaccept <number>
760 Sets the maximum number of consecutive accepts that a process may perform on
761 a single wake up. High values give higher priority to high connection rates,
762 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100763 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100764 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
765 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100766 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100767 the limitation. It should normally not be needed to tweak this value.
768
769tune.maxpollevents <number>
770 Sets the maximum amount of events that can be processed at once in a call to
771 the polling system. The default value is adapted to the operating system. It
772 has been noticed that reducing it below 200 tends to slightly decrease
773 latency at the expense of network bandwidth, and increasing it above 200
774 tends to trade latency for slightly increased bandwidth.
775
Willy Tarreau27a674e2009-08-17 07:23:33 +0200776tune.maxrewrite <number>
777 Sets the reserved buffer space to this size in bytes. The reserved space is
778 used for header rewriting or appending. The first reads on sockets will never
779 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
780 bufsize, though that does not make much sense since there are rarely large
781 numbers of headers to add. Setting it too high prevents processing of large
782 requests or responses. Setting it too low prevents addition of new headers
783 to already large requests or to POST requests. It is generally wise to set it
784 to about 1024. It is automatically readjusted to half of bufsize if it is
785 larger than that. This means you don't have to worry about it when changing
786 bufsize.
787
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200788tune.pipesize <number>
789 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
790 are the default size for the system. But sometimes when using TCP splicing,
791 it can improve performance to increase pipe sizes, especially if it is
792 suspected that pipes are not filled and that many calls to splice() are
793 performed. This has an impact on the kernel's memory footprint, so this must
794 not be changed if impacts are not understood.
795
Willy Tarreaue803de22010-01-21 17:43:04 +0100796tune.rcvbuf.client <number>
797tune.rcvbuf.server <number>
798 Forces the kernel socket receive buffer size on the client or the server side
799 to the specified value in bytes. This value applies to all TCP/HTTP frontends
800 and backends. It should normally never be set, and the default size (0) lets
801 the kernel autotune this value depending on the amount of available memory.
802 However it can sometimes help to set it to very low values (eg: 4096) in
803 order to save kernel memory by preventing it from buffering too large amounts
804 of received data. Lower values will significantly increase CPU usage though.
805
806tune.sndbuf.client <number>
807tune.sndbuf.server <number>
808 Forces the kernel socket send buffer size on the client or the server side to
809 the specified value in bytes. This value applies to all TCP/HTTP frontends
810 and backends. It should normally never be set, and the default size (0) lets
811 the kernel autotune this value depending on the amount of available memory.
812 However it can sometimes help to set it to very low values (eg: 4096) in
813 order to save kernel memory by preventing it from buffering too large amounts
814 of received data. Lower values will significantly increase CPU usage though.
815 Another use case is to prevent write timeouts with extremely slow clients due
816 to the kernel waiting for a large part of the buffer to be read before
817 notifying haproxy again.
818
Willy Tarreau6a06a402007-07-15 20:15:28 +0200819
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008203.3. Debugging
821--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200822
823debug
824 Enables debug mode which dumps to stdout all exchanges, and disables forking
825 into background. It is the equivalent of the command-line argument "-d". It
826 should never be used in a production configuration since it may prevent full
827 system startup.
828
829quiet
830 Do not display any message during startup. It is equivalent to the command-
831 line argument "-q".
832
Emeric Brunf099e792010-09-27 12:05:28 +0200833
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008343.4. Userlists
835--------------
836It is possible to control access to frontend/backend/listen sections or to
837http stats by allowing only authenticated and authorized users. To do this,
838it is required to create at least one userlist and to define users.
839
840userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100841 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100842 used to store authentication & authorization data for independent customers.
843
844group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100845 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100846 attach users to this group by using a comma separated list of names
847 proceeded by "users" keyword.
848
Cyril Bontéf0c60612010-02-06 14:44:47 +0100849user <username> [password|insecure-password <password>]
850 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100851 Adds user <username> to the current userlist. Both secure (encrypted) and
852 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100853 evaluated using the crypt(3) function so depending of the system's
854 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100855 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
856 DES-based method of crypting passwords.
857
858
859 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100860 userlist L1
861 group G1 users tiger,scott
862 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100863
Cyril Bontéf0c60612010-02-06 14:44:47 +0100864 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
865 user scott insecure-password elgato
866 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100867
Cyril Bontéf0c60612010-02-06 14:44:47 +0100868 userlist L2
869 group G1
870 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100871
Cyril Bontéf0c60612010-02-06 14:44:47 +0100872 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
873 user scott insecure-password elgato groups G1,G2
874 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100875
876 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200877
Emeric Brunf099e792010-09-27 12:05:28 +0200878
8793.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +0200880----------
Emeric Brunf099e792010-09-27 12:05:28 +0200881It is possible to synchronize server entries in stick tables between several
882haproxy instances over TCP connections in a multi-master fashion. Each instance
883pushes its local updates and insertions to remote peers. Server IDs are used to
884identify servers remotely, so it is important that configurations look similar
885or at least that the same IDs are forced on each server on all participants.
886Interrupted exchanges are automatically detected and recovered from the last
887known point. In addition, during a soft restart, the old process connects to
888the new one using such a TCP connection to push all its entries before the new
889process tries to connect to other peers. That ensures very fast replication
890during a reload, it typically takes a fraction of a second even for large
891tables.
892
893peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -0400894 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +0200895 which is referenced by one or more stick-tables.
896
897peer <peername> <ip>:<port>
898 Defines a peer inside a peers section.
899 If <peername> is set to the local peer name (by default hostname, or forced
900 using "-L" command line option), haproxy will listen for incoming remote peer
901 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
902 to join the remote peer, and <peername> is used at the protocol level to
903 identify and validate the remote peer on the server side.
904
905 During a soft restart, local peer <ip>:<port> is used by the old instance to
906 connect the new one and initiate a complete replication (teaching process).
907
908 It is strongly recommended to have the exact same peers declaration on all
909 peers and to only rely on the "-L" command line argument to change the local
910 peer name. This makes it easier to maintain coherent configuration files
911 across all peers.
912
Cyril Bontédc4d9032012-04-08 21:57:39 +0200913 Example:
Emeric Brunf099e792010-09-27 12:05:28 +0200914 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100915 peer haproxy1 192.168.0.1:1024
916 peer haproxy2 192.168.0.2:1024
917 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +0200918
919 backend mybackend
920 mode tcp
921 balance roundrobin
922 stick-table type ip size 20k peers mypeers
923 stick on src
924
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100925 server srv1 192.168.0.30:80
926 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +0200927
928
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009294. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200930----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100931
Willy Tarreau6a06a402007-07-15 20:15:28 +0200932Proxy configuration can be located in a set of sections :
933 - defaults <name>
934 - frontend <name>
935 - backend <name>
936 - listen <name>
937
938A "defaults" section sets default parameters for all other sections following
939its declaration. Those default parameters are reset by the next "defaults"
940section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100941section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200942
943A "frontend" section describes a set of listening sockets accepting client
944connections.
945
946A "backend" section describes a set of servers to which the proxy will connect
947to forward incoming connections.
948
949A "listen" section defines a complete proxy with its frontend and backend
950parts combined in one section. It is generally useful for TCP-only traffic.
951
Willy Tarreau0ba27502007-12-24 16:55:16 +0100952All proxy names must be formed from upper and lower case letters, digits,
953'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
954case-sensitive, which means that "www" and "WWW" are two different proxies.
955
956Historically, all proxy names could overlap, it just caused troubles in the
957logs. Since the introduction of content switching, it is mandatory that two
958proxies with overlapping capabilities (frontend/backend) have different names.
959However, it is still permitted that a frontend and a backend share the same
960name, as this configuration seems to be commonly encountered.
961
962Right now, two major proxy modes are supported : "tcp", also known as layer 4,
963and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100964bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100965protocol, and can interact with it by allowing, blocking, switching, adding,
966modifying, or removing arbitrary contents in requests or responses, based on
967arbitrary criteria.
968
Willy Tarreau0ba27502007-12-24 16:55:16 +0100969
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009704.1. Proxy keywords matrix
971--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100972
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200973The following list of keywords is supported. Most of them may only be used in a
974limited set of section types. Some of them are marked as "deprecated" because
975they are inherited from an old syntax which may be confusing or functionally
976limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100977marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200978option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200979and must be disabled for a specific instance. Such options may also be prefixed
980with "default" in order to restore default settings regardless of what has been
981specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100982
Willy Tarreau6a06a402007-07-15 20:15:28 +0200983
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100984 keyword defaults frontend listen backend
985------------------------------------+----------+----------+---------+---------
986acl - X X X
987appsession - - X X
988backlog X X X -
989balance X - X X
990bind - X X -
991bind-process X X X X
992block - X X X
993capture cookie - X X -
994capture request header - X X -
995capture response header - X X -
996clitimeout (deprecated) X X X -
997contimeout (deprecated) X - X X
998cookie X - X X
999default-server X - X X
1000default_backend X X X -
1001description - X X X
1002disabled X X X X
1003dispatch - - X X
1004enabled X X X X
1005errorfile X X X X
1006errorloc X X X X
1007errorloc302 X X X X
1008-- keyword -------------------------- defaults - frontend - listen -- backend -
1009errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001010force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001011fullconn X - X X
1012grace X X X X
1013hash-type X - X X
1014http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001015http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001016http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001017http-request - X X X
1018id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001019ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001020log (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001021maxconn X X X -
1022mode X X X X
1023monitor fail - X X -
1024monitor-net X X X -
1025monitor-uri X X X -
1026option abortonclose (*) X - X X
1027option accept-invalid-http-request (*) X X X -
1028option accept-invalid-http-response (*) X - X X
1029option allbackups (*) X - X X
1030option checkcache (*) X - X X
1031option clitcpka (*) X X X -
1032option contstats (*) X X X -
1033option dontlog-normal (*) X X X -
1034option dontlognull (*) X X X -
1035option forceclose (*) X X X X
1036-- keyword -------------------------- defaults - frontend - listen -- backend -
1037option forwardfor X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001038option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001039option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001040option http-server-close (*) X X X X
1041option http-use-proxy-header (*) X X X -
1042option httpchk X - X X
1043option httpclose (*) X X X X
1044option httplog X X X X
1045option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001046option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001047option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001048option log-health-checks (*) X - X X
1049option log-separate-errors (*) X X X -
1050option logasap (*) X X X -
1051option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001052option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001053option nolinger (*) X X X X
1054option originalto X X X X
1055option persist (*) X - X X
1056option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001057option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001058option smtpchk X - X X
1059option socket-stats (*) X X X -
1060option splice-auto (*) X X X X
1061option splice-request (*) X X X X
1062option splice-response (*) X X X X
1063option srvtcpka (*) X - X X
1064option ssl-hello-chk X - X X
1065-- keyword -------------------------- defaults - frontend - listen -- backend -
1066option tcp-smart-accept (*) X X X -
1067option tcp-smart-connect (*) X - X X
1068option tcpka X X X X
1069option tcplog X X X X
1070option transparent (*) X - X X
1071persist rdp-cookie X - X X
1072rate-limit sessions X X X -
1073redirect - X X X
1074redisp (deprecated) X - X X
1075redispatch (deprecated) X - X X
1076reqadd - X X X
1077reqallow - X X X
1078reqdel - X X X
1079reqdeny - X X X
1080reqiallow - X X X
1081reqidel - X X X
1082reqideny - X X X
1083reqipass - X X X
1084reqirep - X X X
1085reqisetbe - X X X
1086reqitarpit - X X X
1087reqpass - X X X
1088reqrep - X X X
1089-- keyword -------------------------- defaults - frontend - listen -- backend -
1090reqsetbe - X X X
1091reqtarpit - X X X
1092retries X - X X
1093rspadd - X X X
1094rspdel - X X X
1095rspdeny - X X X
1096rspidel - X X X
1097rspideny - X X X
1098rspirep - X X X
1099rsprep - X X X
1100server - - X X
1101source X - X X
1102srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001103stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001104stats auth X - X X
1105stats enable X - X X
1106stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001107stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001108stats realm X - X X
1109stats refresh X - X X
1110stats scope X - X X
1111stats show-desc X - X X
1112stats show-legends X - X X
1113stats show-node X - X X
1114stats uri X - X X
1115-- keyword -------------------------- defaults - frontend - listen -- backend -
1116stick match - - X X
1117stick on - - X X
1118stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001119stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001120stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001121tcp-request connection - X X -
1122tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001123tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001124tcp-response content - - X X
1125tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001126timeout check X - X X
1127timeout client X X X -
1128timeout clitimeout (deprecated) X X X -
1129timeout connect X - X X
1130timeout contimeout (deprecated) X - X X
1131timeout http-keep-alive X X X X
1132timeout http-request X X X X
1133timeout queue X - X X
1134timeout server X - X X
1135timeout srvtimeout (deprecated) X - X X
1136timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001137timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001138transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001139unique-id-format X X X -
1140unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001141use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001142use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001143------------------------------------+----------+----------+---------+---------
1144 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001145
Willy Tarreau0ba27502007-12-24 16:55:16 +01001146
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011474.2. Alphabetically sorted keywords reference
1148---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001149
1150This section provides a description of each keyword and its usage.
1151
1152
1153acl <aclname> <criterion> [flags] [operator] <value> ...
1154 Declare or complete an access list.
1155 May be used in sections : defaults | frontend | listen | backend
1156 no | yes | yes | yes
1157 Example:
1158 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1159 acl invalid_src src_port 0:1023
1160 acl local_dst hdr(host) -i localhost
1161
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001162 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001163
1164
Cyril Bontéb21570a2009-11-29 20:04:48 +01001165appsession <cookie> len <length> timeout <holdtime>
1166 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001167 Define session stickiness on an existing application cookie.
1168 May be used in sections : defaults | frontend | listen | backend
1169 no | no | yes | yes
1170 Arguments :
1171 <cookie> this is the name of the cookie used by the application and which
1172 HAProxy will have to learn for each new session.
1173
Cyril Bontéb21570a2009-11-29 20:04:48 +01001174 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001175 checked in each cookie value.
1176
1177 <holdtime> this is the time after which the cookie will be removed from
1178 memory if unused. If no unit is specified, this time is in
1179 milliseconds.
1180
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001181 request-learn
1182 If this option is specified, then haproxy will be able to learn
1183 the cookie found in the request in case the server does not
1184 specify any in response. This is typically what happens with
1185 PHPSESSID cookies, or when haproxy's session expires before
1186 the application's session and the correct server is selected.
1187 It is recommended to specify this option to improve reliability.
1188
Cyril Bontéb21570a2009-11-29 20:04:48 +01001189 prefix When this option is specified, haproxy will match on the cookie
1190 prefix (or URL parameter prefix). The appsession value is the
1191 data following this prefix.
1192
1193 Example :
1194 appsession ASPSESSIONID len 64 timeout 3h prefix
1195
1196 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1197 the appsession value will be XXXX=XXXXX.
1198
1199 mode This option allows to change the URL parser mode.
1200 2 modes are currently supported :
1201 - path-parameters :
1202 The parser looks for the appsession in the path parameters
1203 part (each parameter is separated by a semi-colon), which is
1204 convenient for JSESSIONID for example.
1205 This is the default mode if the option is not set.
1206 - query-string :
1207 In this mode, the parser will look for the appsession in the
1208 query string.
1209
Willy Tarreau0ba27502007-12-24 16:55:16 +01001210 When an application cookie is defined in a backend, HAProxy will check when
1211 the server sets such a cookie, and will store its value in a table, and
1212 associate it with the server's identifier. Up to <length> characters from
1213 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001214 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1215 the mode used). If a known value is found, the client will be directed to the
1216 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001217 applied. Cookies are automatically removed from memory when they have been
1218 unused for a duration longer than <holdtime>.
1219
1220 The definition of an application cookie is limited to one per backend.
1221
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001222 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1223 unless you know what you do : memory is not shared between the
1224 processes, which can result in random behaviours.
1225
Willy Tarreau0ba27502007-12-24 16:55:16 +01001226 Example :
1227 appsession JSESSIONID len 52 timeout 3h
1228
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001229 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1230 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001231
1232
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001233backlog <conns>
1234 Give hints to the system about the approximate listen backlog desired size
1235 May be used in sections : defaults | frontend | listen | backend
1236 yes | yes | yes | no
1237 Arguments :
1238 <conns> is the number of pending connections. Depending on the operating
1239 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001240 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001241
1242 In order to protect against SYN flood attacks, one solution is to increase
1243 the system's SYN backlog size. Depending on the system, sometimes it is just
1244 tunable via a system parameter, sometimes it is not adjustable at all, and
1245 sometimes the system relies on hints given by the application at the time of
1246 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1247 to the listen() syscall. On systems which can make use of this value, it can
1248 sometimes be useful to be able to specify a different value, hence this
1249 backlog parameter.
1250
1251 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1252 used as a hint and the system accepts up to the smallest greater power of
1253 two, and never more than some limits (usually 32768).
1254
1255 See also : "maxconn" and the target operating system's tuning guide.
1256
1257
Willy Tarreau0ba27502007-12-24 16:55:16 +01001258balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001259balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001260 Define the load balancing algorithm to be used in a backend.
1261 May be used in sections : defaults | frontend | listen | backend
1262 yes | no | yes | yes
1263 Arguments :
1264 <algorithm> is the algorithm used to select a server when doing load
1265 balancing. This only applies when no persistence information
1266 is available, or when a connection is redispatched to another
1267 server. <algorithm> may be one of the following :
1268
1269 roundrobin Each server is used in turns, according to their weights.
1270 This is the smoothest and fairest algorithm when the server's
1271 processing time remains equally distributed. This algorithm
1272 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001273 on the fly for slow starts for instance. It is limited by
1274 design to 4128 active servers per backend. Note that in some
1275 large farms, when a server becomes up after having been down
1276 for a very short time, it may sometimes take a few hundreds
1277 requests for it to be re-integrated into the farm and start
1278 receiving traffic. This is normal, though very rare. It is
1279 indicated here in case you would have the chance to observe
1280 it, so that you don't worry.
1281
1282 static-rr Each server is used in turns, according to their weights.
1283 This algorithm is as similar to roundrobin except that it is
1284 static, which means that changing a server's weight on the
1285 fly will have no effect. On the other hand, it has no design
1286 limitation on the number of servers, and when a server goes
1287 up, it is always immediately reintroduced into the farm, once
1288 the full map is recomputed. It also uses slightly less CPU to
1289 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001290
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001291 leastconn The server with the lowest number of connections receives the
1292 connection. Round-robin is performed within groups of servers
1293 of the same load to ensure that all servers will be used. Use
1294 of this algorithm is recommended where very long sessions are
1295 expected, such as LDAP, SQL, TSE, etc... but is not very well
1296 suited for protocols using short sessions such as HTTP. This
1297 algorithm is dynamic, which means that server weights may be
1298 adjusted on the fly for slow starts for instance.
1299
Willy Tarreauf09c6602012-02-13 17:12:08 +01001300 first The first server with available connection slots receives the
1301 connection. The servers are choosen from the lowest numeric
1302 identifier to the highest (see server parameter "id"), which
1303 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001304 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001305 not make sense to use this algorithm without setting maxconn.
1306 The purpose of this algorithm is to always use the smallest
1307 number of servers so that extra servers can be powered off
1308 during non-intensive hours. This algorithm ignores the server
1309 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001310 or IMAP than HTTP, though it can be useful there too. In
1311 order to use this algorithm efficiently, it is recommended
1312 that a cloud controller regularly checks server usage to turn
1313 them off when unused, and regularly checks backend queue to
1314 turn new servers on when the queue inflates. Alternatively,
1315 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001316
Willy Tarreau0ba27502007-12-24 16:55:16 +01001317 source The source IP address is hashed and divided by the total
1318 weight of the running servers to designate which server will
1319 receive the request. This ensures that the same client IP
1320 address will always reach the same server as long as no
1321 server goes down or up. If the hash result changes due to the
1322 number of running servers changing, many clients will be
1323 directed to a different server. This algorithm is generally
1324 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001325 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001326 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001327 static by default, which means that changing a server's
1328 weight on the fly will have no effect, but this can be
1329 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001330
Oskar Stolc8dc41842012-05-19 10:19:54 +01001331 uri This algorithm hashes either the left part of the URI (before
1332 the question mark) or the whole URI (if the "whole" parameter
1333 is present) and divides the hash value by the total weight of
1334 the running servers. The result designates which server will
1335 receive the request. This ensures that the same URI will
1336 always be directed to the same server as long as no server
1337 goes up or down. This is used with proxy caches and
1338 anti-virus proxies in order to maximize the cache hit rate.
1339 Note that this algorithm may only be used in an HTTP backend.
1340 This algorithm is static by default, which means that
1341 changing a server's weight on the fly will have no effect,
1342 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001343
Oskar Stolc8dc41842012-05-19 10:19:54 +01001344 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001345 "depth", both followed by a positive integer number. These
1346 options may be helpful when it is needed to balance servers
1347 based on the beginning of the URI only. The "len" parameter
1348 indicates that the algorithm should only consider that many
1349 characters at the beginning of the URI to compute the hash.
1350 Note that having "len" set to 1 rarely makes sense since most
1351 URIs start with a leading "/".
1352
1353 The "depth" parameter indicates the maximum directory depth
1354 to be used to compute the hash. One level is counted for each
1355 slash in the request. If both parameters are specified, the
1356 evaluation stops when either is reached.
1357
Willy Tarreau0ba27502007-12-24 16:55:16 +01001358 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001359 the query string of each HTTP GET request.
1360
1361 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001362 request entity will be searched for the parameter argument,
1363 when it is not found in a query string after a question mark
1364 ('?') in the URL. Optionally, specify a number of octets to
1365 wait for before attempting to search the message body. If the
1366 entity can not be searched, then round robin is used for each
1367 request. For instance, if your clients always send the LB
1368 parameter in the first 128 bytes, then specify that. The
1369 default is 48. The entity data will not be scanned until the
1370 required number of octets have arrived at the gateway, this
1371 is the minimum of: (default/max_wait, Content-Length or first
1372 chunk length). If Content-Length is missing or zero, it does
1373 not need to wait for more data than the client promised to
1374 send. When Content-Length is present and larger than
1375 <max_wait>, then waiting is limited to <max_wait> and it is
1376 assumed that this will be enough data to search for the
1377 presence of the parameter. In the unlikely event that
1378 Transfer-Encoding: chunked is used, only the first chunk is
1379 scanned. Parameter values separated by a chunk boundary, may
1380 be randomly balanced if at all.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001381
1382 If the parameter is found followed by an equal sign ('=') and
1383 a value, then the value is hashed and divided by the total
1384 weight of the running servers. The result designates which
1385 server will receive the request.
1386
1387 This is used to track user identifiers in requests and ensure
1388 that a same user ID will always be sent to the same server as
1389 long as no server goes up or down. If no value is found or if
1390 the parameter is not found, then a round robin algorithm is
1391 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001392 backend. This algorithm is static by default, which means
1393 that changing a server's weight on the fly will have no
1394 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001395
Cyril Bontédc4d9032012-04-08 21:57:39 +02001396 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1397 request. Just as with the equivalent ACL 'hdr()' function,
1398 the header name in parenthesis is not case sensitive. If the
1399 header is absent or if it does not contain any value, the
1400 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001401
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001402 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001403 reducing the hash algorithm to the main domain part with some
1404 specific headers such as 'Host'. For instance, in the Host
1405 value "haproxy.1wt.eu", only "1wt" will be considered.
1406
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001407 This algorithm is static by default, which means that
1408 changing a server's weight on the fly will have no effect,
1409 but this can be changed using "hash-type".
1410
Emeric Brun736aa232009-06-30 17:56:00 +02001411 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001412 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001413 The RDP cookie <name> (or "mstshash" if omitted) will be
1414 looked up and hashed for each incoming TCP request. Just as
1415 with the equivalent ACL 'req_rdp_cookie()' function, the name
1416 is not case-sensitive. This mechanism is useful as a degraded
1417 persistence mode, as it makes it possible to always send the
1418 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001419 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001420 used instead.
1421
1422 Note that for this to work, the frontend must ensure that an
1423 RDP cookie is already present in the request buffer. For this
1424 you must use 'tcp-request content accept' rule combined with
1425 a 'req_rdp_cookie_cnt' ACL.
1426
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001427 This algorithm is static by default, which means that
1428 changing a server's weight on the fly will have no effect,
1429 but this can be changed using "hash-type".
1430
Cyril Bontédc4d9032012-04-08 21:57:39 +02001431 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001432
Willy Tarreau0ba27502007-12-24 16:55:16 +01001433 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001434 algorithms. Right now, only "url_param" and "uri" support an
1435 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001436
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001437 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001438 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001439
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001440 The load balancing algorithm of a backend is set to roundrobin when no other
1441 algorithm, mode nor option have been set. The algorithm may only be set once
1442 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001443
1444 Examples :
1445 balance roundrobin
1446 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001447 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001448 balance hdr(User-Agent)
1449 balance hdr(host)
1450 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001451
1452 Note: the following caveats and limitations on using the "check_post"
1453 extension with "url_param" must be considered :
1454
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001455 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001456 to determine if the parameters will be found in the body or entity which
1457 may contain binary data. Therefore another method may be required to
1458 restrict consideration of POST requests that have no URL parameters in
1459 the body. (see acl reqideny http_end)
1460
1461 - using a <max_wait> value larger than the request buffer size does not
1462 make sense and is useless. The buffer size is set at build time, and
1463 defaults to 16 kB.
1464
1465 - Content-Encoding is not supported, the parameter search will probably
1466 fail; and load balancing will fall back to Round Robin.
1467
1468 - Expect: 100-continue is not supported, load balancing will fall back to
1469 Round Robin.
1470
1471 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1472 If the entire parameter value is not present in the first chunk, the
1473 selection of server is undefined (actually, defined by how little
1474 actually appeared in the first chunk).
1475
1476 - This feature does not support generation of a 100, 411 or 501 response.
1477
1478 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001479 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001480 white space or control characters are found, indicating the end of what
1481 might be a URL parameter list. This is probably not a concern with SGML
1482 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001483
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001484 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1485 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001486
1487
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001488bind [<address>]:<port_range> [, ...] [param*]
1489bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001490 Define one or several listening addresses and/or ports in a frontend.
1491 May be used in sections : defaults | frontend | listen | backend
1492 no | yes | yes | no
1493 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001494 <address> is optional and can be a host name, an IPv4 address, an IPv6
1495 address, or '*'. It designates the address the frontend will
1496 listen on. If unset, all IPv4 addresses of the system will be
1497 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001498 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001499
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001500 <port_range> is either a unique TCP port, or a port range for which the
1501 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001502 above. The port is mandatory for TCP listeners. Note that in
1503 the case of an IPv6 address, the port is always the number
1504 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001505 - a numerical port (ex: '80')
1506 - a dash-delimited ports range explicitly stating the lower
1507 and upper bounds (ex: '2000-2100') which are included in
1508 the range.
1509
1510 Particular care must be taken against port ranges, because
1511 every <address:port> couple consumes one socket (= a file
1512 descriptor), so it's easy to consume lots of descriptors
1513 with a simple range, and to run out of sockets. Also, each
1514 <address:port> couple must be used only once among all
1515 instances running on a same system. Please note that binding
1516 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001517 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001518 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001519
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001520 <path> is a UNIX socket path beginning with a slash ('/'). This is
1521 alternative to the TCP listening port. Haproxy will then
1522 receive UNIX connections on the socket located at this place.
1523 The path must begin with a slash and by default is absolute.
1524 It can be relative to the prefix defined by "unix-bind" in
1525 the global section. Note that the total length of the prefix
1526 followed by the socket path cannot exceed some system limits
1527 for UNIX sockets, which commonly are set to 107 characters.
1528
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001529 <param*> is a list of parameters common to all sockets declared on the
1530 same line. These numerous parameters depend on OS and build
1531 options and have a complete section dedicated to them. Please
1532 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001533
Willy Tarreau0ba27502007-12-24 16:55:16 +01001534 It is possible to specify a list of address:port combinations delimited by
1535 commas. The frontend will then listen on all of these addresses. There is no
1536 fixed limit to the number of addresses and ports which can be listened on in
1537 a frontend, as well as there is no limit to the number of "bind" statements
1538 in a frontend.
1539
1540 Example :
1541 listen http_proxy
1542 bind :80,:443
1543 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001544 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001545
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001546 listen http_https_proxy
1547 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02001548 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001549
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001550 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001551 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001552
1553
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001554bind-process [ all | odd | even | <number 1-32> ] ...
1555 Limit visibility of an instance to a certain set of processes numbers.
1556 May be used in sections : defaults | frontend | listen | backend
1557 yes | yes | yes | yes
1558 Arguments :
1559 all All process will see this instance. This is the default. It
1560 may be used to override a default value.
1561
1562 odd This instance will be enabled on processes 1,3,5,...31. This
1563 option may be combined with other numbers.
1564
1565 even This instance will be enabled on processes 2,4,6,...32. This
1566 option may be combined with other numbers. Do not use it
1567 with less than 2 processes otherwise some instances might be
1568 missing from all processes.
1569
1570 number The instance will be enabled on this process number, between
1571 1 and 32. You must be careful not to reference a process
1572 number greater than the configured global.nbproc, otherwise
1573 some instances might be missing from all processes.
1574
1575 This keyword limits binding of certain instances to certain processes. This
1576 is useful in order not to have too many processes listening to the same
1577 ports. For instance, on a dual-core machine, it might make sense to set
1578 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1579 and 'even' instances.
1580
1581 At the moment, it is not possible to reference more than 32 processes using
1582 this keyword, but this should be more than enough for most setups. Please
1583 note that 'all' really means all processes and is not limited to the first
1584 32.
1585
1586 If some backends are referenced by frontends bound to other processes, the
1587 backend automatically inherits the frontend's processes.
1588
1589 Example :
1590 listen app_ip1
1591 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001592 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001593
1594 listen app_ip2
1595 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001596 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001597
1598 listen management
1599 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001600 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001601
1602 See also : "nbproc" in global section.
1603
1604
Willy Tarreau0ba27502007-12-24 16:55:16 +01001605block { if | unless } <condition>
1606 Block a layer 7 request if/unless a condition is matched
1607 May be used in sections : defaults | frontend | listen | backend
1608 no | yes | yes | yes
1609
1610 The HTTP request will be blocked very early in the layer 7 processing
1611 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001612 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001613 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001614 conditions are met or not met. There is no fixed limit to the number of
1615 "block" statements per instance.
1616
1617 Example:
1618 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1619 acl invalid_src src_port 0:1023
1620 acl local_dst hdr(host) -i localhost
1621 block if invalid_src || local_dst
1622
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001623 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001624
1625
1626capture cookie <name> len <length>
1627 Capture and log a cookie in the request and in the response.
1628 May be used in sections : defaults | frontend | listen | backend
1629 no | yes | yes | no
1630 Arguments :
1631 <name> is the beginning of the name of the cookie to capture. In order
1632 to match the exact name, simply suffix the name with an equal
1633 sign ('='). The full name will appear in the logs, which is
1634 useful with application servers which adjust both the cookie name
1635 and value (eg: ASPSESSIONXXXXX).
1636
1637 <length> is the maximum number of characters to report in the logs, which
1638 include the cookie name, the equal sign and the value, all in the
1639 standard "name=value" form. The string will be truncated on the
1640 right if it exceeds <length>.
1641
1642 Only the first cookie is captured. Both the "cookie" request headers and the
1643 "set-cookie" response headers are monitored. This is particularly useful to
1644 check for application bugs causing session crossing or stealing between
1645 users, because generally the user's cookies can only change on a login page.
1646
1647 When the cookie was not presented by the client, the associated log column
1648 will report "-". When a request does not cause a cookie to be assigned by the
1649 server, a "-" is reported in the response column.
1650
1651 The capture is performed in the frontend only because it is necessary that
1652 the log format does not change for a given frontend depending on the
1653 backends. This may change in the future. Note that there can be only one
1654 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001655 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001656 specify a capture in a "defaults" section.
1657
1658 Example:
1659 capture cookie ASPSESSION len 32
1660
1661 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001662 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001663
1664
1665capture request header <name> len <length>
1666 Capture and log the first occurrence of the specified request header.
1667 May be used in sections : defaults | frontend | listen | backend
1668 no | yes | yes | no
1669 Arguments :
1670 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001671 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001672 appear in the requests, with the first letter of each word in
1673 upper case. The header name will not appear in the logs, only the
1674 value is reported, but the position in the logs is respected.
1675
1676 <length> is the maximum number of characters to extract from the value and
1677 report in the logs. The string will be truncated on the right if
1678 it exceeds <length>.
1679
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001680 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001681 value will be added to the logs between braces ('{}'). If multiple headers
1682 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001683 in the same order they were declared in the configuration. Non-existent
1684 headers will be logged just as an empty string. Common uses for request
1685 header captures include the "Host" field in virtual hosting environments, the
1686 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001687 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001688 environments to find where the request came from.
1689
1690 Note that when capturing headers such as "User-agent", some spaces may be
1691 logged, making the log analysis more difficult. Thus be careful about what
1692 you log if you know your log parser is not smart enough to rely on the
1693 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001694
1695 There is no limit to the number of captured request headers, but each capture
1696 is limited to 64 characters. In order to keep log format consistent for a
1697 same frontend, header captures can only be declared in a frontend. It is not
1698 possible to specify a capture in a "defaults" section.
1699
1700 Example:
1701 capture request header Host len 15
1702 capture request header X-Forwarded-For len 15
1703 capture request header Referrer len 15
1704
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001705 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001706 about logging.
1707
1708
1709capture response header <name> len <length>
1710 Capture and log the first occurrence of the specified response header.
1711 May be used in sections : defaults | frontend | listen | backend
1712 no | yes | yes | no
1713 Arguments :
1714 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001715 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001716 appear in the response, with the first letter of each word in
1717 upper case. The header name will not appear in the logs, only the
1718 value is reported, but the position in the logs is respected.
1719
1720 <length> is the maximum number of characters to extract from the value and
1721 report in the logs. The string will be truncated on the right if
1722 it exceeds <length>.
1723
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001724 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001725 result will be added to the logs between braces ('{}') after the captured
1726 request headers. If multiple headers are captured, they will be delimited by
1727 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001728 the configuration. Non-existent headers will be logged just as an empty
1729 string. Common uses for response header captures include the "Content-length"
1730 header which indicates how many bytes are expected to be returned, the
1731 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001732
1733 There is no limit to the number of captured response headers, but each
1734 capture is limited to 64 characters. In order to keep log format consistent
1735 for a same frontend, header captures can only be declared in a frontend. It
1736 is not possible to specify a capture in a "defaults" section.
1737
1738 Example:
1739 capture response header Content-length len 9
1740 capture response header Location len 15
1741
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001742 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001743 about logging.
1744
1745
Cyril Bontéf0c60612010-02-06 14:44:47 +01001746clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001747 Set the maximum inactivity time on the client side.
1748 May be used in sections : defaults | frontend | listen | backend
1749 yes | yes | yes | no
1750 Arguments :
1751 <timeout> is the timeout value is specified in milliseconds by default, but
1752 can be in any other unit if the number is suffixed by the unit,
1753 as explained at the top of this document.
1754
1755 The inactivity timeout applies when the client is expected to acknowledge or
1756 send data. In HTTP mode, this timeout is particularly important to consider
1757 during the first phase, when the client sends the request, and during the
1758 response while it is reading data sent by the server. The value is specified
1759 in milliseconds by default, but can be in any other unit if the number is
1760 suffixed by the unit, as specified at the top of this document. In TCP mode
1761 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1762 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001763 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001764 losses by specifying timeouts that are slightly above multiples of 3 seconds
1765 (eg: 4 or 5 seconds).
1766
1767 This parameter is specific to frontends, but can be specified once for all in
1768 "defaults" sections. This is in fact one of the easiest solutions not to
1769 forget about it. An unspecified timeout results in an infinite timeout, which
1770 is not recommended. Such a usage is accepted and works but reports a warning
1771 during startup because it may results in accumulation of expired sessions in
1772 the system if the system's timeouts are not configured either.
1773
1774 This parameter is provided for compatibility but is currently deprecated.
1775 Please use "timeout client" instead.
1776
Willy Tarreau036fae02008-01-06 13:24:40 +01001777 See also : "timeout client", "timeout http-request", "timeout server", and
1778 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001779
1780
Cyril Bontéf0c60612010-02-06 14:44:47 +01001781contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001782 Set the maximum time to wait for a connection attempt to a server to succeed.
1783 May be used in sections : defaults | frontend | listen | backend
1784 yes | no | yes | yes
1785 Arguments :
1786 <timeout> is the timeout value is specified in milliseconds by default, but
1787 can be in any other unit if the number is suffixed by the unit,
1788 as explained at the top of this document.
1789
1790 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001791 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001792 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001793 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1794 connect timeout also presets the queue timeout to the same value if this one
1795 has not been specified. Historically, the contimeout was also used to set the
1796 tarpit timeout in a listen section, which is not possible in a pure frontend.
1797
1798 This parameter is specific to backends, but can be specified once for all in
1799 "defaults" sections. This is in fact one of the easiest solutions not to
1800 forget about it. An unspecified timeout results in an infinite timeout, which
1801 is not recommended. Such a usage is accepted and works but reports a warning
1802 during startup because it may results in accumulation of failed sessions in
1803 the system if the system's timeouts are not configured either.
1804
1805 This parameter is provided for backwards compatibility but is currently
1806 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1807 instead.
1808
1809 See also : "timeout connect", "timeout queue", "timeout tarpit",
1810 "timeout server", "contimeout".
1811
1812
Willy Tarreau55165fe2009-05-10 12:02:55 +02001813cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02001814 [ postonly ] [ preserve ] [ httponly ] [ secure ]
1815 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001816 Enable cookie-based persistence in a backend.
1817 May be used in sections : defaults | frontend | listen | backend
1818 yes | no | yes | yes
1819 Arguments :
1820 <name> is the name of the cookie which will be monitored, modified or
1821 inserted in order to bring persistence. This cookie is sent to
1822 the client via a "Set-Cookie" header in the response, and is
1823 brought back by the client in a "Cookie" header in all requests.
1824 Special care should be taken to choose a name which does not
1825 conflict with any likely application cookie. Also, if the same
1826 backends are subject to be used by the same clients (eg:
1827 HTTP/HTTPS), care should be taken to use different cookie names
1828 between all backends if persistence between them is not desired.
1829
1830 rewrite This keyword indicates that the cookie will be provided by the
1831 server and that haproxy will have to modify its value to set the
1832 server's identifier in it. This mode is handy when the management
1833 of complex combinations of "Set-cookie" and "Cache-control"
1834 headers is left to the application. The application can then
1835 decide whether or not it is appropriate to emit a persistence
1836 cookie. Since all responses should be monitored, this mode only
1837 works in HTTP close mode. Unless the application behaviour is
1838 very complex and/or broken, it is advised not to start with this
1839 mode for new deployments. This keyword is incompatible with
1840 "insert" and "prefix".
1841
1842 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001843 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001844
Willy Tarreaua79094d2010-08-31 22:54:15 +02001845 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001846 server. When used without the "preserve" option, if the server
1847 emits a cookie with the same name, it will be remove before
1848 processing. For this reason, this mode can be used to upgrade
1849 existing configurations running in the "rewrite" mode. The cookie
1850 will only be a session cookie and will not be stored on the
1851 client's disk. By default, unless the "indirect" option is added,
1852 the server will see the cookies emitted by the client. Due to
1853 caching effects, it is generally wise to add the "nocache" or
1854 "postonly" keywords (see below). The "insert" keyword is not
1855 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001856
1857 prefix This keyword indicates that instead of relying on a dedicated
1858 cookie for the persistence, an existing one will be completed.
1859 This may be needed in some specific environments where the client
1860 does not support more than one single cookie and the application
1861 already needs it. In this case, whenever the server sets a cookie
1862 named <name>, it will be prefixed with the server's identifier
1863 and a delimiter. The prefix will be removed from all client
1864 requests so that the server still finds the cookie it emitted.
1865 Since all requests and responses are subject to being modified,
1866 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02001867 not compatible with "rewrite" and "insert". Note: it is highly
1868 recommended not to use "indirect" with "prefix", otherwise server
1869 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001870
Willy Tarreaua79094d2010-08-31 22:54:15 +02001871 indirect When this option is specified, no cookie will be emitted to a
1872 client which already has a valid one for the server which has
1873 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001874 it will be removed, unless the "preserve" option is also set. In
1875 "insert" mode, this will additionally remove cookies from the
1876 requests transmitted to the server, making the persistence
1877 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02001878 Note: it is highly recommended not to use "indirect" with
1879 "prefix", otherwise server cookie updates would not be sent to
1880 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001881
1882 nocache This option is recommended in conjunction with the insert mode
1883 when there is a cache between the client and HAProxy, as it
1884 ensures that a cacheable response will be tagged non-cacheable if
1885 a cookie needs to be inserted. This is important because if all
1886 persistence cookies are added on a cacheable home page for
1887 instance, then all customers will then fetch the page from an
1888 outer cache and will all share the same persistence cookie,
1889 leading to one server receiving much more traffic than others.
1890 See also the "insert" and "postonly" options.
1891
1892 postonly This option ensures that cookie insertion will only be performed
1893 on responses to POST requests. It is an alternative to the
1894 "nocache" option, because POST responses are not cacheable, so
1895 this ensures that the persistence cookie will never get cached.
1896 Since most sites do not need any sort of persistence before the
1897 first POST which generally is a login request, this is a very
1898 efficient method to optimize caching without risking to find a
1899 persistence cookie in the cache.
1900 See also the "insert" and "nocache" options.
1901
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001902 preserve This option may only be used with "insert" and/or "indirect". It
1903 allows the server to emit the persistence cookie itself. In this
1904 case, if a cookie is found in the response, haproxy will leave it
1905 untouched. This is useful in order to end persistence after a
1906 logout request for instance. For this, the server just has to
1907 emit a cookie with an invalid value (eg: empty) or with a date in
1908 the past. By combining this mechanism with the "disable-on-404"
1909 check option, it is possible to perform a completely graceful
1910 shutdown because users will definitely leave the server after
1911 they logout.
1912
Willy Tarreau4992dd22012-05-31 21:02:17 +02001913 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
1914 when a cookie is inserted. This attribute is used so that a
1915 user agent doesn't share the cookie with non-HTTP components.
1916 Please check RFC6265 for more information on this attribute.
1917
1918 secure This option tells haproxy to add a "Secure" cookie attribute when
1919 a cookie is inserted. This attribute is used so that a user agent
1920 never emits this cookie over non-secure channels, which means
1921 that a cookie learned with this flag will be presented only over
1922 SSL/TLS connections. Please check RFC6265 for more information on
1923 this attribute.
1924
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001925 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001926 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001927 name. If the domain begins with a dot, the browser is allowed to
1928 use it for any host ending with that name. It is also possible to
1929 specify several domain names by invoking this option multiple
1930 times. Some browsers might have small limits on the number of
1931 domains, so be careful when doing that. For the record, sending
1932 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001933
Willy Tarreau996a92c2010-10-13 19:30:47 +02001934 maxidle This option allows inserted cookies to be ignored after some idle
1935 time. It only works with insert-mode cookies. When a cookie is
1936 sent to the client, the date this cookie was emitted is sent too.
1937 Upon further presentations of this cookie, if the date is older
1938 than the delay indicated by the parameter (in seconds), it will
1939 be ignored. Otherwise, it will be refreshed if needed when the
1940 response is sent to the client. This is particularly useful to
1941 prevent users who never close their browsers from remaining for
1942 too long on the same server (eg: after a farm size change). When
1943 this option is set and a cookie has no date, it is always
1944 accepted, but gets refreshed in the response. This maintains the
1945 ability for admins to access their sites. Cookies that have a
1946 date in the future further than 24 hours are ignored. Doing so
1947 lets admins fix timezone issues without risking kicking users off
1948 the site.
1949
1950 maxlife This option allows inserted cookies to be ignored after some life
1951 time, whether they're in use or not. It only works with insert
1952 mode cookies. When a cookie is first sent to the client, the date
1953 this cookie was emitted is sent too. Upon further presentations
1954 of this cookie, if the date is older than the delay indicated by
1955 the parameter (in seconds), it will be ignored. If the cookie in
1956 the request has no date, it is accepted and a date will be set.
1957 Cookies that have a date in the future further than 24 hours are
1958 ignored. Doing so lets admins fix timezone issues without risking
1959 kicking users off the site. Contrary to maxidle, this value is
1960 not refreshed, only the first visit date counts. Both maxidle and
1961 maxlife may be used at the time. This is particularly useful to
1962 prevent users who never close their browsers from remaining for
1963 too long on the same server (eg: after a farm size change). This
1964 is stronger than the maxidle method in that it forces a
1965 redispatch after some absolute delay.
1966
Willy Tarreau0ba27502007-12-24 16:55:16 +01001967 There can be only one persistence cookie per HTTP backend, and it can be
1968 declared in a defaults section. The value of the cookie will be the value
1969 indicated after the "cookie" keyword in a "server" statement. If no cookie
1970 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001971
Willy Tarreau0ba27502007-12-24 16:55:16 +01001972 Examples :
1973 cookie JSESSIONID prefix
1974 cookie SRV insert indirect nocache
1975 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02001976 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01001977
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001978 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001979 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001980
Willy Tarreau983e01e2010-01-11 18:42:06 +01001981
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001982default-server [param*]
1983 Change default options for a server in a backend
1984 May be used in sections : defaults | frontend | listen | backend
1985 yes | no | yes | yes
1986 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001987 <param*> is a list of parameters for this server. The "default-server"
1988 keyword accepts an important number of options and has a complete
1989 section dedicated to it. Please refer to section 5 for more
1990 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001991
Willy Tarreau983e01e2010-01-11 18:42:06 +01001992 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001993 default-server inter 1000 weight 13
1994
1995 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001996
Willy Tarreau983e01e2010-01-11 18:42:06 +01001997
Willy Tarreau0ba27502007-12-24 16:55:16 +01001998default_backend <backend>
1999 Specify the backend to use when no "use_backend" rule has been matched.
2000 May be used in sections : defaults | frontend | listen | backend
2001 yes | yes | yes | no
2002 Arguments :
2003 <backend> is the name of the backend to use.
2004
2005 When doing content-switching between frontend and backends using the
2006 "use_backend" keyword, it is often useful to indicate which backend will be
2007 used when no rule has matched. It generally is the dynamic backend which
2008 will catch all undetermined requests.
2009
Willy Tarreau0ba27502007-12-24 16:55:16 +01002010 Example :
2011
2012 use_backend dynamic if url_dyn
2013 use_backend static if url_css url_img extension_img
2014 default_backend dynamic
2015
Willy Tarreau2769aa02007-12-27 18:26:09 +01002016 See also : "use_backend", "reqsetbe", "reqisetbe"
2017
Willy Tarreau0ba27502007-12-24 16:55:16 +01002018
2019disabled
2020 Disable a proxy, frontend or backend.
2021 May be used in sections : defaults | frontend | listen | backend
2022 yes | yes | yes | yes
2023 Arguments : none
2024
2025 The "disabled" keyword is used to disable an instance, mainly in order to
2026 liberate a listening port or to temporarily disable a service. The instance
2027 will still be created and its configuration will be checked, but it will be
2028 created in the "stopped" state and will appear as such in the statistics. It
2029 will not receive any traffic nor will it send any health-checks or logs. It
2030 is possible to disable many instances at once by adding the "disabled"
2031 keyword in a "defaults" section.
2032
2033 See also : "enabled"
2034
2035
Willy Tarreau5ce94572010-06-07 14:35:41 +02002036dispatch <address>:<port>
2037 Set a default server address
2038 May be used in sections : defaults | frontend | listen | backend
2039 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002040 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002041
2042 <address> is the IPv4 address of the default server. Alternatively, a
2043 resolvable hostname is supported, but this name will be resolved
2044 during start-up.
2045
2046 <ports> is a mandatory port specification. All connections will be sent
2047 to this port, and it is not permitted to use port offsets as is
2048 possible with normal servers.
2049
Willy Tarreau787aed52011-04-15 06:45:37 +02002050 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002051 server can take the connection. In the past it was used to forward non
2052 persistent connections to an auxiliary load balancer. Due to its simple
2053 syntax, it has also been used for simple TCP relays. It is recommended not to
2054 use it for more clarity, and to use the "server" directive instead.
2055
2056 See also : "server"
2057
2058
Willy Tarreau0ba27502007-12-24 16:55:16 +01002059enabled
2060 Enable a proxy, frontend or backend.
2061 May be used in sections : defaults | frontend | listen | backend
2062 yes | yes | yes | yes
2063 Arguments : none
2064
2065 The "enabled" keyword is used to explicitly enable an instance, when the
2066 defaults has been set to "disabled". This is very rarely used.
2067
2068 See also : "disabled"
2069
2070
2071errorfile <code> <file>
2072 Return a file contents instead of errors generated by HAProxy
2073 May be used in sections : defaults | frontend | listen | backend
2074 yes | yes | yes | yes
2075 Arguments :
2076 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002077 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002078
2079 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002080 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002081 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002082 error pages, and to use absolute paths, since files are read
2083 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002084
2085 It is important to understand that this keyword is not meant to rewrite
2086 errors returned by the server, but errors detected and returned by HAProxy.
2087 This is why the list of supported errors is limited to a small set.
2088
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002089 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2090
Willy Tarreau0ba27502007-12-24 16:55:16 +01002091 The files are returned verbatim on the TCP socket. This allows any trick such
2092 as redirections to another URL or site, as well as tricks to clean cookies,
2093 force enable or disable caching, etc... The package provides default error
2094 files returning the same contents as default errors.
2095
Willy Tarreau59140a22009-02-22 12:02:30 +01002096 The files should not exceed the configured buffer size (BUFSIZE), which
2097 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2098 not to put any reference to local contents (eg: images) in order to avoid
2099 loops between the client and HAProxy when all servers are down, causing an
2100 error to be returned instead of an image. For better HTTP compliance, it is
2101 recommended that all header lines end with CR-LF and not LF alone.
2102
Willy Tarreau0ba27502007-12-24 16:55:16 +01002103 The files are read at the same time as the configuration and kept in memory.
2104 For this reason, the errors continue to be returned even when the process is
2105 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002106 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002107 403 status code and interrogating a blocked URL.
2108
2109 See also : "errorloc", "errorloc302", "errorloc303"
2110
Willy Tarreau59140a22009-02-22 12:02:30 +01002111 Example :
2112 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
2113 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2114 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2115
Willy Tarreau2769aa02007-12-27 18:26:09 +01002116
2117errorloc <code> <url>
2118errorloc302 <code> <url>
2119 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2120 May be used in sections : defaults | frontend | listen | backend
2121 yes | yes | yes | yes
2122 Arguments :
2123 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002124 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002125
2126 <url> it is the exact contents of the "Location" header. It may contain
2127 either a relative URI to an error page hosted on the same site,
2128 or an absolute URI designating an error page on another site.
2129 Special care should be given to relative URIs to avoid redirect
2130 loops if the URI itself may generate the same error (eg: 500).
2131
2132 It is important to understand that this keyword is not meant to rewrite
2133 errors returned by the server, but errors detected and returned by HAProxy.
2134 This is why the list of supported errors is limited to a small set.
2135
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002136 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2137
Willy Tarreau2769aa02007-12-27 18:26:09 +01002138 Note that both keyword return the HTTP 302 status code, which tells the
2139 client to fetch the designated URL using the same HTTP method. This can be
2140 quite problematic in case of non-GET methods such as POST, because the URL
2141 sent to the client might not be allowed for something other than GET. To
2142 workaround this problem, please use "errorloc303" which send the HTTP 303
2143 status code, indicating to the client that the URL must be fetched with a GET
2144 request.
2145
2146 See also : "errorfile", "errorloc303"
2147
2148
2149errorloc303 <code> <url>
2150 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2151 May be used in sections : defaults | frontend | listen | backend
2152 yes | yes | yes | yes
2153 Arguments :
2154 <code> is the HTTP status code. Currently, HAProxy is capable of
2155 generating codes 400, 403, 408, 500, 502, 503, and 504.
2156
2157 <url> it is the exact contents of the "Location" header. It may contain
2158 either a relative URI to an error page hosted on the same site,
2159 or an absolute URI designating an error page on another site.
2160 Special care should be given to relative URIs to avoid redirect
2161 loops if the URI itself may generate the same error (eg: 500).
2162
2163 It is important to understand that this keyword is not meant to rewrite
2164 errors returned by the server, but errors detected and returned by HAProxy.
2165 This is why the list of supported errors is limited to a small set.
2166
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002167 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2168
Willy Tarreau2769aa02007-12-27 18:26:09 +01002169 Note that both keyword return the HTTP 303 status code, which tells the
2170 client to fetch the designated URL using the same HTTP GET method. This
2171 solves the usual problems associated with "errorloc" and the 302 code. It is
2172 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002173 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002174
2175 See also : "errorfile", "errorloc", "errorloc302"
2176
2177
Willy Tarreau4de91492010-01-22 19:10:05 +01002178force-persist { if | unless } <condition>
2179 Declare a condition to force persistence on down servers
2180 May be used in sections: defaults | frontend | listen | backend
2181 no | yes | yes | yes
2182
2183 By default, requests are not dispatched to down servers. It is possible to
2184 force this using "option persist", but it is unconditional and redispatches
2185 to a valid server if "option redispatch" is set. That leaves with very little
2186 possibilities to force some requests to reach a server which is artificially
2187 marked down for maintenance operations.
2188
2189 The "force-persist" statement allows one to declare various ACL-based
2190 conditions which, when met, will cause a request to ignore the down status of
2191 a server and still try to connect to it. That makes it possible to start a
2192 server, still replying an error to the health checks, and run a specially
2193 configured browser to test the service. Among the handy methods, one could
2194 use a specific source IP address, or a specific cookie. The cookie also has
2195 the advantage that it can easily be added/removed on the browser from a test
2196 page. Once the service is validated, it is then possible to open the service
2197 to the world by returning a valid response to health checks.
2198
2199 The forced persistence is enabled when an "if" condition is met, or unless an
2200 "unless" condition is met. The final redispatch is always disabled when this
2201 is used.
2202
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002203 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002204 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002205
2206
Willy Tarreau2769aa02007-12-27 18:26:09 +01002207fullconn <conns>
2208 Specify at what backend load the servers will reach their maxconn
2209 May be used in sections : defaults | frontend | listen | backend
2210 yes | no | yes | yes
2211 Arguments :
2212 <conns> is the number of connections on the backend which will make the
2213 servers use the maximal number of connections.
2214
Willy Tarreau198a7442008-01-17 12:05:32 +01002215 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002216 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002217 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002218 load. The server will then always accept at least <minconn> connections,
2219 never more than <maxconn>, and the limit will be on the ramp between both
2220 values when the backend has less than <conns> concurrent connections. This
2221 makes it possible to limit the load on the servers during normal loads, but
2222 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002223 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002224
Willy Tarreaufbb78422011-06-05 15:38:35 +02002225 Since it's hard to get this value right, haproxy automatically sets it to
2226 10% of the sum of the maxconns of all frontends that may branch to this
2227 backend. That way it's safe to leave it unset.
2228
Willy Tarreau2769aa02007-12-27 18:26:09 +01002229 Example :
2230 # The servers will accept between 100 and 1000 concurrent connections each
2231 # and the maximum of 1000 will be reached when the backend reaches 10000
2232 # connections.
2233 backend dynamic
2234 fullconn 10000
2235 server srv1 dyn1:80 minconn 100 maxconn 1000
2236 server srv2 dyn2:80 minconn 100 maxconn 1000
2237
2238 See also : "maxconn", "server"
2239
2240
2241grace <time>
2242 Maintain a proxy operational for some time after a soft stop
2243 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002244 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002245 Arguments :
2246 <time> is the time (by default in milliseconds) for which the instance
2247 will remain operational with the frontend sockets still listening
2248 when a soft-stop is received via the SIGUSR1 signal.
2249
2250 This may be used to ensure that the services disappear in a certain order.
2251 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002252 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002253 needed by the equipment to detect the failure.
2254
2255 Note that currently, there is very little benefit in using this parameter,
2256 and it may in fact complicate the soft-reconfiguration process more than
2257 simplify it.
2258
Willy Tarreau0ba27502007-12-24 16:55:16 +01002259
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002260hash-type <method>
2261 Specify a method to use for mapping hashes to servers
2262 May be used in sections : defaults | frontend | listen | backend
2263 yes | no | yes | yes
2264 Arguments :
2265 map-based the hash table is a static array containing all alive servers.
2266 The hashes will be very smooth, will consider weights, but will
2267 be static in that weight changes while a server is up will be
2268 ignored. This means that there will be no slow start. Also,
2269 since a server is selected by its position in the array, most
2270 mappings are changed when the server count changes. This means
2271 that when a server goes up or down, or when a server is added
2272 to a farm, most connections will be redistributed to different
2273 servers. This can be inconvenient with caches for instance.
2274
Willy Tarreau798a39c2010-11-24 15:04:29 +01002275 avalanche this mechanism uses the default map-based hashing described
2276 above but applies a full avalanche hash before performing the
2277 mapping. The result is a slightly less smooth hash for most
2278 situations, but the hash becomes better than pure map-based
2279 hashes when the number of servers is a multiple of the size of
2280 the input set. When using URI hash with a number of servers
2281 multiple of 64, it's desirable to change the hash type to
2282 this value.
2283
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002284 consistent the hash table is a tree filled with many occurrences of each
2285 server. The hash key is looked up in the tree and the closest
2286 server is chosen. This hash is dynamic, it supports changing
2287 weights while the servers are up, so it is compatible with the
2288 slow start feature. It has the advantage that when a server
2289 goes up or down, only its associations are moved. When a server
2290 is added to the farm, only a few part of the mappings are
2291 redistributed, making it an ideal algorithm for caches.
2292 However, due to its principle, the algorithm will never be very
2293 smooth and it may sometimes be necessary to adjust a server's
2294 weight or its ID to get a more balanced distribution. In order
2295 to get the same distribution on multiple load balancers, it is
2296 important that all servers have the same IDs.
2297
2298 The default hash type is "map-based" and is recommended for most usages.
2299
2300 See also : "balance", "server"
2301
2302
Willy Tarreau0ba27502007-12-24 16:55:16 +01002303http-check disable-on-404
2304 Enable a maintenance mode upon HTTP/404 response to health-checks
2305 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002306 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002307 Arguments : none
2308
2309 When this option is set, a server which returns an HTTP code 404 will be
2310 excluded from further load-balancing, but will still receive persistent
2311 connections. This provides a very convenient method for Web administrators
2312 to perform a graceful shutdown of their servers. It is also important to note
2313 that a server which is detected as failed while it was in this mode will not
2314 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2315 will immediately be reinserted into the farm. The status on the stats page
2316 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002317 option only works in conjunction with the "httpchk" option. If this option
2318 is used with "http-check expect", then it has precedence over it so that 404
2319 responses will still be considered as soft-stop.
2320
2321 See also : "option httpchk", "http-check expect"
2322
2323
2324http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002325 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01002326 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002327 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002328 Arguments :
2329 <match> is a keyword indicating how to look for a specific pattern in the
2330 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002331 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002332 exclamation mark ("!") to negate the match. Spaces are allowed
2333 between the exclamation mark and the keyword. See below for more
2334 details on the supported keywords.
2335
2336 <pattern> is the pattern to look for. It may be a string or a regular
2337 expression. If the pattern contains spaces, they must be escaped
2338 with the usual backslash ('\').
2339
2340 By default, "option httpchk" considers that response statuses 2xx and 3xx
2341 are valid, and that others are invalid. When "http-check expect" is used,
2342 it defines what is considered valid or invalid. Only one "http-check"
2343 statement is supported in a backend. If a server fails to respond or times
2344 out, the check obviously fails. The available matches are :
2345
2346 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002347 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002348 response's status code is exactly this string. If the
2349 "status" keyword is prefixed with "!", then the response
2350 will be considered invalid if the status code matches.
2351
2352 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002353 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002354 response's status code matches the expression. If the
2355 "rstatus" keyword is prefixed with "!", then the response
2356 will be considered invalid if the status code matches.
2357 This is mostly used to check for multiple codes.
2358
2359 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002360 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002361 response's body contains this exact string. If the
2362 "string" keyword is prefixed with "!", then the response
2363 will be considered invalid if the body contains this
2364 string. This can be used to look for a mandatory word at
2365 the end of a dynamic page, or to detect a failure when a
2366 specific error appears on the check page (eg: a stack
2367 trace).
2368
2369 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002370 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002371 response's body matches this expression. If the "rstring"
2372 keyword is prefixed with "!", then the response will be
2373 considered invalid if the body matches the expression.
2374 This can be used to look for a mandatory word at the end
2375 of a dynamic page, or to detect a failure when a specific
2376 error appears on the check page (eg: a stack trace).
2377
2378 It is important to note that the responses will be limited to a certain size
2379 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2380 Thus, too large responses may not contain the mandatory pattern when using
2381 "string" or "rstring". If a large response is absolutely required, it is
2382 possible to change the default max size by setting the global variable.
2383 However, it is worth keeping in mind that parsing very large responses can
2384 waste some CPU cycles, especially when regular expressions are used, and that
2385 it is always better to focus the checks on smaller resources.
2386
2387 Last, if "http-check expect" is combined with "http-check disable-on-404",
2388 then this last one has precedence when the server responds with 404.
2389
2390 Examples :
2391 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002392 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002393
2394 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002395 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002396
2397 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002398 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002399
2400 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002401 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002402
Willy Tarreaubd741542010-03-16 18:46:54 +01002403 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002404
2405
Willy Tarreauef781042010-01-27 11:53:01 +01002406http-check send-state
2407 Enable emission of a state header with HTTP health checks
2408 May be used in sections : defaults | frontend | listen | backend
2409 yes | no | yes | yes
2410 Arguments : none
2411
2412 When this option is set, haproxy will systematically send a special header
2413 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2414 how they are seen by haproxy. This can be used for instance when a server is
2415 manipulated without access to haproxy and the operator needs to know whether
2416 haproxy still sees it up or not, or if the server is the last one in a farm.
2417
2418 The header is composed of fields delimited by semi-colons, the first of which
2419 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2420 checks on the total number before transition, just as appears in the stats
2421 interface. Next headers are in the form "<variable>=<value>", indicating in
2422 no specific order some values available in the stats interface :
2423 - a variable "name", containing the name of the backend followed by a slash
2424 ("/") then the name of the server. This can be used when a server is
2425 checked in multiple backends.
2426
2427 - a variable "node" containing the name of the haproxy node, as set in the
2428 global "node" variable, otherwise the system's hostname if unspecified.
2429
2430 - a variable "weight" indicating the weight of the server, a slash ("/")
2431 and the total weight of the farm (just counting usable servers). This
2432 helps to know if other servers are available to handle the load when this
2433 one fails.
2434
2435 - a variable "scur" indicating the current number of concurrent connections
2436 on the server, followed by a slash ("/") then the total number of
2437 connections on all servers of the same backend.
2438
2439 - a variable "qcur" indicating the current number of requests in the
2440 server's queue.
2441
2442 Example of a header received by the application server :
2443 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2444 scur=13/22; qcur=0
2445
2446 See also : "option httpchk", "http-check disable-on-404"
2447
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002448http-request { allow | deny | auth [realm <realm>] }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002449 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002450 Access control for Layer 7 requests
2451
2452 May be used in sections: defaults | frontend | listen | backend
2453 no | yes | yes | yes
2454
2455 These set of options allow to fine control access to a
2456 frontend/listen/backend. Each option may be followed by if/unless and acl.
2457 First option with matched condition (or option without condition) is final.
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002458 For "deny" a 403 error will be returned, for "allow" normal processing is
2459 performed, for "auth" a 401/407 error code is returned so the client
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002460 should be asked to enter a username and password.
2461
2462 There is no fixed limit to the number of http-request statements per
2463 instance.
2464
2465 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002466 acl nagios src 192.168.129.3
2467 acl local_net src 192.168.0.0/16
2468 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002469
Cyril Bonté78caf842010-03-10 22:41:43 +01002470 http-request allow if nagios
2471 http-request allow if local_net auth_ok
2472 http-request auth realm Gimme if local_net auth_ok
2473 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002474
Cyril Bonté78caf842010-03-10 22:41:43 +01002475 Example:
2476 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002477
Cyril Bonté78caf842010-03-10 22:41:43 +01002478 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002479
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002480 See also : "stats http-request", section 3.4 about userlists and section 7
2481 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002482
Mark Lamourinec2247f02012-01-04 13:02:01 -05002483http-send-name-header [<header>]
2484 Add the server name to a request. Use the header string given by <header>
2485
2486 May be used in sections: defaults | frontend | listen | backend
2487 yes | no | yes | yes
2488
2489 Arguments :
2490
2491 <header> The header string to use to send the server name
2492
2493 The "http-send-name-header" statement causes the name of the target
2494 server to be added to the headers of an HTTP request. The name
2495 is added with the header string proved.
2496
2497 See also : "server"
2498
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002499id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002500 Set a persistent ID to a proxy.
2501 May be used in sections : defaults | frontend | listen | backend
2502 no | yes | yes | yes
2503 Arguments : none
2504
2505 Set a persistent ID for the proxy. This ID must be unique and positive.
2506 An unused ID will automatically be assigned if unset. The first assigned
2507 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002508
2509
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002510ignore-persist { if | unless } <condition>
2511 Declare a condition to ignore persistence
2512 May be used in sections: defaults | frontend | listen | backend
2513 no | yes | yes | yes
2514
2515 By default, when cookie persistence is enabled, every requests containing
2516 the cookie are unconditionally persistent (assuming the target server is up
2517 and running).
2518
2519 The "ignore-persist" statement allows one to declare various ACL-based
2520 conditions which, when met, will cause a request to ignore persistence.
2521 This is sometimes useful to load balance requests for static files, which
2522 oftenly don't require persistence. This can also be used to fully disable
2523 persistence for a specific User-Agent (for example, some web crawler bots).
2524
2525 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2526 the appsession table won't grow if persistence is ignored.
2527
2528 The persistence is ignored when an "if" condition is met, or unless an
2529 "unless" condition is met.
2530
2531 See also : "force-persist", "cookie", and section 7 about ACL usage.
2532
2533
Willy Tarreau2769aa02007-12-27 18:26:09 +01002534log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002535log <address> <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02002536no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01002537 Enable per-instance logging of events and traffic.
2538 May be used in sections : defaults | frontend | listen | backend
2539 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02002540
2541 Prefix :
2542 no should be used when the logger list must be flushed. For example,
2543 if you don't want to inherit from the default logger list. This
2544 prefix does not allow arguments.
2545
Willy Tarreau2769aa02007-12-27 18:26:09 +01002546 Arguments :
2547 global should be used when the instance's logging parameters are the
2548 same as the global ones. This is the most common usage. "global"
2549 replaces <address>, <facility> and <level> with those of the log
2550 entries found in the "global" section. Only one "log global"
2551 statement may be used per instance, and this form takes no other
2552 parameter.
2553
2554 <address> indicates where to send the logs. It takes the same format as
2555 for the "global" section's logs, and can be one of :
2556
2557 - An IPv4 address optionally followed by a colon (':') and a UDP
2558 port. If no port is specified, 514 is used by default (the
2559 standard syslog port).
2560
David du Colombier24bb5f52011-03-17 10:40:23 +01002561 - An IPv6 address followed by a colon (':') and optionally a UDP
2562 port. If no port is specified, 514 is used by default (the
2563 standard syslog port).
2564
Willy Tarreau2769aa02007-12-27 18:26:09 +01002565 - A filesystem path to a UNIX domain socket, keeping in mind
2566 considerations for chroot (be sure the path is accessible
2567 inside the chroot) and uid/gid (be sure the path is
2568 appropriately writeable).
2569
2570 <facility> must be one of the 24 standard syslog facilities :
2571
2572 kern user mail daemon auth syslog lpr news
2573 uucp cron auth2 ftp ntp audit alert cron2
2574 local0 local1 local2 local3 local4 local5 local6 local7
2575
2576 <level> is optional and can be specified to filter outgoing messages. By
2577 default, all messages are sent. If a level is specified, only
2578 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002579 will be sent. An optional minimum level can be specified. If it
2580 is set, logs emitted with a more severe level than this one will
2581 be capped to this level. This is used to avoid sending "emerg"
2582 messages on all terminals on some default syslog configurations.
2583 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002584
2585 emerg alert crit err warning notice info debug
2586
William Lallemand0f99e342011-10-12 17:50:54 +02002587 It is important to keep in mind that it is the frontend which decides what to
2588 log from a connection, and that in case of content switching, the log entries
2589 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002590
2591 However, backend log declaration define how and where servers status changes
2592 will be logged. Level "notice" will be used to indicate a server going up,
2593 "warning" will be used for termination signals and definitive service
2594 termination, and "alert" will be used for when a server goes down.
2595
2596 Note : According to RFC3164, messages are truncated to 1024 bytes before
2597 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002598
2599 Example :
2600 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002601 log 127.0.0.1:514 local0 notice # only send important events
2602 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002603
William Lallemand48940402012-01-30 16:47:22 +01002604log-format <string>
2605 Allows you to custom a log line.
2606
2607 See also : Custom Log Format (8.2.4)
2608
Willy Tarreau2769aa02007-12-27 18:26:09 +01002609
2610maxconn <conns>
2611 Fix the maximum number of concurrent connections on a frontend
2612 May be used in sections : defaults | frontend | listen | backend
2613 yes | yes | yes | no
2614 Arguments :
2615 <conns> is the maximum number of concurrent connections the frontend will
2616 accept to serve. Excess connections will be queued by the system
2617 in the socket's listen queue and will be served once a connection
2618 closes.
2619
2620 If the system supports it, it can be useful on big sites to raise this limit
2621 very high so that haproxy manages connection queues, instead of leaving the
2622 clients with unanswered connection attempts. This value should not exceed the
2623 global maxconn. Also, keep in mind that a connection contains two buffers
2624 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2625 consumed per established connection. That means that a medium system equipped
2626 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2627 properly tuned.
2628
2629 Also, when <conns> is set to large values, it is possible that the servers
2630 are not sized to accept such loads, and for this reason it is generally wise
2631 to assign them some reasonable connection limits.
2632
Vincent Bernat6341be52012-06-27 17:18:30 +02002633 By default, this value is set to 2000.
2634
Willy Tarreau2769aa02007-12-27 18:26:09 +01002635 See also : "server", global section's "maxconn", "fullconn"
2636
2637
2638mode { tcp|http|health }
2639 Set the running mode or protocol of the instance
2640 May be used in sections : defaults | frontend | listen | backend
2641 yes | yes | yes | yes
2642 Arguments :
2643 tcp The instance will work in pure TCP mode. A full-duplex connection
2644 will be established between clients and servers, and no layer 7
2645 examination will be performed. This is the default mode. It
2646 should be used for SSL, SSH, SMTP, ...
2647
2648 http The instance will work in HTTP mode. The client request will be
2649 analyzed in depth before connecting to any server. Any request
2650 which is not RFC-compliant will be rejected. Layer 7 filtering,
2651 processing and switching will be possible. This is the mode which
2652 brings HAProxy most of its value.
2653
2654 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02002655 to incoming connections and close the connection. Alternatively,
2656 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
2657 instead. Nothing will be logged in either case. This mode is used
2658 to reply to external components health checks. This mode is
2659 deprecated and should not be used anymore as it is possible to do
2660 the same and even better by combining TCP or HTTP modes with the
2661 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002662
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002663 When doing content switching, it is mandatory that the frontend and the
2664 backend are in the same mode (generally HTTP), otherwise the configuration
2665 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002666
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002667 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002668 defaults http_instances
2669 mode http
2670
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002671 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002672
Willy Tarreau0ba27502007-12-24 16:55:16 +01002673
Cyril Bontéf0c60612010-02-06 14:44:47 +01002674monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002675 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002676 May be used in sections : defaults | frontend | listen | backend
2677 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002678 Arguments :
2679 if <cond> the monitor request will fail if the condition is satisfied,
2680 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002681 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002682 are met, for instance a low number of servers both in a
2683 backend and its backup.
2684
2685 unless <cond> the monitor request will succeed only if the condition is
2686 satisfied, and will fail otherwise. Such a condition may be
2687 based on a test on the presence of a minimum number of active
2688 servers in a list of backends.
2689
2690 This statement adds a condition which can force the response to a monitor
2691 request to report a failure. By default, when an external component queries
2692 the URI dedicated to monitoring, a 200 response is returned. When one of the
2693 conditions above is met, haproxy will return 503 instead of 200. This is
2694 very useful to report a site failure to an external component which may base
2695 routing advertisements between multiple sites on the availability reported by
2696 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002697 criterion. Note that "monitor fail" only works in HTTP mode. Both status
2698 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002699
2700 Example:
2701 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002702 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002703 acl site_dead nbsrv(dynamic) lt 2
2704 acl site_dead nbsrv(static) lt 2
2705 monitor-uri /site_alive
2706 monitor fail if site_dead
2707
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002708 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002709
2710
2711monitor-net <source>
2712 Declare a source network which is limited to monitor requests
2713 May be used in sections : defaults | frontend | listen | backend
2714 yes | yes | yes | no
2715 Arguments :
2716 <source> is the source IPv4 address or network which will only be able to
2717 get monitor responses to any request. It can be either an IPv4
2718 address, a host name, or an address followed by a slash ('/')
2719 followed by a mask.
2720
2721 In TCP mode, any connection coming from a source matching <source> will cause
2722 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002723 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002724 forwarding the connection to a remote server.
2725
2726 In HTTP mode, a connection coming from a source matching <source> will be
2727 accepted, the following response will be sent without waiting for a request,
2728 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2729 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02002730 running without forwarding the request to a backend server. Note that this
2731 response is sent in raw format, without any transformation. This is important
2732 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002733
Willy Tarreau82569f92012-09-27 23:48:56 +02002734 Monitor requests are processed very early, just after tcp-request connection
2735 ACLs which are the only ones able to block them. These connections are short
2736 lived and never wait for any data from the client. They cannot be logged, and
2737 it is the intended purpose. They are only used to report HAProxy's health to
2738 an upper component, nothing more. Please note that "monitor fail" rules do
2739 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01002740
Willy Tarreau95cd2832010-03-04 23:36:33 +01002741 Last, please note that only one "monitor-net" statement can be specified in
2742 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002743
Willy Tarreau2769aa02007-12-27 18:26:09 +01002744 Example :
2745 # addresses .252 and .253 are just probing us.
2746 frontend www
2747 monitor-net 192.168.0.252/31
2748
2749 See also : "monitor fail", "monitor-uri"
2750
2751
2752monitor-uri <uri>
2753 Intercept a URI used by external components' monitor requests
2754 May be used in sections : defaults | frontend | listen | backend
2755 yes | yes | yes | no
2756 Arguments :
2757 <uri> is the exact URI which we want to intercept to return HAProxy's
2758 health status instead of forwarding the request.
2759
2760 When an HTTP request referencing <uri> will be received on a frontend,
2761 HAProxy will not forward it nor log it, but instead will return either
2762 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2763 conditions defined with "monitor fail". This is normally enough for any
2764 front-end HTTP probe to detect that the service is UP and running without
2765 forwarding the request to a backend server. Note that the HTTP method, the
2766 version and all headers are ignored, but the request must at least be valid
2767 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2768
2769 Monitor requests are processed very early. It is not possible to block nor
2770 divert them using ACLs. They cannot be logged either, and it is the intended
2771 purpose. They are only used to report HAProxy's health to an upper component,
2772 nothing more. However, it is possible to add any number of conditions using
2773 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2774 can be imagined (most often the number of available servers in a backend).
2775
2776 Example :
2777 # Use /haproxy_test to report haproxy's status
2778 frontend www
2779 mode http
2780 monitor-uri /haproxy_test
2781
2782 See also : "monitor fail", "monitor-net"
2783
Willy Tarreau0ba27502007-12-24 16:55:16 +01002784
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002785option abortonclose
2786no option abortonclose
2787 Enable or disable early dropping of aborted requests pending in queues.
2788 May be used in sections : defaults | frontend | listen | backend
2789 yes | no | yes | yes
2790 Arguments : none
2791
2792 In presence of very high loads, the servers will take some time to respond.
2793 The per-instance connection queue will inflate, and the response time will
2794 increase respective to the size of the queue times the average per-session
2795 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002796 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002797 the queue, and slowing down other users, and the servers as well, because the
2798 request will eventually be served, then aborted at the first error
2799 encountered while delivering the response.
2800
2801 As there is no way to distinguish between a full STOP and a simple output
2802 close on the client side, HTTP agents should be conservative and consider
2803 that the client might only have closed its output channel while waiting for
2804 the response. However, this introduces risks of congestion when lots of users
2805 do the same, and is completely useless nowadays because probably no client at
2806 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002807 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002808 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002809 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002810 of being the single component to break rare but valid traffic is extremely
2811 low, which adds to the temptation to be able to abort a session early while
2812 still not served and not pollute the servers.
2813
2814 In HAProxy, the user can choose the desired behaviour using the option
2815 "abortonclose". By default (without the option) the behaviour is HTTP
2816 compliant and aborted requests will be served. But when the option is
2817 specified, a session with an incoming channel closed will be aborted while
2818 it is still possible, either pending in the queue for a connection slot, or
2819 during the connection establishment if the server has not yet acknowledged
2820 the connection request. This considerably reduces the queue size and the load
2821 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002822 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002823
2824 If this option has been enabled in a "defaults" section, it can be disabled
2825 in a specific instance by prepending the "no" keyword before it.
2826
2827 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2828
2829
Willy Tarreau4076a152009-04-02 15:18:36 +02002830option accept-invalid-http-request
2831no option accept-invalid-http-request
2832 Enable or disable relaxing of HTTP request parsing
2833 May be used in sections : defaults | frontend | listen | backend
2834 yes | yes | yes | no
2835 Arguments : none
2836
2837 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2838 means that invalid characters in header names are not permitted and cause an
2839 error to be returned to the client. This is the desired behaviour as such
2840 forbidden characters are essentially used to build attacks exploiting server
2841 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2842 server will emit invalid header names for whatever reason (configuration,
2843 implementation) and the issue will not be immediately fixed. In such a case,
2844 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01002845 even if that does not make sense, by specifying this option. Similarly, the
2846 list of characters allowed to appear in a URI is well defined by RFC3986, and
2847 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
2848 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
2849 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
2850 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02002851
2852 This option should never be enabled by default as it hides application bugs
2853 and open security breaches. It should only be deployed after a problem has
2854 been confirmed.
2855
2856 When this option is enabled, erroneous header names will still be accepted in
2857 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01002858 analysis using the "show errors" request on the UNIX stats socket. Similarly,
2859 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02002860 also helps confirming that the issue has been solved.
2861
2862 If this option has been enabled in a "defaults" section, it can be disabled
2863 in a specific instance by prepending the "no" keyword before it.
2864
2865 See also : "option accept-invalid-http-response" and "show errors" on the
2866 stats socket.
2867
2868
2869option accept-invalid-http-response
2870no option accept-invalid-http-response
2871 Enable or disable relaxing of HTTP response parsing
2872 May be used in sections : defaults | frontend | listen | backend
2873 yes | no | yes | yes
2874 Arguments : none
2875
2876 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2877 means that invalid characters in header names are not permitted and cause an
2878 error to be returned to the client. This is the desired behaviour as such
2879 forbidden characters are essentially used to build attacks exploiting server
2880 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2881 server will emit invalid header names for whatever reason (configuration,
2882 implementation) and the issue will not be immediately fixed. In such a case,
2883 it is possible to relax HAProxy's header name parser to accept any character
2884 even if that does not make sense, by specifying this option.
2885
2886 This option should never be enabled by default as it hides application bugs
2887 and open security breaches. It should only be deployed after a problem has
2888 been confirmed.
2889
2890 When this option is enabled, erroneous header names will still be accepted in
2891 responses, but the complete response will be captured in order to permit
2892 later analysis using the "show errors" request on the UNIX stats socket.
2893 Doing this also helps confirming that the issue has been solved.
2894
2895 If this option has been enabled in a "defaults" section, it can be disabled
2896 in a specific instance by prepending the "no" keyword before it.
2897
2898 See also : "option accept-invalid-http-request" and "show errors" on the
2899 stats socket.
2900
2901
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002902option allbackups
2903no option allbackups
2904 Use either all backup servers at a time or only the first one
2905 May be used in sections : defaults | frontend | listen | backend
2906 yes | no | yes | yes
2907 Arguments : none
2908
2909 By default, the first operational backup server gets all traffic when normal
2910 servers are all down. Sometimes, it may be preferred to use multiple backups
2911 at once, because one will not be enough. When "option allbackups" is enabled,
2912 the load balancing will be performed among all backup servers when all normal
2913 ones are unavailable. The same load balancing algorithm will be used and the
2914 servers' weights will be respected. Thus, there will not be any priority
2915 order between the backup servers anymore.
2916
2917 This option is mostly used with static server farms dedicated to return a
2918 "sorry" page when an application is completely offline.
2919
2920 If this option has been enabled in a "defaults" section, it can be disabled
2921 in a specific instance by prepending the "no" keyword before it.
2922
2923
2924option checkcache
2925no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002926 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002927 May be used in sections : defaults | frontend | listen | backend
2928 yes | no | yes | yes
2929 Arguments : none
2930
2931 Some high-level frameworks set application cookies everywhere and do not
2932 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002933 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002934 high risk of session crossing or stealing between users traversing the same
2935 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02002936 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002937
2938 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002939 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002940 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002941 response to check if there's a risk of caching a cookie on a client-side
2942 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002943 to the client are :
2944 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002945 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002946 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002947 - all those that come from a POST request, provided that the server has not
2948 set a 'Cache-Control: public' header ;
2949 - those with a 'Pragma: no-cache' header
2950 - those with a 'Cache-control: private' header
2951 - those with a 'Cache-control: no-store' header
2952 - those with a 'Cache-control: max-age=0' header
2953 - those with a 'Cache-control: s-maxage=0' header
2954 - those with a 'Cache-control: no-cache' header
2955 - those with a 'Cache-control: no-cache="set-cookie"' header
2956 - those with a 'Cache-control: no-cache="set-cookie,' header
2957 (allowing other fields after set-cookie)
2958
2959 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002960 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002961 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002962 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002963 that admins are informed that there's something to be fixed.
2964
2965 Due to the high impact on the application, the application should be tested
2966 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002967 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002968 production, as it will report potentially dangerous application behaviours.
2969
2970 If this option has been enabled in a "defaults" section, it can be disabled
2971 in a specific instance by prepending the "no" keyword before it.
2972
2973
2974option clitcpka
2975no option clitcpka
2976 Enable or disable the sending of TCP keepalive packets on the client side
2977 May be used in sections : defaults | frontend | listen | backend
2978 yes | yes | yes | no
2979 Arguments : none
2980
2981 When there is a firewall or any session-aware component between a client and
2982 a server, and when the protocol involves very long sessions with long idle
2983 periods (eg: remote desktops), there is a risk that one of the intermediate
2984 components decides to expire a session which has remained idle for too long.
2985
2986 Enabling socket-level TCP keep-alives makes the system regularly send packets
2987 to the other end of the connection, leaving it active. The delay between
2988 keep-alive probes is controlled by the system only and depends both on the
2989 operating system and its tuning parameters.
2990
2991 It is important to understand that keep-alive packets are neither emitted nor
2992 received at the application level. It is only the network stacks which sees
2993 them. For this reason, even if one side of the proxy already uses keep-alives
2994 to maintain its connection alive, those keep-alive packets will not be
2995 forwarded to the other side of the proxy.
2996
2997 Please note that this has nothing to do with HTTP keep-alive.
2998
2999 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
3000 client side of a connection, which should help when session expirations are
3001 noticed between HAProxy and a client.
3002
3003 If this option has been enabled in a "defaults" section, it can be disabled
3004 in a specific instance by prepending the "no" keyword before it.
3005
3006 See also : "option srvtcpka", "option tcpka"
3007
3008
Willy Tarreau0ba27502007-12-24 16:55:16 +01003009option contstats
3010 Enable continuous traffic statistics updates
3011 May be used in sections : defaults | frontend | listen | backend
3012 yes | yes | yes | no
3013 Arguments : none
3014
3015 By default, counters used for statistics calculation are incremented
3016 only when a session finishes. It works quite well when serving small
3017 objects, but with big ones (for example large images or archives) or
3018 with A/V streaming, a graph generated from haproxy counters looks like
3019 a hedgehog. With this option enabled counters get incremented continuously,
3020 during a whole session. Recounting touches a hotpath directly so
3021 it is not enabled by default, as it has small performance impact (~0.5%).
3022
3023
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003024option dontlog-normal
3025no option dontlog-normal
3026 Enable or disable logging of normal, successful connections
3027 May be used in sections : defaults | frontend | listen | backend
3028 yes | yes | yes | no
3029 Arguments : none
3030
3031 There are large sites dealing with several thousand connections per second
3032 and for which logging is a major pain. Some of them are even forced to turn
3033 logs off and cannot debug production issues. Setting this option ensures that
3034 normal connections, those which experience no error, no timeout, no retry nor
3035 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
3036 mode, the response status code is checked and return codes 5xx will still be
3037 logged.
3038
3039 It is strongly discouraged to use this option as most of the time, the key to
3040 complex issues is in the normal logs which will not be logged here. If you
3041 need to separate logs, see the "log-separate-errors" option instead.
3042
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003043 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003044 logging.
3045
3046
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003047option dontlognull
3048no option dontlognull
3049 Enable or disable logging of null connections
3050 May be used in sections : defaults | frontend | listen | backend
3051 yes | yes | yes | no
3052 Arguments : none
3053
3054 In certain environments, there are components which will regularly connect to
3055 various systems to ensure that they are still alive. It can be the case from
3056 another load balancer as well as from monitoring systems. By default, even a
3057 simple port probe or scan will produce a log. If those connections pollute
3058 the logs too much, it is possible to enable option "dontlognull" to indicate
3059 that a connection on which no data has been transferred will not be logged,
3060 which typically corresponds to those probes.
3061
3062 It is generally recommended not to use this option in uncontrolled
3063 environments (eg: internet), otherwise scans and other malicious activities
3064 would not be logged.
3065
3066 If this option has been enabled in a "defaults" section, it can be disabled
3067 in a specific instance by prepending the "no" keyword before it.
3068
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003069 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003070
3071
3072option forceclose
3073no option forceclose
3074 Enable or disable active connection closing after response is transferred.
3075 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01003076 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003077 Arguments : none
3078
3079 Some HTTP servers do not necessarily close the connections when they receive
3080 the "Connection: close" set by "option httpclose", and if the client does not
3081 close either, then the connection remains open till the timeout expires. This
3082 causes high number of simultaneous connections on the servers and shows high
3083 global session times in the logs.
3084
3085 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01003086 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003087 to respond. This option implicitly enables the "httpclose" option. Note that
3088 this option also enables the parsing of the full request and response, which
3089 means we can close the connection to the server very quickly, releasing some
3090 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003091
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003092 This option may also be combined with "option http-pretend-keepalive", which
3093 will disable sending of the "Connection: close" header, but will still cause
3094 the connection to be closed once the whole response is received.
3095
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003096 If this option has been enabled in a "defaults" section, it can be disabled
3097 in a specific instance by prepending the "no" keyword before it.
3098
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003099 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003100
3101
Willy Tarreau87cf5142011-08-19 22:57:24 +02003102option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003103 Enable insertion of the X-Forwarded-For header to requests sent to servers
3104 May be used in sections : defaults | frontend | listen | backend
3105 yes | yes | yes | yes
3106 Arguments :
3107 <network> is an optional argument used to disable this option for sources
3108 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02003109 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01003110 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003111
3112 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
3113 their client address. This is sometimes annoying when the client's IP address
3114 is expected in server logs. To solve this problem, the well-known HTTP header
3115 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
3116 This header contains a value representing the client's IP address. Since this
3117 header is always appended at the end of the existing header list, the server
3118 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02003119 the server's manual to find how to enable use of this standard header. Note
3120 that only the last occurrence of the header must be used, since it is really
3121 possible that the client has already brought one.
3122
Willy Tarreaud72758d2010-01-12 10:42:19 +01003123 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02003124 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01003125 have a "X-Forwarded-For" header from a different application (eg: stunnel),
3126 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02003127 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
3128 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01003129
3130 Sometimes, a same HAProxy instance may be shared between a direct client
3131 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3132 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3133 header for a known source address or network by adding the "except" keyword
3134 followed by the network address. In this case, any source IP matching the
3135 network will not cause an addition of this header. Most common uses are with
3136 private networks or 127.0.0.1.
3137
Willy Tarreau87cf5142011-08-19 22:57:24 +02003138 Alternatively, the keyword "if-none" states that the header will only be
3139 added if it is not present. This should only be used in perfectly trusted
3140 environment, as this might cause a security issue if headers reaching haproxy
3141 are under the control of the end-user.
3142
Willy Tarreauc27debf2008-01-06 08:57:02 +01003143 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02003144 least one of them uses it, the header will be added. Note that the backend's
3145 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02003146 both are defined. In the case of the "if-none" argument, if at least one of
3147 the frontend or the backend does not specify it, it wants the addition to be
3148 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003149
Willy Tarreau87cf5142011-08-19 22:57:24 +02003150 It is important to note that by default, HAProxy works in tunnel mode and
3151 only inspects the first request of a connection, meaning that only the first
3152 request will have the header appended, which is certainly not what you want.
3153 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3154 "http-server-close" options is set when using this option.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003155
Ross Westaf72a1d2008-08-03 10:51:45 +02003156 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01003157 # Public HTTP address also used by stunnel on the same machine
3158 frontend www
3159 mode http
3160 option forwardfor except 127.0.0.1 # stunnel already adds the header
3161
Ross Westaf72a1d2008-08-03 10:51:45 +02003162 # Those servers want the IP Address in X-Client
3163 backend www
3164 mode http
3165 option forwardfor header X-Client
3166
Willy Tarreau87cf5142011-08-19 22:57:24 +02003167 See also : "option httpclose", "option http-server-close",
3168 "option forceclose"
Willy Tarreauc27debf2008-01-06 08:57:02 +01003169
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003170
Willy Tarreau96e31212011-05-30 18:10:30 +02003171option http-no-delay
3172no option http-no-delay
3173 Instruct the system to favor low interactive delays over performance in HTTP
3174 May be used in sections : defaults | frontend | listen | backend
3175 yes | yes | yes | yes
3176 Arguments : none
3177
3178 In HTTP, each payload is unidirectional and has no notion of interactivity.
3179 Any agent is expected to queue data somewhat for a reasonably low delay.
3180 There are some very rare server-to-server applications that abuse the HTTP
3181 protocol and expect the payload phase to be highly interactive, with many
3182 interleaved data chunks in both directions within a single request. This is
3183 absolutely not supported by the HTTP specification and will not work across
3184 most proxies or servers. When such applications attempt to do this through
3185 haproxy, it works but they will experience high delays due to the network
3186 optimizations which favor performance by instructing the system to wait for
3187 enough data to be available in order to only send full packets. Typical
3188 delays are around 200 ms per round trip. Note that this only happens with
3189 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
3190 affected.
3191
3192 When "option http-no-delay" is present in either the frontend or the backend
3193 used by a connection, all such optimizations will be disabled in order to
3194 make the exchanges as fast as possible. Of course this offers no guarantee on
3195 the functionality, as it may break at any other place. But if it works via
3196 HAProxy, it will work as fast as possible. This option should never be used
3197 by default, and should never be used at all unless such a buggy application
3198 is discovered. The impact of using this option is an increase of bandwidth
3199 usage and CPU usage, which may significantly lower performance in high
3200 latency environments.
3201
3202
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003203option http-pretend-keepalive
3204no option http-pretend-keepalive
3205 Define whether haproxy will announce keepalive to the server or not
3206 May be used in sections : defaults | frontend | listen | backend
3207 yes | yes | yes | yes
3208 Arguments : none
3209
3210 When running with "option http-server-close" or "option forceclose", haproxy
3211 adds a "Connection: close" header to the request forwarded to the server.
3212 Unfortunately, when some servers see this header, they automatically refrain
3213 from using the chunked encoding for responses of unknown length, while this
3214 is totally unrelated. The immediate effect is that this prevents haproxy from
3215 maintaining the client connection alive. A second effect is that a client or
3216 a cache could receive an incomplete response without being aware of it, and
3217 consider the response complete.
3218
3219 By setting "option http-pretend-keepalive", haproxy will make the server
3220 believe it will keep the connection alive. The server will then not fall back
3221 to the abnormal undesired above. When haproxy gets the whole response, it
3222 will close the connection with the server just as it would do with the
3223 "forceclose" option. That way the client gets a normal response and the
3224 connection is correctly closed on the server side.
3225
3226 It is recommended not to enable this option by default, because most servers
3227 will more efficiently close the connection themselves after the last packet,
3228 and release its buffers slightly earlier. Also, the added packet on the
3229 network could slightly reduce the overall peak performance. However it is
3230 worth noting that when this option is enabled, haproxy will have slightly
3231 less work to do. So if haproxy is the bottleneck on the whole architecture,
3232 enabling this option might save a few CPU cycles.
3233
3234 This option may be set both in a frontend and in a backend. It is enabled if
3235 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003236 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02003237 keepalive to be announced to the server and close to be announced to the
3238 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003239
3240 If this option has been enabled in a "defaults" section, it can be disabled
3241 in a specific instance by prepending the "no" keyword before it.
3242
3243 See also : "option forceclose" and "option http-server-close"
3244
Willy Tarreauc27debf2008-01-06 08:57:02 +01003245
Willy Tarreaub608feb2010-01-02 22:47:18 +01003246option http-server-close
3247no option http-server-close
3248 Enable or disable HTTP connection closing on the server side
3249 May be used in sections : defaults | frontend | listen | backend
3250 yes | yes | yes | yes
3251 Arguments : none
3252
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003253 By default, when a client communicates with a server, HAProxy will only
3254 analyze, log, and process the first request of each connection. Setting
3255 "option http-server-close" enables HTTP connection-close mode on the server
3256 side while keeping the ability to support HTTP keep-alive and pipelining on
3257 the client side. This provides the lowest latency on the client side (slow
3258 network) and the fastest session reuse on the server side to save server
3259 resources, similarly to "option forceclose". It also permits non-keepalive
3260 capable servers to be served in keep-alive mode to the clients if they
3261 conform to the requirements of RFC2616. Please note that some servers do not
3262 always conform to those requirements when they see "Connection: close" in the
3263 request. The effect will be that keep-alive will never be used. A workaround
3264 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003265
3266 At the moment, logs will not indicate whether requests came from the same
3267 session or not. The accept date reported in the logs corresponds to the end
3268 of the previous request, and the request time corresponds to the time spent
3269 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01003270 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
3271 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01003272
3273 This option may be set both in a frontend and in a backend. It is enabled if
3274 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003275 It is worth noting that "option forceclose" has precedence over "option
3276 http-server-close" and that combining "http-server-close" with "httpclose"
3277 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003278
3279 If this option has been enabled in a "defaults" section, it can be disabled
3280 in a specific instance by prepending the "no" keyword before it.
3281
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003282 See also : "option forceclose", "option http-pretend-keepalive",
3283 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01003284
3285
Willy Tarreau88d349d2010-01-25 12:15:43 +01003286option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01003287no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01003288 Make use of non-standard Proxy-Connection header instead of Connection
3289 May be used in sections : defaults | frontend | listen | backend
3290 yes | yes | yes | no
3291 Arguments : none
3292
3293 While RFC2616 explicitly states that HTTP/1.1 agents must use the
3294 Connection header to indicate their wish of persistent or non-persistent
3295 connections, both browsers and proxies ignore this header for proxied
3296 connections and make use of the undocumented, non-standard Proxy-Connection
3297 header instead. The issue begins when trying to put a load balancer between
3298 browsers and such proxies, because there will be a difference between what
3299 haproxy understands and what the client and the proxy agree on.
3300
3301 By setting this option in a frontend, haproxy can automatically switch to use
3302 that non-standard header if it sees proxied requests. A proxied request is
3303 defined here as one where the URI begins with neither a '/' nor a '*'. The
3304 choice of header only affects requests passing through proxies making use of
3305 one of the "httpclose", "forceclose" and "http-server-close" options. Note
3306 that this option can only be specified in a frontend and will affect the
3307 request along its whole life.
3308
Willy Tarreau844a7e72010-01-31 21:46:18 +01003309 Also, when this option is set, a request which requires authentication will
3310 automatically switch to use proxy authentication headers if it is itself a
3311 proxied request. That makes it possible to check or enforce authentication in
3312 front of an existing proxy.
3313
Willy Tarreau88d349d2010-01-25 12:15:43 +01003314 This option should normally never be used, except in front of a proxy.
3315
3316 See also : "option httpclose", "option forceclose" and "option
3317 http-server-close".
3318
3319
Willy Tarreaud63335a2010-02-26 12:56:52 +01003320option httpchk
3321option httpchk <uri>
3322option httpchk <method> <uri>
3323option httpchk <method> <uri> <version>
3324 Enable HTTP protocol to check on the servers health
3325 May be used in sections : defaults | frontend | listen | backend
3326 yes | no | yes | yes
3327 Arguments :
3328 <method> is the optional HTTP method used with the requests. When not set,
3329 the "OPTIONS" method is used, as it generally requires low server
3330 processing and is easy to filter out from the logs. Any method
3331 may be used, though it is not recommended to invent non-standard
3332 ones.
3333
3334 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
3335 which is accessible by default on almost any server, but may be
3336 changed to any other URI. Query strings are permitted.
3337
3338 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
3339 but some servers might behave incorrectly in HTTP 1.0, so turning
3340 it to HTTP/1.1 may sometimes help. Note that the Host field is
3341 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
3342 after "\r\n" following the version string.
3343
3344 By default, server health checks only consist in trying to establish a TCP
3345 connection. When "option httpchk" is specified, a complete HTTP request is
3346 sent once the TCP connection is established, and responses 2xx and 3xx are
3347 considered valid, while all other ones indicate a server failure, including
3348 the lack of any response.
3349
3350 The port and interval are specified in the server configuration.
3351
3352 This option does not necessarily require an HTTP backend, it also works with
3353 plain TCP backends. This is particularly useful to check simple scripts bound
3354 to some dedicated ports using the inetd daemon.
3355
3356 Examples :
3357 # Relay HTTPS traffic to Apache instance and check service availability
3358 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
3359 backend https_relay
3360 mode tcp
3361 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
3362 server apache1 192.168.1.1:443 check port 80
3363
3364 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003365 "option pgsql-check", "http-check" and the "check", "port" and
3366 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01003367
3368
Willy Tarreauc27debf2008-01-06 08:57:02 +01003369option httpclose
3370no option httpclose
3371 Enable or disable passive HTTP connection closing
3372 May be used in sections : defaults | frontend | listen | backend
3373 yes | yes | yes | yes
3374 Arguments : none
3375
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003376 By default, when a client communicates with a server, HAProxy will only
3377 analyze, log, and process the first request of each connection. If "option
3378 httpclose" is set, it will check if a "Connection: close" header is already
3379 set in each direction, and will add one if missing. Each end should react to
3380 this by actively closing the TCP connection after each transfer, thus
3381 resulting in a switch to the HTTP close mode. Any "Connection" header
3382 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003383
3384 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003385 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003386 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
3387 it is possible to use the "option forceclose" which actively closes the
3388 request connection once the server responds. Option "forceclose" also
3389 releases the server connection earlier because it does not have to wait for
3390 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003391
3392 This option may be set both in a frontend and in a backend. It is enabled if
3393 at least one of the frontend or backend holding a connection has it enabled.
3394 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01003395 If "option http-server-close" is enabled at the same time as "httpclose", it
3396 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003397
3398 If this option has been enabled in a "defaults" section, it can be disabled
3399 in a specific instance by prepending the "no" keyword before it.
3400
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003401 See also : "option forceclose", "option http-server-close" and
3402 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003403
3404
Emeric Brun3a058f32009-06-30 18:26:00 +02003405option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003406 Enable logging of HTTP request, session state and timers
3407 May be used in sections : defaults | frontend | listen | backend
3408 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003409 Arguments :
3410 clf if the "clf" argument is added, then the output format will be
3411 the CLF format instead of HAProxy's default HTTP format. You can
3412 use this when you need to feed HAProxy's logs through a specific
3413 log analyser which only support the CLF format and which is not
3414 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003415
3416 By default, the log output format is very poor, as it only contains the
3417 source and destination addresses, and the instance name. By specifying
3418 "option httplog", each log line turns into a much richer format including,
3419 but not limited to, the HTTP request, the connection timers, the session
3420 status, the connections numbers, the captured headers and cookies, the
3421 frontend, backend and server name, and of course the source address and
3422 ports.
3423
3424 This option may be set either in the frontend or the backend.
3425
Emeric Brun3a058f32009-06-30 18:26:00 +02003426 If this option has been enabled in a "defaults" section, it can be disabled
3427 in a specific instance by prepending the "no" keyword before it. Specifying
3428 only "option httplog" will automatically clear the 'clf' mode if it was set
3429 by default.
3430
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003431 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003432
Willy Tarreau55165fe2009-05-10 12:02:55 +02003433
3434option http_proxy
3435no option http_proxy
3436 Enable or disable plain HTTP proxy mode
3437 May be used in sections : defaults | frontend | listen | backend
3438 yes | yes | yes | yes
3439 Arguments : none
3440
3441 It sometimes happens that people need a pure HTTP proxy which understands
3442 basic proxy requests without caching nor any fancy feature. In this case,
3443 it may be worth setting up an HAProxy instance with the "option http_proxy"
3444 set. In this mode, no server is declared, and the connection is forwarded to
3445 the IP address and port found in the URL after the "http://" scheme.
3446
3447 No host address resolution is performed, so this only works when pure IP
3448 addresses are passed. Since this option's usage perimeter is rather limited,
3449 it will probably be used only by experts who know they need exactly it. Last,
3450 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01003451 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02003452 be analyzed.
3453
3454 If this option has been enabled in a "defaults" section, it can be disabled
3455 in a specific instance by prepending the "no" keyword before it.
3456
3457 Example :
3458 # this backend understands HTTP proxy requests and forwards them directly.
3459 backend direct_forward
3460 option httpclose
3461 option http_proxy
3462
3463 See also : "option httpclose"
3464
Willy Tarreau211ad242009-10-03 21:45:07 +02003465
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003466option independent-streams
3467no option independent-streams
3468 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003469 May be used in sections : defaults | frontend | listen | backend
3470 yes | yes | yes | yes
3471 Arguments : none
3472
3473 By default, when data is sent over a socket, both the write timeout and the
3474 read timeout for that socket are refreshed, because we consider that there is
3475 activity on that socket, and we have no other means of guessing if we should
3476 receive data or not.
3477
3478 While this default behaviour is desirable for almost all applications, there
3479 exists a situation where it is desirable to disable it, and only refresh the
3480 read timeout if there are incoming data. This happens on sessions with large
3481 timeouts and low amounts of exchanged data such as telnet session. If the
3482 server suddenly disappears, the output data accumulates in the system's
3483 socket buffers, both timeouts are correctly refreshed, and there is no way
3484 to know the server does not receive them, so we don't timeout. However, when
3485 the underlying protocol always echoes sent data, it would be enough by itself
3486 to detect the issue using the read timeout. Note that this problem does not
3487 happen with more verbose protocols because data won't accumulate long in the
3488 socket buffers.
3489
3490 When this option is set on the frontend, it will disable read timeout updates
3491 on data sent to the client. There probably is little use of this case. When
3492 the option is set on the backend, it will disable read timeout updates on
3493 data sent to the server. Doing so will typically break large HTTP posts from
3494 slow lines, so use it with caution.
3495
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003496 Note: older versions used to call this setting "option independant-streams"
3497 with a spelling mistake. This spelling is still supported but
3498 deprecated.
3499
Willy Tarreauce887fd2012-05-12 12:50:00 +02003500 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003501
3502
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02003503option ldap-check
3504 Use LDAPv3 health checks for server testing
3505 May be used in sections : defaults | frontend | listen | backend
3506 yes | no | yes | yes
3507 Arguments : none
3508
3509 It is possible to test that the server correctly talks LDAPv3 instead of just
3510 testing that it accepts the TCP connection. When this option is set, an
3511 LDAPv3 anonymous simple bind message is sent to the server, and the response
3512 is analyzed to find an LDAPv3 bind response message.
3513
3514 The server is considered valid only when the LDAP response contains success
3515 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
3516
3517 Logging of bind requests is server dependent see your documentation how to
3518 configure it.
3519
3520 Example :
3521 option ldap-check
3522
3523 See also : "option httpchk"
3524
3525
Willy Tarreau211ad242009-10-03 21:45:07 +02003526option log-health-checks
3527no option log-health-checks
3528 Enable or disable logging of health checks
3529 May be used in sections : defaults | frontend | listen | backend
3530 yes | no | yes | yes
3531 Arguments : none
3532
3533 Enable health checks logging so it possible to check for example what
3534 was happening before a server crash. Failed health check are logged if
3535 server is UP and succeeded health checks if server is DOWN, so the amount
3536 of additional information is limited.
3537
3538 If health check logging is enabled no health check status is printed
3539 when servers is set up UP/DOWN/ENABLED/DISABLED.
3540
3541 See also: "log" and section 8 about logging.
3542
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003543
3544option log-separate-errors
3545no option log-separate-errors
3546 Change log level for non-completely successful connections
3547 May be used in sections : defaults | frontend | listen | backend
3548 yes | yes | yes | no
3549 Arguments : none
3550
3551 Sometimes looking for errors in logs is not easy. This option makes haproxy
3552 raise the level of logs containing potentially interesting information such
3553 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3554 level changes from "info" to "err". This makes it possible to log them
3555 separately to a different file with most syslog daemons. Be careful not to
3556 remove them from the original file, otherwise you would lose ordering which
3557 provides very important information.
3558
3559 Using this option, large sites dealing with several thousand connections per
3560 second may log normal traffic to a rotating buffer and only archive smaller
3561 error logs.
3562
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003563 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003564 logging.
3565
Willy Tarreauc27debf2008-01-06 08:57:02 +01003566
3567option logasap
3568no option logasap
3569 Enable or disable early logging of HTTP requests
3570 May be used in sections : defaults | frontend | listen | backend
3571 yes | yes | yes | no
3572 Arguments : none
3573
3574 By default, HTTP requests are logged upon termination so that the total
3575 transfer time and the number of bytes appear in the logs. When large objects
3576 are being transferred, it may take a while before the request appears in the
3577 logs. Using "option logasap", the request gets logged as soon as the server
3578 sends the complete headers. The only missing information in the logs will be
3579 the total number of bytes which will indicate everything except the amount
3580 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003581 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003582 "Content-Length" response header so that the logs at least indicate how many
3583 bytes are expected to be transferred.
3584
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003585 Examples :
3586 listen http_proxy 0.0.0.0:80
3587 mode http
3588 option httplog
3589 option logasap
3590 log 192.168.2.200 local3
3591
3592 >>> Feb 6 12:14:14 localhost \
3593 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3594 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3595 "GET /image.iso HTTP/1.0"
3596
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003597 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003598 logging.
3599
3600
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003601option mysql-check [ user <username> ]
3602 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003603 May be used in sections : defaults | frontend | listen | backend
3604 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003605 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003606 <username> This is the username which will be used when connecting to MySQL
3607 server.
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02003608
3609 If you specify a username, the check consists of sending two MySQL packet,
3610 one Client Authentication packet, and one QUIT packet, to correctly close
3611 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
3612 Error packet. It is a basic but useful test which does not produce error nor
3613 aborted connect on the server. However, it requires adding an authorization
3614 in the MySQL table, like this :
3615
3616 USE mysql;
3617 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
3618 FLUSH PRIVILEGES;
3619
3620 If you don't specify a username (it is deprecated and not recommended), the
3621 check only consists in parsing the Mysql Handshake Initialisation packet or
3622 Error packet, we don't send anything in this mode. It was reported that it
3623 can generate lockout if check is too frequent and/or if there is not enough
3624 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
3625 value as if a connection is established successfully within fewer than MySQL
3626 "max_connect_errors" attempts after a previous connection was interrupted,
3627 the error count for the host is cleared to zero. If HAProxy's server get
3628 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
3629
3630 Remember that this does not check database presence nor database consistency.
3631 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003632
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02003633 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003634
3635 Most often, an incoming MySQL server needs to see the client's IP address for
3636 various purposes, including IP privilege matching and connection logging.
3637 When possible, it is often wise to masquerade the client's IP address when
3638 connecting to the server using the "usesrc" argument of the "source" keyword,
3639 which requires the cttproxy feature to be compiled in, and the MySQL server
3640 to route the client via the machine hosting haproxy.
3641
3642 See also: "option httpchk"
3643
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003644option pgsql-check [ user <username> ]
3645 Use PostgreSQL health checks for server testing
3646 May be used in sections : defaults | frontend | listen | backend
3647 yes | no | yes | yes
3648 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003649 <username> This is the username which will be used when connecting to
3650 PostgreSQL server.
Rauf Kuliyev38b41562011-01-04 15:14:13 +01003651
3652 The check sends a PostgreSQL StartupMessage and waits for either
3653 Authentication request or ErrorResponse message. It is a basic but useful
3654 test which does not produce error nor aborted connect on the server.
3655 This check is identical with the "mysql-check".
3656
3657 See also: "option httpchk"
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003658
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003659option nolinger
3660no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003661 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003662 May be used in sections: defaults | frontend | listen | backend
3663 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003664 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003665
3666 When clients or servers abort connections in a dirty way (eg: they are
3667 physically disconnected), the session timeouts triggers and the session is
3668 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3669 using some resources and possibly limiting the ability to establish newer
3670 connections.
3671
3672 When this happens, it is possible to activate "option nolinger" which forces
3673 the system to immediately remove any socket's pending data on close. Thus,
3674 the session is instantly purged from the system's tables. This usually has
3675 side effects such as increased number of TCP resets due to old retransmits
3676 getting immediately rejected. Some firewalls may sometimes complain about
3677 this too.
3678
3679 For this reason, it is not recommended to use this option when not absolutely
3680 needed. You know that you need it when you have thousands of FIN_WAIT1
3681 sessions on your system (TIME_WAIT ones do not count).
3682
3683 This option may be used both on frontends and backends, depending on the side
3684 where it is required. Use it on the frontend for clients, and on the backend
3685 for servers.
3686
3687 If this option has been enabled in a "defaults" section, it can be disabled
3688 in a specific instance by prepending the "no" keyword before it.
3689
3690
Willy Tarreau55165fe2009-05-10 12:02:55 +02003691option originalto [ except <network> ] [ header <name> ]
3692 Enable insertion of the X-Original-To header to requests sent to servers
3693 May be used in sections : defaults | frontend | listen | backend
3694 yes | yes | yes | yes
3695 Arguments :
3696 <network> is an optional argument used to disable this option for sources
3697 matching <network>
3698 <name> an optional argument to specify a different "X-Original-To"
3699 header name.
3700
3701 Since HAProxy can work in transparent mode, every request from a client can
3702 be redirected to the proxy and HAProxy itself can proxy every request to a
3703 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3704 be lost. This is annoying when you want access rules based on destination ip
3705 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3706 added by HAProxy to all requests sent to the server. This header contains a
3707 value representing the original destination IP address. Since this must be
3708 configured to always use the last occurrence of this header only. Note that
3709 only the last occurrence of the header must be used, since it is really
3710 possible that the client has already brought one.
3711
3712 The keyword "header" may be used to supply a different header name to replace
3713 the default "X-Original-To". This can be useful where you might already
3714 have a "X-Original-To" header from a different application, and you need
3715 preserve it. Also if your backend server doesn't use the "X-Original-To"
3716 header and requires different one.
3717
3718 Sometimes, a same HAProxy instance may be shared between a direct client
3719 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3720 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3721 header for a known source address or network by adding the "except" keyword
3722 followed by the network address. In this case, any source IP matching the
3723 network will not cause an addition of this header. Most common uses are with
3724 private networks or 127.0.0.1.
3725
3726 This option may be specified either in the frontend or in the backend. If at
3727 least one of them uses it, the header will be added. Note that the backend's
3728 setting of the header subargument takes precedence over the frontend's if
3729 both are defined.
3730
Willy Tarreau87cf5142011-08-19 22:57:24 +02003731 It is important to note that by default, HAProxy works in tunnel mode and
3732 only inspects the first request of a connection, meaning that only the first
3733 request will have the header appended, which is certainly not what you want.
3734 In order to fix this, ensure that any of the "httpclose", "forceclose" or
3735 "http-server-close" options is set when using this option.
Willy Tarreau55165fe2009-05-10 12:02:55 +02003736
3737 Examples :
3738 # Original Destination address
3739 frontend www
3740 mode http
3741 option originalto except 127.0.0.1
3742
3743 # Those servers want the IP Address in X-Client-Dst
3744 backend www
3745 mode http
3746 option originalto header X-Client-Dst
3747
Willy Tarreau87cf5142011-08-19 22:57:24 +02003748 See also : "option httpclose", "option http-server-close",
3749 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02003750
3751
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003752option persist
3753no option persist
3754 Enable or disable forced persistence on down servers
3755 May be used in sections: defaults | frontend | listen | backend
3756 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003757 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003758
3759 When an HTTP request reaches a backend with a cookie which references a dead
3760 server, by default it is redispatched to another server. It is possible to
3761 force the request to be sent to the dead server first using "option persist"
3762 if absolutely needed. A common use case is when servers are under extreme
3763 load and spend their time flapping. In this case, the users would still be
3764 directed to the server they opened the session on, in the hope they would be
3765 correctly served. It is recommended to use "option redispatch" in conjunction
3766 with this option so that in the event it would not be possible to connect to
3767 the server at all (server definitely dead), the client would finally be
3768 redirected to another valid server.
3769
3770 If this option has been enabled in a "defaults" section, it can be disabled
3771 in a specific instance by prepending the "no" keyword before it.
3772
Willy Tarreau4de91492010-01-22 19:10:05 +01003773 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003774
3775
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003776option redispatch
3777no option redispatch
3778 Enable or disable session redistribution in case of connection failure
3779 May be used in sections: defaults | frontend | listen | backend
3780 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003781 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003782
3783 In HTTP mode, if a server designated by a cookie is down, clients may
3784 definitely stick to it because they cannot flush the cookie, so they will not
3785 be able to access the service anymore.
3786
3787 Specifying "option redispatch" will allow the proxy to break their
3788 persistence and redistribute them to a working server.
3789
3790 It also allows to retry last connection to another server in case of multiple
3791 connection failures. Of course, it requires having "retries" set to a nonzero
3792 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003793
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003794 This form is the preferred form, which replaces both the "redispatch" and
3795 "redisp" keywords.
3796
3797 If this option has been enabled in a "defaults" section, it can be disabled
3798 in a specific instance by prepending the "no" keyword before it.
3799
Willy Tarreau4de91492010-01-22 19:10:05 +01003800 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003801
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003802
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02003803option redis-check
3804 Use redis health checks for server testing
3805 May be used in sections : defaults | frontend | listen | backend
3806 yes | no | yes | yes
3807 Arguments : none
3808
3809 It is possible to test that the server correctly talks REDIS protocol instead
3810 of just testing that it accepts the TCP connection. When this option is set,
3811 a PING redis command is sent to the server, and the response is analyzed to
3812 find the "+PONG" response message.
3813
3814 Example :
3815 option redis-check
3816
3817 See also : "option httpchk"
3818
3819
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003820option smtpchk
3821option smtpchk <hello> <domain>
3822 Use SMTP health checks for server testing
3823 May be used in sections : defaults | frontend | listen | backend
3824 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003825 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003826 <hello> is an optional argument. It is the "hello" command to use. It can
3827 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3828 values will be turned into the default command ("HELO").
3829
3830 <domain> is the domain name to present to the server. It may only be
3831 specified (and is mandatory) if the hello command has been
3832 specified. By default, "localhost" is used.
3833
3834 When "option smtpchk" is set, the health checks will consist in TCP
3835 connections followed by an SMTP command. By default, this command is
3836 "HELO localhost". The server's return code is analyzed and only return codes
3837 starting with a "2" will be considered as valid. All other responses,
3838 including a lack of response will constitute an error and will indicate a
3839 dead server.
3840
3841 This test is meant to be used with SMTP servers or relays. Depending on the
3842 request, it is possible that some servers do not log each connection attempt,
3843 so you may want to experiment to improve the behaviour. Using telnet on port
3844 25 is often easier than adjusting the configuration.
3845
3846 Most often, an incoming SMTP server needs to see the client's IP address for
3847 various purposes, including spam filtering, anti-spoofing and logging. When
3848 possible, it is often wise to masquerade the client's IP address when
3849 connecting to the server using the "usesrc" argument of the "source" keyword,
3850 which requires the cttproxy feature to be compiled in.
3851
3852 Example :
3853 option smtpchk HELO mydomain.org
3854
3855 See also : "option httpchk", "source"
3856
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003857
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003858option socket-stats
3859no option socket-stats
3860
3861 Enable or disable collecting & providing separate statistics for each socket.
3862 May be used in sections : defaults | frontend | listen | backend
3863 yes | yes | yes | no
3864
3865 Arguments : none
3866
3867
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003868option splice-auto
3869no option splice-auto
3870 Enable or disable automatic kernel acceleration on sockets in both directions
3871 May be used in sections : defaults | frontend | listen | backend
3872 yes | yes | yes | yes
3873 Arguments : none
3874
3875 When this option is enabled either on a frontend or on a backend, haproxy
3876 will automatically evaluate the opportunity to use kernel tcp splicing to
3877 forward data between the client and the server, in either direction. Haproxy
3878 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003879 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003880 are not much aggressive in order to limit excessive use of splicing. This
3881 option requires splicing to be enabled at compile time, and may be globally
3882 disabled with the global option "nosplice". Since splice uses pipes, using it
3883 requires that there are enough spare pipes.
3884
3885 Important note: kernel-based TCP splicing is a Linux-specific feature which
3886 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3887 transfer data between sockets without copying these data to user-space, thus
3888 providing noticeable performance gains and CPU cycles savings. Since many
3889 early implementations are buggy, corrupt data and/or are inefficient, this
3890 feature is not enabled by default, and it should be used with extreme care.
3891 While it is not possible to detect the correctness of an implementation,
3892 2.6.29 is the first version offering a properly working implementation. In
3893 case of doubt, splicing may be globally disabled using the global "nosplice"
3894 keyword.
3895
3896 Example :
3897 option splice-auto
3898
3899 If this option has been enabled in a "defaults" section, it can be disabled
3900 in a specific instance by prepending the "no" keyword before it.
3901
3902 See also : "option splice-request", "option splice-response", and global
3903 options "nosplice" and "maxpipes"
3904
3905
3906option splice-request
3907no option splice-request
3908 Enable or disable automatic kernel acceleration on sockets for requests
3909 May be used in sections : defaults | frontend | listen | backend
3910 yes | yes | yes | yes
3911 Arguments : none
3912
3913 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003914 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003915 the client to the server. It might still use the recv/send scheme if there
3916 are no spare pipes left. This option requires splicing to be enabled at
3917 compile time, and may be globally disabled with the global option "nosplice".
3918 Since splice uses pipes, using it requires that there are enough spare pipes.
3919
3920 Important note: see "option splice-auto" for usage limitations.
3921
3922 Example :
3923 option splice-request
3924
3925 If this option has been enabled in a "defaults" section, it can be disabled
3926 in a specific instance by prepending the "no" keyword before it.
3927
3928 See also : "option splice-auto", "option splice-response", and global options
3929 "nosplice" and "maxpipes"
3930
3931
3932option splice-response
3933no option splice-response
3934 Enable or disable automatic kernel acceleration on sockets for responses
3935 May be used in sections : defaults | frontend | listen | backend
3936 yes | yes | yes | yes
3937 Arguments : none
3938
3939 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003940 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003941 the server to the client. It might still use the recv/send scheme if there
3942 are no spare pipes left. This option requires splicing to be enabled at
3943 compile time, and may be globally disabled with the global option "nosplice".
3944 Since splice uses pipes, using it requires that there are enough spare pipes.
3945
3946 Important note: see "option splice-auto" for usage limitations.
3947
3948 Example :
3949 option splice-response
3950
3951 If this option has been enabled in a "defaults" section, it can be disabled
3952 in a specific instance by prepending the "no" keyword before it.
3953
3954 See also : "option splice-auto", "option splice-request", and global options
3955 "nosplice" and "maxpipes"
3956
3957
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003958option srvtcpka
3959no option srvtcpka
3960 Enable or disable the sending of TCP keepalive packets on the server side
3961 May be used in sections : defaults | frontend | listen | backend
3962 yes | no | yes | yes
3963 Arguments : none
3964
3965 When there is a firewall or any session-aware component between a client and
3966 a server, and when the protocol involves very long sessions with long idle
3967 periods (eg: remote desktops), there is a risk that one of the intermediate
3968 components decides to expire a session which has remained idle for too long.
3969
3970 Enabling socket-level TCP keep-alives makes the system regularly send packets
3971 to the other end of the connection, leaving it active. The delay between
3972 keep-alive probes is controlled by the system only and depends both on the
3973 operating system and its tuning parameters.
3974
3975 It is important to understand that keep-alive packets are neither emitted nor
3976 received at the application level. It is only the network stacks which sees
3977 them. For this reason, even if one side of the proxy already uses keep-alives
3978 to maintain its connection alive, those keep-alive packets will not be
3979 forwarded to the other side of the proxy.
3980
3981 Please note that this has nothing to do with HTTP keep-alive.
3982
3983 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
3984 server side of a connection, which should help when session expirations are
3985 noticed between HAProxy and a server.
3986
3987 If this option has been enabled in a "defaults" section, it can be disabled
3988 in a specific instance by prepending the "no" keyword before it.
3989
3990 See also : "option clitcpka", "option tcpka"
3991
3992
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003993option ssl-hello-chk
3994 Use SSLv3 client hello health checks for server testing
3995 May be used in sections : defaults | frontend | listen | backend
3996 yes | no | yes | yes
3997 Arguments : none
3998
3999 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
4000 possible to test that the server correctly talks SSL instead of just testing
4001 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
4002 SSLv3 client hello messages are sent once the connection is established to
4003 the server, and the response is analyzed to find an SSL server hello message.
4004 The server is considered valid only when the response contains this server
4005 hello message.
4006
4007 All servers tested till there correctly reply to SSLv3 client hello messages,
4008 and most servers tested do not even log the requests containing only hello
4009 messages, which is appreciable.
4010
Willy Tarreau763a95b2012-10-04 23:15:39 +02004011 Note that this check works even when SSL support was not built into haproxy
4012 because it forges the SSL message. When SSL support is available, it is best
4013 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004014
Willy Tarreau763a95b2012-10-04 23:15:39 +02004015 See also: "option httpchk", "check-ssl"
4016
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004017
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004018option tcp-smart-accept
4019no option tcp-smart-accept
4020 Enable or disable the saving of one ACK packet during the accept sequence
4021 May be used in sections : defaults | frontend | listen | backend
4022 yes | yes | yes | no
4023 Arguments : none
4024
4025 When an HTTP connection request comes in, the system acknowledges it on
4026 behalf of HAProxy, then the client immediately sends its request, and the
4027 system acknowledges it too while it is notifying HAProxy about the new
4028 connection. HAProxy then reads the request and responds. This means that we
4029 have one TCP ACK sent by the system for nothing, because the request could
4030 very well be acknowledged by HAProxy when it sends its response.
4031
4032 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
4033 sending this useless ACK on platforms which support it (currently at least
4034 Linux). It must not cause any problem, because the system will send it anyway
4035 after 40 ms if the response takes more time than expected to come.
4036
4037 During complex network debugging sessions, it may be desirable to disable
4038 this optimization because delayed ACKs can make troubleshooting more complex
4039 when trying to identify where packets are delayed. It is then possible to
4040 fall back to normal behaviour by specifying "no option tcp-smart-accept".
4041
4042 It is also possible to force it for non-HTTP proxies by simply specifying
4043 "option tcp-smart-accept". For instance, it can make sense with some services
4044 such as SMTP where the server speaks first.
4045
4046 It is recommended to avoid forcing this option in a defaults section. In case
4047 of doubt, consider setting it back to automatic values by prepending the
4048 "default" keyword before it, or disabling it using the "no" keyword.
4049
Willy Tarreaud88edf22009-06-14 15:48:17 +02004050 See also : "option tcp-smart-connect"
4051
4052
4053option tcp-smart-connect
4054no option tcp-smart-connect
4055 Enable or disable the saving of one ACK packet during the connect sequence
4056 May be used in sections : defaults | frontend | listen | backend
4057 yes | no | yes | yes
4058 Arguments : none
4059
4060 On certain systems (at least Linux), HAProxy can ask the kernel not to
4061 immediately send an empty ACK upon a connection request, but to directly
4062 send the buffer request instead. This saves one packet on the network and
4063 thus boosts performance. It can also be useful for some servers, because they
4064 immediately get the request along with the incoming connection.
4065
4066 This feature is enabled when "option tcp-smart-connect" is set in a backend.
4067 It is not enabled by default because it makes network troubleshooting more
4068 complex.
4069
4070 It only makes sense to enable it with protocols where the client speaks first
4071 such as HTTP. In other situations, if there is no data to send in place of
4072 the ACK, a normal ACK is sent.
4073
4074 If this option has been enabled in a "defaults" section, it can be disabled
4075 in a specific instance by prepending the "no" keyword before it.
4076
4077 See also : "option tcp-smart-accept"
4078
Willy Tarreau9ea05a72009-06-14 12:07:01 +02004079
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004080option tcpka
4081 Enable or disable the sending of TCP keepalive packets on both sides
4082 May be used in sections : defaults | frontend | listen | backend
4083 yes | yes | yes | yes
4084 Arguments : none
4085
4086 When there is a firewall or any session-aware component between a client and
4087 a server, and when the protocol involves very long sessions with long idle
4088 periods (eg: remote desktops), there is a risk that one of the intermediate
4089 components decides to expire a session which has remained idle for too long.
4090
4091 Enabling socket-level TCP keep-alives makes the system regularly send packets
4092 to the other end of the connection, leaving it active. The delay between
4093 keep-alive probes is controlled by the system only and depends both on the
4094 operating system and its tuning parameters.
4095
4096 It is important to understand that keep-alive packets are neither emitted nor
4097 received at the application level. It is only the network stacks which sees
4098 them. For this reason, even if one side of the proxy already uses keep-alives
4099 to maintain its connection alive, those keep-alive packets will not be
4100 forwarded to the other side of the proxy.
4101
4102 Please note that this has nothing to do with HTTP keep-alive.
4103
4104 Using option "tcpka" enables the emission of TCP keep-alive probes on both
4105 the client and server sides of a connection. Note that this is meaningful
4106 only in "defaults" or "listen" sections. If this option is used in a
4107 frontend, only the client side will get keep-alives, and if this option is
4108 used in a backend, only the server side will get keep-alives. For this
4109 reason, it is strongly recommended to explicitly use "option clitcpka" and
4110 "option srvtcpka" when the configuration is split between frontends and
4111 backends.
4112
4113 See also : "option clitcpka", "option srvtcpka"
4114
Willy Tarreau844e3c52008-01-11 16:28:18 +01004115
4116option tcplog
4117 Enable advanced logging of TCP connections with session state and timers
4118 May be used in sections : defaults | frontend | listen | backend
4119 yes | yes | yes | yes
4120 Arguments : none
4121
4122 By default, the log output format is very poor, as it only contains the
4123 source and destination addresses, and the instance name. By specifying
4124 "option tcplog", each log line turns into a much richer format including, but
4125 not limited to, the connection timers, the session status, the connections
4126 numbers, the frontend, backend and server name, and of course the source
4127 address and ports. This option is useful for pure TCP proxies in order to
4128 find which of the client or server disconnects or times out. For normal HTTP
4129 proxies, it's better to use "option httplog" which is even more complete.
4130
4131 This option may be set either in the frontend or the backend.
4132
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004133 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004134
4135
Willy Tarreau844e3c52008-01-11 16:28:18 +01004136option transparent
4137no option transparent
4138 Enable client-side transparent proxying
4139 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01004140 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01004141 Arguments : none
4142
4143 This option was introduced in order to provide layer 7 persistence to layer 3
4144 load balancers. The idea is to use the OS's ability to redirect an incoming
4145 connection for a remote address to a local process (here HAProxy), and let
4146 this process know what address was initially requested. When this option is
4147 used, sessions without cookies will be forwarded to the original destination
4148 IP address of the incoming request (which should match that of another
4149 equipment), while requests with cookies will still be forwarded to the
4150 appropriate server.
4151
4152 Note that contrary to a common belief, this option does NOT make HAProxy
4153 present the client's IP to the server when establishing the connection.
4154
Willy Tarreaua1146052011-03-01 09:51:54 +01004155 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004156 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01004157
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004158
Emeric Brun647caf12009-06-30 17:57:00 +02004159persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02004160persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02004161 Enable RDP cookie-based persistence
4162 May be used in sections : defaults | frontend | listen | backend
4163 yes | no | yes | yes
4164 Arguments :
4165 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02004166 default cookie name "msts" will be used. There currently is no
4167 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02004168
4169 This statement enables persistence based on an RDP cookie. The RDP cookie
4170 contains all information required to find the server in the list of known
4171 servers. So when this option is set in the backend, the request is analysed
4172 and if an RDP cookie is found, it is decoded. If it matches a known server
4173 which is still UP (or if "option persist" is set), then the connection is
4174 forwarded to this server.
4175
4176 Note that this only makes sense in a TCP backend, but for this to work, the
4177 frontend must have waited long enough to ensure that an RDP cookie is present
4178 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004179 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02004180 a single "listen" section.
4181
Willy Tarreau61e28f22010-05-16 22:31:05 +02004182 Also, it is important to understand that the terminal server will emit this
4183 RDP cookie only if it is configured for "token redirection mode", which means
4184 that the "IP address redirection" option is disabled.
4185
Emeric Brun647caf12009-06-30 17:57:00 +02004186 Example :
4187 listen tse-farm
4188 bind :3389
4189 # wait up to 5s for an RDP cookie in the request
4190 tcp-request inspect-delay 5s
4191 tcp-request content accept if RDP_COOKIE
4192 # apply RDP cookie persistence
4193 persist rdp-cookie
4194 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02004195 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02004196 balance rdp-cookie
4197 server srv1 1.1.1.1:3389
4198 server srv2 1.1.1.2:3389
4199
Simon Hormanab814e02011-06-24 14:50:20 +09004200 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
4201 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02004202
4203
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004204rate-limit sessions <rate>
4205 Set a limit on the number of new sessions accepted per second on a frontend
4206 May be used in sections : defaults | frontend | listen | backend
4207 yes | yes | yes | no
4208 Arguments :
4209 <rate> The <rate> parameter is an integer designating the maximum number
4210 of new sessions per second to accept on the frontend.
4211
4212 When the frontend reaches the specified number of new sessions per second, it
4213 stops accepting new connections until the rate drops below the limit again.
4214 During this time, the pending sessions will be kept in the socket's backlog
4215 (in system buffers) and haproxy will not even be aware that sessions are
4216 pending. When applying very low limit on a highly loaded service, it may make
4217 sense to increase the socket's backlog using the "backlog" keyword.
4218
4219 This feature is particularly efficient at blocking connection-based attacks
4220 or service abuse on fragile servers. Since the session rate is measured every
4221 millisecond, it is extremely accurate. Also, the limit applies immediately,
4222 no delay is needed at all to detect the threshold.
4223
4224 Example : limit the connection rate on SMTP to 10 per second max
4225 listen smtp
4226 mode tcp
4227 bind :25
4228 rate-limit sessions 10
4229 server 127.0.0.1:1025
4230
Willy Tarreaua17c2d92011-07-25 08:16:20 +02004231 Note : when the maximum rate is reached, the frontend's status is not changed
4232 but its sockets appear as "WAITING" in the statistics if the
4233 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01004234
4235 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
4236
4237
Willy Tarreau2e1dca82012-09-12 08:43:15 +02004238redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
4239redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
4240redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004241 Return an HTTP redirection if/unless a condition is matched
4242 May be used in sections : defaults | frontend | listen | backend
4243 no | yes | yes | yes
4244
4245 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01004246 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004247
Willy Tarreau0140f252008-11-19 21:07:09 +01004248 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02004249 <loc> With "redirect location", the exact value in <loc> is placed into
4250 the HTTP "Location" header.
4251
4252 <pfx> With "redirect prefix", the "Location" header is built from the
4253 concatenation of <pfx> and the complete URI path, including the
4254 query string, unless the "drop-query" option is specified (see
4255 below). As a special case, if <pfx> equals exactly "/", then
4256 nothing is inserted before the original URI. It allows one to
4257 redirect to the same URL (for instance, to insert a cookie).
4258
4259 <sch> With "redirect scheme", then the "Location" header is built by
4260 concatenating <sch> with "://" then the first occurrence of the
4261 "Host" header, and then the URI path, including the query string
4262 unless the "drop-query" option is specified (see below). If no
4263 path is found or if the path is "*", then "/" is used instead. If
4264 no "Host" header is found, then an empty host component will be
4265 returned, which most recent browsers interprete as redirecting to
4266 the same host. This directive is mostly used to redirect HTTP to
4267 HTTPS.
Willy Tarreau0140f252008-11-19 21:07:09 +01004268
4269 <code> The code is optional. It indicates which type of HTTP redirection
4270 is desired. Only codes 301, 302 and 303 are supported, and 302 is
4271 used if no code is specified. 301 means "Moved permanently", and
4272 a browser may cache the Location. 302 means "Moved permanently"
4273 and means that the browser should not cache the redirection. 303
4274 is equivalent to 302 except that the browser will fetch the
4275 location with a GET method.
4276
4277 <option> There are several options which can be specified to adjust the
4278 expected behaviour of a redirection :
4279
4280 - "drop-query"
4281 When this keyword is used in a prefix-based redirection, then the
4282 location will be set without any possible query-string, which is useful
4283 for directing users to a non-secure page for instance. It has no effect
4284 with a location-type redirect.
4285
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004286 - "append-slash"
4287 This keyword may be used in conjunction with "drop-query" to redirect
4288 users who use a URL not ending with a '/' to the same one with the '/'.
4289 It can be useful to ensure that search engines will only see one URL.
4290 For this, a return code 301 is preferred.
4291
Willy Tarreau0140f252008-11-19 21:07:09 +01004292 - "set-cookie NAME[=value]"
4293 A "Set-Cookie" header will be added with NAME (and optionally "=value")
4294 to the response. This is sometimes used to indicate that a user has
4295 been seen, for instance to protect against some types of DoS. No other
4296 cookie option is added, so the cookie will be a session cookie. Note
4297 that for a browser, a sole cookie name without an equal sign is
4298 different from a cookie with an equal sign.
4299
4300 - "clear-cookie NAME[=]"
4301 A "Set-Cookie" header will be added with NAME (and optionally "="), but
4302 with the "Max-Age" attribute set to zero. This will tell the browser to
4303 delete this cookie. It is useful for instance on logout pages. It is
4304 important to note that clearing the cookie "NAME" will not remove a
4305 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
4306 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004307
4308 Example: move the login URL only to HTTPS.
4309 acl clear dst_port 80
4310 acl secure dst_port 8080
4311 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01004312 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01004313 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01004314 acl cookie_set hdr_sub(cookie) SEEN=1
4315
4316 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01004317 redirect prefix https://mysite.com if login_page !secure
4318 redirect prefix http://mysite.com drop-query if login_page !uid_given
4319 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01004320 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004321
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01004322 Example: send redirects for request for articles without a '/'.
4323 acl missing_slash path_reg ^/article/[^/]*$
4324 redirect code 301 prefix / drop-query append-slash if missing_slash
4325
Willy Tarreau2e1dca82012-09-12 08:43:15 +02004326 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
4327 redirect scheme https if !{ is_ssl }
4328
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004329 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02004330
4331
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004332redisp (deprecated)
4333redispatch (deprecated)
4334 Enable or disable session redistribution in case of connection failure
4335 May be used in sections: defaults | frontend | listen | backend
4336 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004337 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004338
4339 In HTTP mode, if a server designated by a cookie is down, clients may
4340 definitely stick to it because they cannot flush the cookie, so they will not
4341 be able to access the service anymore.
4342
4343 Specifying "redispatch" will allow the proxy to break their persistence and
4344 redistribute them to a working server.
4345
4346 It also allows to retry last connection to another server in case of multiple
4347 connection failures. Of course, it requires having "retries" set to a nonzero
4348 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01004349
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004350 This form is deprecated, do not use it in any new configuration, use the new
4351 "option redispatch" instead.
4352
4353 See also : "option redispatch"
4354
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004355
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004356reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004357 Add a header at the end of the HTTP request
4358 May be used in sections : defaults | frontend | listen | backend
4359 no | yes | yes | yes
4360 Arguments :
4361 <string> is the complete line to be added. Any space or known delimiter
4362 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004363 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004364
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004365 <cond> is an optional matching condition built from ACLs. It makes it
4366 possible to ignore this rule when other conditions are not met.
4367
Willy Tarreau303c0352008-01-17 19:01:39 +01004368 A new line consisting in <string> followed by a line feed will be added after
4369 the last header of an HTTP request.
4370
4371 Header transformations only apply to traffic which passes through HAProxy,
4372 and not to traffic generated by HAProxy, such as health-checks or error
4373 responses.
4374
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01004375 Example : add "X-Proto: SSL" to requests coming via port 81
4376 acl is-ssl dst_port 81
4377 reqadd X-Proto:\ SSL if is-ssl
4378
4379 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
4380 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004381
4382
Willy Tarreau5321c422010-01-28 20:35:13 +01004383reqallow <search> [{if | unless} <cond>]
4384reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004385 Definitely allow an HTTP request if a line matches a regular expression
4386 May be used in sections : defaults | frontend | listen | backend
4387 no | yes | yes | yes
4388 Arguments :
4389 <search> is the regular expression applied to HTTP headers and to the
4390 request line. This is an extended regular expression. Parenthesis
4391 grouping is supported and no preliminary backslash is required.
4392 Any space or known delimiter must be escaped using a backslash
4393 ('\'). The pattern applies to a full line at a time. The
4394 "reqallow" keyword strictly matches case while "reqiallow"
4395 ignores case.
4396
Willy Tarreau5321c422010-01-28 20:35:13 +01004397 <cond> is an optional matching condition built from ACLs. It makes it
4398 possible to ignore this rule when other conditions are not met.
4399
Willy Tarreau303c0352008-01-17 19:01:39 +01004400 A request containing any line which matches extended regular expression
4401 <search> will mark the request as allowed, even if any later test would
4402 result in a deny. The test applies both to the request line and to request
4403 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004404 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004405
4406 It is easier, faster and more powerful to use ACLs to write access policies.
4407 Reqdeny, reqallow and reqpass should be avoided in new designs.
4408
4409 Example :
4410 # allow www.* but refuse *.local
4411 reqiallow ^Host:\ www\.
4412 reqideny ^Host:\ .*\.local
4413
Willy Tarreau5321c422010-01-28 20:35:13 +01004414 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
4415 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004416
4417
Willy Tarreau5321c422010-01-28 20:35:13 +01004418reqdel <search> [{if | unless} <cond>]
4419reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004420 Delete all headers matching a regular expression in an HTTP request
4421 May be used in sections : defaults | frontend | listen | backend
4422 no | yes | yes | yes
4423 Arguments :
4424 <search> is the regular expression applied to HTTP headers and to the
4425 request line. This is an extended regular expression. Parenthesis
4426 grouping is supported and no preliminary backslash is required.
4427 Any space or known delimiter must be escaped using a backslash
4428 ('\'). The pattern applies to a full line at a time. The "reqdel"
4429 keyword strictly matches case while "reqidel" ignores case.
4430
Willy Tarreau5321c422010-01-28 20:35:13 +01004431 <cond> is an optional matching condition built from ACLs. It makes it
4432 possible to ignore this rule when other conditions are not met.
4433
Willy Tarreau303c0352008-01-17 19:01:39 +01004434 Any header line matching extended regular expression <search> in the request
4435 will be completely deleted. Most common use of this is to remove unwanted
4436 and/or dangerous headers or cookies from a request before passing it to the
4437 next servers.
4438
4439 Header transformations only apply to traffic which passes through HAProxy,
4440 and not to traffic generated by HAProxy, such as health-checks or error
4441 responses. Keep in mind that header names are not case-sensitive.
4442
4443 Example :
4444 # remove X-Forwarded-For header and SERVER cookie
4445 reqidel ^X-Forwarded-For:.*
4446 reqidel ^Cookie:.*SERVER=
4447
Willy Tarreau5321c422010-01-28 20:35:13 +01004448 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
4449 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004450
4451
Willy Tarreau5321c422010-01-28 20:35:13 +01004452reqdeny <search> [{if | unless} <cond>]
4453reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004454 Deny an HTTP request if a line matches a regular expression
4455 May be used in sections : defaults | frontend | listen | backend
4456 no | yes | yes | yes
4457 Arguments :
4458 <search> is the regular expression applied to HTTP headers and to the
4459 request line. This is an extended regular expression. Parenthesis
4460 grouping is supported and no preliminary backslash is required.
4461 Any space or known delimiter must be escaped using a backslash
4462 ('\'). The pattern applies to a full line at a time. The
4463 "reqdeny" keyword strictly matches case while "reqideny" ignores
4464 case.
4465
Willy Tarreau5321c422010-01-28 20:35:13 +01004466 <cond> is an optional matching condition built from ACLs. It makes it
4467 possible to ignore this rule when other conditions are not met.
4468
Willy Tarreau303c0352008-01-17 19:01:39 +01004469 A request containing any line which matches extended regular expression
4470 <search> will mark the request as denied, even if any later test would
4471 result in an allow. The test applies both to the request line and to request
4472 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01004473 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01004474
Willy Tarreauced27012008-01-17 20:35:34 +01004475 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004476 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01004477 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01004478
Willy Tarreau303c0352008-01-17 19:01:39 +01004479 It is easier, faster and more powerful to use ACLs to write access policies.
4480 Reqdeny, reqallow and reqpass should be avoided in new designs.
4481
4482 Example :
4483 # refuse *.local, then allow www.*
4484 reqideny ^Host:\ .*\.local
4485 reqiallow ^Host:\ www\.
4486
Willy Tarreau5321c422010-01-28 20:35:13 +01004487 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4488 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004489
4490
Willy Tarreau5321c422010-01-28 20:35:13 +01004491reqpass <search> [{if | unless} <cond>]
4492reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004493 Ignore any HTTP request line matching a regular expression in next rules
4494 May be used in sections : defaults | frontend | listen | backend
4495 no | yes | yes | yes
4496 Arguments :
4497 <search> is the regular expression applied to HTTP headers and to the
4498 request line. This is an extended regular expression. Parenthesis
4499 grouping is supported and no preliminary backslash is required.
4500 Any space or known delimiter must be escaped using a backslash
4501 ('\'). The pattern applies to a full line at a time. The
4502 "reqpass" keyword strictly matches case while "reqipass" ignores
4503 case.
4504
Willy Tarreau5321c422010-01-28 20:35:13 +01004505 <cond> is an optional matching condition built from ACLs. It makes it
4506 possible to ignore this rule when other conditions are not met.
4507
Willy Tarreau303c0352008-01-17 19:01:39 +01004508 A request containing any line which matches extended regular expression
4509 <search> will skip next rules, without assigning any deny or allow verdict.
4510 The test applies both to the request line and to request headers. Keep in
4511 mind that URLs in request line are case-sensitive while header names are not.
4512
4513 It is easier, faster and more powerful to use ACLs to write access policies.
4514 Reqdeny, reqallow and reqpass should be avoided in new designs.
4515
4516 Example :
4517 # refuse *.local, then allow www.*, but ignore "www.private.local"
4518 reqipass ^Host:\ www.private\.local
4519 reqideny ^Host:\ .*\.local
4520 reqiallow ^Host:\ www\.
4521
Willy Tarreau5321c422010-01-28 20:35:13 +01004522 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4523 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004524
4525
Willy Tarreau5321c422010-01-28 20:35:13 +01004526reqrep <search> <string> [{if | unless} <cond>]
4527reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004528 Replace a regular expression with a string in an HTTP request line
4529 May be used in sections : defaults | frontend | listen | backend
4530 no | yes | yes | yes
4531 Arguments :
4532 <search> is the regular expression applied to HTTP headers and to the
4533 request line. This is an extended regular expression. Parenthesis
4534 grouping is supported and no preliminary backslash is required.
4535 Any space or known delimiter must be escaped using a backslash
4536 ('\'). The pattern applies to a full line at a time. The "reqrep"
4537 keyword strictly matches case while "reqirep" ignores case.
4538
4539 <string> is the complete line to be added. Any space or known delimiter
4540 must be escaped using a backslash ('\'). References to matched
4541 pattern groups are possible using the common \N form, with N
4542 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004543 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004544
Willy Tarreau5321c422010-01-28 20:35:13 +01004545 <cond> is an optional matching condition built from ACLs. It makes it
4546 possible to ignore this rule when other conditions are not met.
4547
Willy Tarreau303c0352008-01-17 19:01:39 +01004548 Any line matching extended regular expression <search> in the request (both
4549 the request line and header lines) will be completely replaced with <string>.
4550 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4551
4552 Header transformations only apply to traffic which passes through HAProxy,
4553 and not to traffic generated by HAProxy, such as health-checks or error
4554 responses. Note that for increased readability, it is suggested to add enough
4555 spaces between the request and the response. Keep in mind that URLs in
4556 request line are case-sensitive while header names are not.
4557
4558 Example :
4559 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04004560 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01004561 # replace "www.mydomain.com" with "www" in the host name.
4562 reqirep ^Host:\ www.mydomain.com Host:\ www
4563
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04004564 See also: "reqadd", "reqdel", "rsprep", "tune.bufsize", section 6 about
4565 HTTP header manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004566
4567
Willy Tarreau5321c422010-01-28 20:35:13 +01004568reqtarpit <search> [{if | unless} <cond>]
4569reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004570 Tarpit an HTTP request containing a line matching a regular expression
4571 May be used in sections : defaults | frontend | listen | backend
4572 no | yes | yes | yes
4573 Arguments :
4574 <search> is the regular expression applied to HTTP headers and to the
4575 request line. This is an extended regular expression. Parenthesis
4576 grouping is supported and no preliminary backslash is required.
4577 Any space or known delimiter must be escaped using a backslash
4578 ('\'). The pattern applies to a full line at a time. The
4579 "reqtarpit" keyword strictly matches case while "reqitarpit"
4580 ignores case.
4581
Willy Tarreau5321c422010-01-28 20:35:13 +01004582 <cond> is an optional matching condition built from ACLs. It makes it
4583 possible to ignore this rule when other conditions are not met.
4584
Willy Tarreau303c0352008-01-17 19:01:39 +01004585 A request containing any line which matches extended regular expression
4586 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004587 be kept open for a pre-defined time, then will return an HTTP error 500 so
4588 that the attacker does not suspect it has been tarpitted. The status 500 will
4589 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004590 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4591 not set.
4592
4593 The goal of the tarpit is to slow down robots attacking servers with
4594 identifiable requests. Many robots limit their outgoing number of connections
4595 and stay connected waiting for a reply which can take several minutes to
4596 come. Depending on the environment and attack, it may be particularly
4597 efficient at reducing the load on the network and firewalls.
4598
Willy Tarreau5321c422010-01-28 20:35:13 +01004599 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004600 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4601 # block all others.
4602 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4603 reqitarpit ^User-Agent:
4604
Willy Tarreau5321c422010-01-28 20:35:13 +01004605 # block bad guys
4606 acl badguys src 10.1.0.3 172.16.13.20/28
4607 reqitarpit . if badguys
4608
4609 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4610 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004611
4612
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004613retries <value>
4614 Set the number of retries to perform on a server after a connection failure
4615 May be used in sections: defaults | frontend | listen | backend
4616 yes | no | yes | yes
4617 Arguments :
4618 <value> is the number of times a connection attempt should be retried on
4619 a server when a connection either is refused or times out. The
4620 default value is 3.
4621
4622 It is important to understand that this value applies to the number of
4623 connection attempts, not full requests. When a connection has effectively
4624 been established to a server, there will be no more retry.
4625
4626 In order to avoid immediate reconnections to a server which is restarting,
4627 a turn-around timer of 1 second is applied before a retry occurs.
4628
4629 When "option redispatch" is set, the last retry may be performed on another
4630 server even if a cookie references a different server.
4631
4632 See also : "option redispatch"
4633
4634
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004635rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004636 Add a header at the end of the HTTP response
4637 May be used in sections : defaults | frontend | listen | backend
4638 no | yes | yes | yes
4639 Arguments :
4640 <string> is the complete line to be added. Any space or known delimiter
4641 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004642 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004643
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004644 <cond> is an optional matching condition built from ACLs. It makes it
4645 possible to ignore this rule when other conditions are not met.
4646
Willy Tarreau303c0352008-01-17 19:01:39 +01004647 A new line consisting in <string> followed by a line feed will be added after
4648 the last header of an HTTP response.
4649
4650 Header transformations only apply to traffic which passes through HAProxy,
4651 and not to traffic generated by HAProxy, such as health-checks or error
4652 responses.
4653
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004654 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4655 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004656
4657
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004658rspdel <search> [{if | unless} <cond>]
4659rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004660 Delete all headers matching a regular expression in an HTTP response
4661 May be used in sections : defaults | frontend | listen | backend
4662 no | yes | yes | yes
4663 Arguments :
4664 <search> is the regular expression applied to HTTP headers and to the
4665 response line. This is an extended regular expression, so
4666 parenthesis grouping is supported and no preliminary backslash
4667 is required. Any space or known delimiter must be escaped using
4668 a backslash ('\'). The pattern applies to a full line at a time.
4669 The "rspdel" keyword strictly matches case while "rspidel"
4670 ignores case.
4671
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004672 <cond> is an optional matching condition built from ACLs. It makes it
4673 possible to ignore this rule when other conditions are not met.
4674
Willy Tarreau303c0352008-01-17 19:01:39 +01004675 Any header line matching extended regular expression <search> in the response
4676 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02004677 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01004678 client.
4679
4680 Header transformations only apply to traffic which passes through HAProxy,
4681 and not to traffic generated by HAProxy, such as health-checks or error
4682 responses. Keep in mind that header names are not case-sensitive.
4683
4684 Example :
4685 # remove the Server header from responses
4686 reqidel ^Server:.*
4687
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004688 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4689 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004690
4691
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004692rspdeny <search> [{if | unless} <cond>]
4693rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004694 Block an HTTP response if a line matches a regular expression
4695 May be used in sections : defaults | frontend | listen | backend
4696 no | yes | yes | yes
4697 Arguments :
4698 <search> is the regular expression applied to HTTP headers and to the
4699 response line. This is an extended regular expression, so
4700 parenthesis grouping is supported and no preliminary backslash
4701 is required. Any space or known delimiter must be escaped using
4702 a backslash ('\'). The pattern applies to a full line at a time.
4703 The "rspdeny" keyword strictly matches case while "rspideny"
4704 ignores case.
4705
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004706 <cond> is an optional matching condition built from ACLs. It makes it
4707 possible to ignore this rule when other conditions are not met.
4708
Willy Tarreau303c0352008-01-17 19:01:39 +01004709 A response containing any line which matches extended regular expression
4710 <search> will mark the request as denied. The test applies both to the
4711 response line and to response headers. Keep in mind that header names are not
4712 case-sensitive.
4713
4714 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004715 block the response before it reaches the client. If a response is denied, it
4716 will be replaced with an HTTP 502 error so that the client never retrieves
4717 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004718
4719 It is easier, faster and more powerful to use ACLs to write access policies.
4720 Rspdeny should be avoided in new designs.
4721
4722 Example :
4723 # Ensure that no content type matching ms-word will leak
4724 rspideny ^Content-type:\.*/ms-word
4725
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004726 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4727 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004728
4729
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004730rsprep <search> <string> [{if | unless} <cond>]
4731rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004732 Replace a regular expression with a string in an HTTP response line
4733 May be used in sections : defaults | frontend | listen | backend
4734 no | yes | yes | yes
4735 Arguments :
4736 <search> is the regular expression applied to HTTP headers and to the
4737 response line. This is an extended regular expression, so
4738 parenthesis grouping is supported and no preliminary backslash
4739 is required. Any space or known delimiter must be escaped using
4740 a backslash ('\'). The pattern applies to a full line at a time.
4741 The "rsprep" keyword strictly matches case while "rspirep"
4742 ignores case.
4743
4744 <string> is the complete line to be added. Any space or known delimiter
4745 must be escaped using a backslash ('\'). References to matched
4746 pattern groups are possible using the common \N form, with N
4747 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004748 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004749
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004750 <cond> is an optional matching condition built from ACLs. It makes it
4751 possible to ignore this rule when other conditions are not met.
4752
Willy Tarreau303c0352008-01-17 19:01:39 +01004753 Any line matching extended regular expression <search> in the response (both
4754 the response line and header lines) will be completely replaced with
4755 <string>. Most common use of this is to rewrite Location headers.
4756
4757 Header transformations only apply to traffic which passes through HAProxy,
4758 and not to traffic generated by HAProxy, such as health-checks or error
4759 responses. Note that for increased readability, it is suggested to add enough
4760 spaces between the request and the response. Keep in mind that header names
4761 are not case-sensitive.
4762
4763 Example :
4764 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4765 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4766
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004767 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4768 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004769
4770
David du Colombier486df472011-03-17 10:40:26 +01004771server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004772 Declare a server in a backend
4773 May be used in sections : defaults | frontend | listen | backend
4774 no | no | yes | yes
4775 Arguments :
4776 <name> is the internal name assigned to this server. This name will
Cyril Bonté941a0c62012-10-15 19:44:24 +02004777 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05004778 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004779
David du Colombier486df472011-03-17 10:40:26 +01004780 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
4781 resolvable hostname is supported, but this name will be resolved
4782 during start-up. Address "0.0.0.0" or "*" has a special meaning.
4783 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004784 address as the one from the client connection. This is useful in
4785 transparent proxy architectures where the client's connection is
4786 intercepted and haproxy must forward to the original destination
4787 address. This is more or less what the "transparent" keyword does
4788 except that with a server it's possible to limit concurrency and
4789 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004790
Willy Tarreaub6205fd2012-09-24 12:27:33 +02004791 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004792 be sent to this port. If unset, the same port the client
4793 connected to will be used. The port may also be prefixed by a "+"
4794 or a "-". In this case, the server's port will be determined by
4795 adding this value to the client's port.
4796
4797 <param*> is a list of parameters for this server. The "server" keywords
4798 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004799 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004800
4801 Examples :
4802 server first 10.1.1.1:1080 cookie first check inter 1000
4803 server second 10.1.1.2:1080 cookie second check inter 1000
4804
Mark Lamourinec2247f02012-01-04 13:02:01 -05004805 See also: "default-server", "http-send-name-header" and section 5 about
4806 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004807
4808
4809source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004810source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004811source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004812 Set the source address for outgoing connections
4813 May be used in sections : defaults | frontend | listen | backend
4814 yes | no | yes | yes
4815 Arguments :
4816 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4817 server. This address is also used as a source for health checks.
4818 The default value of 0.0.0.0 means that the system will select
4819 the most appropriate address to reach its destination.
4820
4821 <port> is an optional port. It is normally not needed but may be useful
4822 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004823 the system will select a free port. Note that port ranges are not
4824 supported in the backend. If you want to force port ranges, you
4825 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004826
4827 <addr2> is the IP address to present to the server when connections are
4828 forwarded in full transparent proxy mode. This is currently only
4829 supported on some patched Linux kernels. When this address is
4830 specified, clients connecting to the server will be presented
4831 with this address, while health checks will still use the address
4832 <addr>.
4833
4834 <port2> is the optional port to present to the server when connections
4835 are forwarded in full transparent proxy mode (see <addr2> above).
4836 The default value of zero means the system will select a free
4837 port.
4838
Willy Tarreaubce70882009-09-07 11:51:47 +02004839 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4840 This is the name of a comma-separated header list which can
4841 contain multiple IP addresses. By default, the last occurrence is
4842 used. This is designed to work with the X-Forwarded-For header
4843 and to automatically bind to the the client's IP address as seen
4844 by previous proxy, typically Stunnel. In order to use another
4845 occurrence from the last one, please see the <occ> parameter
4846 below. When the header (or occurrence) is not found, no binding
4847 is performed so that the proxy's default IP address is used. Also
4848 keep in mind that the header name is case insensitive, as for any
4849 HTTP header.
4850
4851 <occ> is the occurrence number of a value to be used in a multi-value
4852 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004853 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02004854 address. Positive values indicate a position from the first
4855 occurrence, 1 being the first one. Negative values indicate
4856 positions relative to the last one, -1 being the last one. This
4857 is helpful for situations where an X-Forwarded-For header is set
4858 at the entry point of an infrastructure and must be used several
4859 proxy layers away. When this value is not specified, -1 is
4860 assumed. Passing a zero here disables the feature.
4861
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004862 <name> is an optional interface name to which to bind to for outgoing
4863 traffic. On systems supporting this features (currently, only
4864 Linux), this allows one to bind all traffic to the server to
4865 this interface even if it is not the one the system would select
4866 based on routing tables. This should be used with extreme care.
4867 Note that using this option requires root privileges.
4868
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004869 The "source" keyword is useful in complex environments where a specific
4870 address only is allowed to connect to the servers. It may be needed when a
4871 private address must be used through a public gateway for instance, and it is
4872 known that the system cannot determine the adequate source address by itself.
4873
4874 An extension which is available on certain patched Linux kernels may be used
4875 through the "usesrc" optional keyword. It makes it possible to connect to the
4876 servers with an IP address which does not belong to the system itself. This
4877 is called "full transparent proxy mode". For this to work, the destination
4878 servers have to route their traffic back to this address through the machine
4879 running HAProxy, and IP forwarding must generally be enabled on this machine.
4880
4881 In this "full transparent proxy" mode, it is possible to force a specific IP
4882 address to be presented to the servers. This is not much used in fact. A more
4883 common use is to tell HAProxy to present the client's IP address. For this,
4884 there are two methods :
4885
4886 - present the client's IP and port addresses. This is the most transparent
4887 mode, but it can cause problems when IP connection tracking is enabled on
4888 the machine, because a same connection may be seen twice with different
4889 states. However, this solution presents the huge advantage of not
4890 limiting the system to the 64k outgoing address+port couples, because all
4891 of the client ranges may be used.
4892
4893 - present only the client's IP address and select a spare port. This
4894 solution is still quite elegant but slightly less transparent (downstream
4895 firewalls logs will not match upstream's). It also presents the downside
4896 of limiting the number of concurrent connections to the usual 64k ports.
4897 However, since the upstream and downstream ports are different, local IP
4898 connection tracking on the machine will not be upset by the reuse of the
4899 same session.
4900
4901 Note that depending on the transparent proxy technology used, it may be
4902 required to force the source address. In fact, cttproxy version 2 requires an
4903 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4904 IP address because it creates NAT entries which much match the exact outgoing
4905 address. Tproxy version 4 and some other kernel patches which work in pure
4906 forwarding mode generally will not have this limitation.
4907
4908 This option sets the default source for all servers in the backend. It may
4909 also be specified in a "defaults" section. Finer source address specification
4910 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004911 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004912
4913 Examples :
4914 backend private
4915 # Connect to the servers using our 192.168.1.200 source address
4916 source 192.168.1.200
4917
4918 backend transparent_ssl1
4919 # Connect to the SSL farm from the client's source address
4920 source 192.168.1.200 usesrc clientip
4921
4922 backend transparent_ssl2
4923 # Connect to the SSL farm from the client's source address and port
4924 # not recommended if IP conntrack is present on the local machine.
4925 source 192.168.1.200 usesrc client
4926
4927 backend transparent_ssl3
4928 # Connect to the SSL farm from the client's source address. It
4929 # is more conntrack-friendly.
4930 source 192.168.1.200 usesrc clientip
4931
4932 backend transparent_smtp
4933 # Connect to the SMTP farm from the client's source address/port
4934 # with Tproxy version 4.
4935 source 0.0.0.0 usesrc clientip
4936
Willy Tarreaubce70882009-09-07 11:51:47 +02004937 backend transparent_http
4938 # Connect to the servers using the client's IP as seen by previous
4939 # proxy.
4940 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4941
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004942 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004943 the Linux kernel on www.balabit.com, the "bind" keyword.
4944
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004945
Willy Tarreau844e3c52008-01-11 16:28:18 +01004946srvtimeout <timeout> (deprecated)
4947 Set the maximum inactivity time on the server side.
4948 May be used in sections : defaults | frontend | listen | backend
4949 yes | no | yes | yes
4950 Arguments :
4951 <timeout> is the timeout value specified in milliseconds by default, but
4952 can be in any other unit if the number is suffixed by the unit,
4953 as explained at the top of this document.
4954
4955 The inactivity timeout applies when the server is expected to acknowledge or
4956 send data. In HTTP mode, this timeout is particularly important to consider
4957 during the first phase of the server's response, when it has to send the
4958 headers, as it directly represents the server's processing time for the
4959 request. To find out what value to put there, it's often good to start with
4960 what would be considered as unacceptable response times, then check the logs
4961 to observe the response time distribution, and adjust the value accordingly.
4962
4963 The value is specified in milliseconds by default, but can be in any other
4964 unit if the number is suffixed by the unit, as specified at the top of this
4965 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4966 recommended that the client timeout remains equal to the server timeout in
4967 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004968 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004969 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01004970 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01004971
4972 This parameter is specific to backends, but can be specified once for all in
4973 "defaults" sections. This is in fact one of the easiest solutions not to
4974 forget about it. An unspecified timeout results in an infinite timeout, which
4975 is not recommended. Such a usage is accepted and works but reports a warning
4976 during startup because it may results in accumulation of expired sessions in
4977 the system if the system's timeouts are not configured either.
4978
4979 This parameter is provided for compatibility but is currently deprecated.
4980 Please use "timeout server" instead.
4981
Willy Tarreauce887fd2012-05-12 12:50:00 +02004982 See also : "timeout server", "timeout tunnel", "timeout client" and
4983 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01004984
4985
Cyril Bonté66c327d2010-10-12 00:14:37 +02004986stats admin { if | unless } <cond>
4987 Enable statistics admin level if/unless a condition is matched
4988 May be used in sections : defaults | frontend | listen | backend
4989 no | no | yes | yes
4990
4991 This statement enables the statistics admin level if/unless a condition is
4992 matched.
4993
4994 The admin level allows to enable/disable servers from the web interface. By
4995 default, statistics page is read-only for security reasons.
4996
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01004997 Note : Consider not using this feature in multi-process mode (nbproc > 1)
4998 unless you know what you do : memory is not shared between the
4999 processes, which can result in random behaviours.
5000
Cyril Bonté23b39d92011-02-10 22:54:44 +01005001 Currently, the POST request is limited to the buffer size minus the reserved
5002 buffer space, which means that if the list of servers is too long, the
5003 request won't be processed. It is recommended to alter few servers at a
5004 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005005
5006 Example :
5007 # statistics admin level only for localhost
5008 backend stats_localhost
5009 stats enable
5010 stats admin if LOCALHOST
5011
5012 Example :
5013 # statistics admin level always enabled because of the authentication
5014 backend stats_auth
5015 stats enable
5016 stats auth admin:AdMiN123
5017 stats admin if TRUE
5018
5019 Example :
5020 # statistics admin level depends on the authenticated user
5021 userlist stats-auth
5022 group admin users admin
5023 user admin insecure-password AdMiN123
5024 group readonly users haproxy
5025 user haproxy insecure-password haproxy
5026
5027 backend stats_auth
5028 stats enable
5029 acl AUTH http_auth(stats-auth)
5030 acl AUTH_ADMIN http_auth_group(stats-auth) admin
5031 stats http-request auth unless AUTH
5032 stats admin if AUTH_ADMIN
5033
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005034 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
5035 "bind-process", section 3.4 about userlists and section 7 about
5036 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02005037
5038
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005039stats auth <user>:<passwd>
5040 Enable statistics with authentication and grant access to an account
5041 May be used in sections : defaults | frontend | listen | backend
5042 yes | no | yes | yes
5043 Arguments :
5044 <user> is a user name to grant access to
5045
5046 <passwd> is the cleartext password associated to this user
5047
5048 This statement enables statistics with default settings, and restricts access
5049 to declared users only. It may be repeated as many times as necessary to
5050 allow as many users as desired. When a user tries to access the statistics
5051 without a valid account, a "401 Forbidden" response will be returned so that
5052 the browser asks the user to provide a valid user and password. The real
5053 which will be returned to the browser is configurable using "stats realm".
5054
5055 Since the authentication method is HTTP Basic Authentication, the passwords
5056 circulate in cleartext on the network. Thus, it was decided that the
5057 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02005058 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005059
5060 It is also possible to reduce the scope of the proxies which appear in the
5061 report using "stats scope".
5062
5063 Though this statement alone is enough to enable statistics reporting, it is
5064 recommended to set all other settings in order to avoid relying on default
5065 unobvious parameters.
5066
5067 Example :
5068 # public access (limited to this backend only)
5069 backend public_www
5070 server srv1 192.168.0.1:80
5071 stats enable
5072 stats hide-version
5073 stats scope .
5074 stats uri /admin?stats
5075 stats realm Haproxy\ Statistics
5076 stats auth admin1:AdMiN123
5077 stats auth admin2:AdMiN321
5078
5079 # internal monitoring access (unlimited)
5080 backend private_monitoring
5081 stats enable
5082 stats uri /admin?stats
5083 stats refresh 5s
5084
5085 See also : "stats enable", "stats realm", "stats scope", "stats uri"
5086
5087
5088stats enable
5089 Enable statistics reporting with default settings
5090 May be used in sections : defaults | frontend | listen | backend
5091 yes | no | yes | yes
5092 Arguments : none
5093
5094 This statement enables statistics reporting with default settings defined
5095 at build time. Unless stated otherwise, these settings are used :
5096 - stats uri : /haproxy?stats
5097 - stats realm : "HAProxy Statistics"
5098 - stats auth : no authentication
5099 - stats scope : no restriction
5100
5101 Though this statement alone is enough to enable statistics reporting, it is
5102 recommended to set all other settings in order to avoid relying on default
5103 unobvious parameters.
5104
5105 Example :
5106 # public access (limited to this backend only)
5107 backend public_www
5108 server srv1 192.168.0.1:80
5109 stats enable
5110 stats hide-version
5111 stats scope .
5112 stats uri /admin?stats
5113 stats realm Haproxy\ Statistics
5114 stats auth admin1:AdMiN123
5115 stats auth admin2:AdMiN321
5116
5117 # internal monitoring access (unlimited)
5118 backend private_monitoring
5119 stats enable
5120 stats uri /admin?stats
5121 stats refresh 5s
5122
5123 See also : "stats auth", "stats realm", "stats uri"
5124
5125
Willy Tarreaud63335a2010-02-26 12:56:52 +01005126stats hide-version
5127 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005128 May be used in sections : defaults | frontend | listen | backend
5129 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01005130 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005131
Willy Tarreaud63335a2010-02-26 12:56:52 +01005132 By default, the stats page reports some useful status information along with
5133 the statistics. Among them is HAProxy's version. However, it is generally
5134 considered dangerous to report precise version to anyone, as it can help them
5135 target known weaknesses with specific attacks. The "stats hide-version"
5136 statement removes the version from the statistics report. This is recommended
5137 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005138
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005139 Though this statement alone is enough to enable statistics reporting, it is
5140 recommended to set all other settings in order to avoid relying on default
5141 unobvious parameters.
5142
Willy Tarreaud63335a2010-02-26 12:56:52 +01005143 Example :
5144 # public access (limited to this backend only)
5145 backend public_www
5146 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02005147 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005148 stats hide-version
5149 stats scope .
5150 stats uri /admin?stats
5151 stats realm Haproxy\ Statistics
5152 stats auth admin1:AdMiN123
5153 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005154
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005155 # internal monitoring access (unlimited)
5156 backend private_monitoring
5157 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01005158 stats uri /admin?stats
5159 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01005160
Willy Tarreaud63335a2010-02-26 12:56:52 +01005161 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02005162
Willy Tarreau983e01e2010-01-11 18:42:06 +01005163
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02005164stats http-request { allow | deny | auth [realm <realm>] }
5165 [ { if | unless } <condition> ]
5166 Access control for statistics
5167
5168 May be used in sections: defaults | frontend | listen | backend
5169 no | no | yes | yes
5170
5171 As "http-request", these set of options allow to fine control access to
5172 statistics. Each option may be followed by if/unless and acl.
5173 First option with matched condition (or option without condition) is final.
5174 For "deny" a 403 error will be returned, for "allow" normal processing is
5175 performed, for "auth" a 401/407 error code is returned so the client
5176 should be asked to enter a username and password.
5177
5178 There is no fixed limit to the number of http-request statements per
5179 instance.
5180
5181 See also : "http-request", section 3.4 about userlists and section 7
5182 about ACL usage.
5183
5184
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005185stats realm <realm>
5186 Enable statistics and set authentication realm
5187 May be used in sections : defaults | frontend | listen | backend
5188 yes | no | yes | yes
5189 Arguments :
5190 <realm> is the name of the HTTP Basic Authentication realm reported to
5191 the browser. The browser uses it to display it in the pop-up
5192 inviting the user to enter a valid username and password.
5193
5194 The realm is read as a single word, so any spaces in it should be escaped
5195 using a backslash ('\').
5196
5197 This statement is useful only in conjunction with "stats auth" since it is
5198 only related to authentication.
5199
5200 Though this statement alone is enough to enable statistics reporting, it is
5201 recommended to set all other settings in order to avoid relying on default
5202 unobvious parameters.
5203
5204 Example :
5205 # public access (limited to this backend only)
5206 backend public_www
5207 server srv1 192.168.0.1:80
5208 stats enable
5209 stats hide-version
5210 stats scope .
5211 stats uri /admin?stats
5212 stats realm Haproxy\ Statistics
5213 stats auth admin1:AdMiN123
5214 stats auth admin2:AdMiN321
5215
5216 # internal monitoring access (unlimited)
5217 backend private_monitoring
5218 stats enable
5219 stats uri /admin?stats
5220 stats refresh 5s
5221
5222 See also : "stats auth", "stats enable", "stats uri"
5223
5224
5225stats refresh <delay>
5226 Enable statistics with automatic refresh
5227 May be used in sections : defaults | frontend | listen | backend
5228 yes | no | yes | yes
5229 Arguments :
5230 <delay> is the suggested refresh delay, specified in seconds, which will
5231 be returned to the browser consulting the report page. While the
5232 browser is free to apply any delay, it will generally respect it
5233 and refresh the page this every seconds. The refresh interval may
5234 be specified in any other non-default time unit, by suffixing the
5235 unit after the value, as explained at the top of this document.
5236
5237 This statement is useful on monitoring displays with a permanent page
5238 reporting the load balancer's activity. When set, the HTML report page will
5239 include a link "refresh"/"stop refresh" so that the user can select whether
5240 he wants automatic refresh of the page or not.
5241
5242 Though this statement alone is enough to enable statistics reporting, it is
5243 recommended to set all other settings in order to avoid relying on default
5244 unobvious parameters.
5245
5246 Example :
5247 # public access (limited to this backend only)
5248 backend public_www
5249 server srv1 192.168.0.1:80
5250 stats enable
5251 stats hide-version
5252 stats scope .
5253 stats uri /admin?stats
5254 stats realm Haproxy\ Statistics
5255 stats auth admin1:AdMiN123
5256 stats auth admin2:AdMiN321
5257
5258 # internal monitoring access (unlimited)
5259 backend private_monitoring
5260 stats enable
5261 stats uri /admin?stats
5262 stats refresh 5s
5263
5264 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5265
5266
5267stats scope { <name> | "." }
5268 Enable statistics and limit access scope
5269 May be used in sections : defaults | frontend | listen | backend
5270 yes | no | yes | yes
5271 Arguments :
5272 <name> is the name of a listen, frontend or backend section to be
5273 reported. The special name "." (a single dot) designates the
5274 section in which the statement appears.
5275
5276 When this statement is specified, only the sections enumerated with this
5277 statement will appear in the report. All other ones will be hidden. This
5278 statement may appear as many times as needed if multiple sections need to be
5279 reported. Please note that the name checking is performed as simple string
5280 comparisons, and that it is never checked that a give section name really
5281 exists.
5282
5283 Though this statement alone is enough to enable statistics reporting, it is
5284 recommended to set all other settings in order to avoid relying on default
5285 unobvious parameters.
5286
5287 Example :
5288 # public access (limited to this backend only)
5289 backend public_www
5290 server srv1 192.168.0.1:80
5291 stats enable
5292 stats hide-version
5293 stats scope .
5294 stats uri /admin?stats
5295 stats realm Haproxy\ Statistics
5296 stats auth admin1:AdMiN123
5297 stats auth admin2:AdMiN321
5298
5299 # internal monitoring access (unlimited)
5300 backend private_monitoring
5301 stats enable
5302 stats uri /admin?stats
5303 stats refresh 5s
5304
5305 See also : "stats auth", "stats enable", "stats realm", "stats uri"
5306
Willy Tarreaud63335a2010-02-26 12:56:52 +01005307
Willy Tarreauc9705a12010-07-27 20:05:50 +02005308stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01005309 Enable reporting of a description on the statistics page.
5310 May be used in sections : defaults | frontend | listen | backend
5311 yes | no | yes | yes
5312
Willy Tarreauc9705a12010-07-27 20:05:50 +02005313 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01005314 description from global section is automatically used instead.
5315
5316 This statement is useful for users that offer shared services to their
5317 customers, where node or description should be different for each customer.
5318
5319 Though this statement alone is enough to enable statistics reporting, it is
5320 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005321 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005322
5323 Example :
5324 # internal monitoring access (unlimited)
5325 backend private_monitoring
5326 stats enable
5327 stats show-desc Master node for Europe, Asia, Africa
5328 stats uri /admin?stats
5329 stats refresh 5s
5330
5331 See also: "show-node", "stats enable", "stats uri" and "description" in
5332 global section.
5333
5334
5335stats show-legends
5336 Enable reporting additional informations on the statistics page :
5337 - cap: capabilities (proxy)
5338 - mode: one of tcp, http or health (proxy)
5339 - id: SNMP ID (proxy, socket, server)
5340 - IP (socket, server)
5341 - cookie (backend, server)
5342
5343 Though this statement alone is enough to enable statistics reporting, it is
5344 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005345 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005346
5347 See also: "stats enable", "stats uri".
5348
5349
5350stats show-node [ <name> ]
5351 Enable reporting of a host name on the statistics page.
5352 May be used in sections : defaults | frontend | listen | backend
5353 yes | no | yes | yes
5354 Arguments:
5355 <name> is an optional name to be reported. If unspecified, the
5356 node name from global section is automatically used instead.
5357
5358 This statement is useful for users that offer shared services to their
5359 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005360 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01005361
5362 Though this statement alone is enough to enable statistics reporting, it is
5363 recommended to set all other settings in order to avoid relying on default
5364 unobvious parameters.
5365
5366 Example:
5367 # internal monitoring access (unlimited)
5368 backend private_monitoring
5369 stats enable
5370 stats show-node Europe-1
5371 stats uri /admin?stats
5372 stats refresh 5s
5373
5374 See also: "show-desc", "stats enable", "stats uri", and "node" in global
5375 section.
5376
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005377
5378stats uri <prefix>
5379 Enable statistics and define the URI prefix to access them
5380 May be used in sections : defaults | frontend | listen | backend
5381 yes | no | yes | yes
5382 Arguments :
5383 <prefix> is the prefix of any URI which will be redirected to stats. This
5384 prefix may contain a question mark ('?') to indicate part of a
5385 query string.
5386
5387 The statistics URI is intercepted on the relayed traffic, so it appears as a
5388 page within the normal application. It is strongly advised to ensure that the
5389 selected URI will never appear in the application, otherwise it will never be
5390 possible to reach it in the application.
5391
5392 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005393 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005394 It is generally a good idea to include a question mark in the URI so that
5395 intermediate proxies refrain from caching the results. Also, since any string
5396 beginning with the prefix will be accepted as a stats request, the question
5397 mark helps ensuring that no valid URI will begin with the same words.
5398
5399 It is sometimes very convenient to use "/" as the URI prefix, and put that
5400 statement in a "listen" instance of its own. That makes it easy to dedicate
5401 an address or a port to statistics only.
5402
5403 Though this statement alone is enough to enable statistics reporting, it is
5404 recommended to set all other settings in order to avoid relying on default
5405 unobvious parameters.
5406
5407 Example :
5408 # public access (limited to this backend only)
5409 backend public_www
5410 server srv1 192.168.0.1:80
5411 stats enable
5412 stats hide-version
5413 stats scope .
5414 stats uri /admin?stats
5415 stats realm Haproxy\ Statistics
5416 stats auth admin1:AdMiN123
5417 stats auth admin2:AdMiN321
5418
5419 # internal monitoring access (unlimited)
5420 backend private_monitoring
5421 stats enable
5422 stats uri /admin?stats
5423 stats refresh 5s
5424
5425 See also : "stats auth", "stats enable", "stats realm"
5426
5427
Willy Tarreaud63335a2010-02-26 12:56:52 +01005428stick match <pattern> [table <table>] [{if | unless} <cond>]
5429 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005430 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01005431 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005432
5433 Arguments :
5434 <pattern> is a pattern extraction rule as described in section 7.8. It
5435 describes what elements of the incoming request or connection
5436 will be analysed in the hope to find a matching entry in a
5437 stickiness table. This rule is mandatory.
5438
5439 <table> is an optional stickiness table name. If unspecified, the same
5440 backend's table is used. A stickiness table is declared using
5441 the "stick-table" statement.
5442
5443 <cond> is an optional matching condition. It makes it possible to match
5444 on a certain criterion only when other conditions are met (or
5445 not met). For instance, it could be used to match on a source IP
5446 address except when a request passes through a known proxy, in
5447 which case we'd match on a header containing that IP address.
5448
5449 Some protocols or applications require complex stickiness rules and cannot
5450 always simply rely on cookies nor hashing. The "stick match" statement
5451 describes a rule to extract the stickiness criterion from an incoming request
5452 or connection. See section 7 for a complete list of possible patterns and
5453 transformation rules.
5454
5455 The table has to be declared using the "stick-table" statement. It must be of
5456 a type compatible with the pattern. By default it is the one which is present
5457 in the same backend. It is possible to share a table with other backends by
5458 referencing it using the "table" keyword. If another table is referenced,
5459 the server's ID inside the backends are used. By default, all server IDs
5460 start at 1 in each backend, so the server ordering is enough. But in case of
5461 doubt, it is highly recommended to force server IDs using their "id" setting.
5462
5463 It is possible to restrict the conditions where a "stick match" statement
5464 will apply, using "if" or "unless" followed by a condition. See section 7 for
5465 ACL based conditions.
5466
5467 There is no limit on the number of "stick match" statements. The first that
5468 applies and matches will cause the request to be directed to the same server
5469 as was used for the request which created the entry. That way, multiple
5470 matches can be used as fallbacks.
5471
5472 The stick rules are checked after the persistence cookies, so they will not
5473 affect stickiness if a cookie has already been used to select a server. That
5474 way, it becomes very easy to insert cookies and match on IP addresses in
5475 order to maintain stickiness between HTTP and HTTPS.
5476
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005477 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5478 unless you know what you do : memory is not shared between the
5479 processes, which can result in random behaviours.
5480
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005481 Example :
5482 # forward SMTP users to the same server they just used for POP in the
5483 # last 30 minutes
5484 backend pop
5485 mode tcp
5486 balance roundrobin
5487 stick store-request src
5488 stick-table type ip size 200k expire 30m
5489 server s1 192.168.1.1:110
5490 server s2 192.168.1.1:110
5491
5492 backend smtp
5493 mode tcp
5494 balance roundrobin
5495 stick match src table pop
5496 server s1 192.168.1.1:25
5497 server s2 192.168.1.1:25
5498
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005499 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5500 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005501
5502
5503stick on <pattern> [table <table>] [{if | unless} <condition>]
5504 Define a request pattern to associate a user to a server
5505 May be used in sections : defaults | frontend | listen | backend
5506 no | no | yes | yes
5507
5508 Note : This form is exactly equivalent to "stick match" followed by
5509 "stick store-request", all with the same arguments. Please refer
5510 to both keywords for details. It is only provided as a convenience
5511 for writing more maintainable configurations.
5512
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005513 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5514 unless you know what you do : memory is not shared between the
5515 processes, which can result in random behaviours.
5516
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005517 Examples :
5518 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01005519 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005520
5521 # ...is strictly equivalent to this one :
5522 stick match src table pop if !localhost
5523 stick store-request src table pop if !localhost
5524
5525
5526 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
5527 # well as HTTP without cookie. Share the same table between both accesses.
5528 backend http
5529 mode http
5530 balance roundrobin
5531 stick on src table https
5532 cookie SRV insert indirect nocache
5533 server s1 192.168.1.1:80 cookie s1
5534 server s2 192.168.1.1:80 cookie s2
5535
5536 backend https
5537 mode tcp
5538 balance roundrobin
5539 stick-table type ip size 200k expire 30m
5540 stick on src
5541 server s1 192.168.1.1:443
5542 server s2 192.168.1.1:443
5543
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005544 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005545
5546
5547stick store-request <pattern> [table <table>] [{if | unless} <condition>]
5548 Define a request pattern used to create an entry in a stickiness table
5549 May be used in sections : defaults | frontend | listen | backend
5550 no | no | yes | yes
5551
5552 Arguments :
5553 <pattern> is a pattern extraction rule as described in section 7.8. It
5554 describes what elements of the incoming request or connection
5555 will be analysed, extracted and stored in the table once a
5556 server is selected.
5557
5558 <table> is an optional stickiness table name. If unspecified, the same
5559 backend's table is used. A stickiness table is declared using
5560 the "stick-table" statement.
5561
5562 <cond> is an optional storage condition. It makes it possible to store
5563 certain criteria only when some conditions are met (or not met).
5564 For instance, it could be used to store the source IP address
5565 except when the request passes through a known proxy, in which
5566 case we'd store a converted form of a header containing that IP
5567 address.
5568
5569 Some protocols or applications require complex stickiness rules and cannot
5570 always simply rely on cookies nor hashing. The "stick store-request" statement
5571 describes a rule to decide what to extract from the request and when to do
5572 it, in order to store it into a stickiness table for further requests to
5573 match it using the "stick match" statement. Obviously the extracted part must
5574 make sense and have a chance to be matched in a further request. Storing a
5575 client's IP address for instance often makes sense. Storing an ID found in a
5576 URL parameter also makes sense. Storing a source port will almost never make
5577 any sense because it will be randomly matched. See section 7 for a complete
5578 list of possible patterns and transformation rules.
5579
5580 The table has to be declared using the "stick-table" statement. It must be of
5581 a type compatible with the pattern. By default it is the one which is present
5582 in the same backend. It is possible to share a table with other backends by
5583 referencing it using the "table" keyword. If another table is referenced,
5584 the server's ID inside the backends are used. By default, all server IDs
5585 start at 1 in each backend, so the server ordering is enough. But in case of
5586 doubt, it is highly recommended to force server IDs using their "id" setting.
5587
5588 It is possible to restrict the conditions where a "stick store-request"
5589 statement will apply, using "if" or "unless" followed by a condition. This
5590 condition will be evaluated while parsing the request, so any criteria can be
5591 used. See section 7 for ACL based conditions.
5592
5593 There is no limit on the number of "stick store-request" statements, but
5594 there is a limit of 8 simultaneous stores per request or response. This
5595 makes it possible to store up to 8 criteria, all extracted from either the
5596 request or the response, regardless of the number of rules. Only the 8 first
5597 ones which match will be kept. Using this, it is possible to feed multiple
5598 tables at once in the hope to increase the chance to recognize a user on
5599 another protocol or access method.
5600
5601 The "store-request" rules are evaluated once the server connection has been
5602 established, so that the table will contain the real server that processed
5603 the request.
5604
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005605 Note : Consider not using this feature in multi-process mode (nbproc > 1)
5606 unless you know what you do : memory is not shared between the
5607 processes, which can result in random behaviours.
5608
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005609 Example :
5610 # forward SMTP users to the same server they just used for POP in the
5611 # last 30 minutes
5612 backend pop
5613 mode tcp
5614 balance roundrobin
5615 stick store-request src
5616 stick-table type ip size 200k expire 30m
5617 server s1 192.168.1.1:110
5618 server s2 192.168.1.1:110
5619
5620 backend smtp
5621 mode tcp
5622 balance roundrobin
5623 stick match src table pop
5624 server s1 192.168.1.1:25
5625 server s2 192.168.1.1:25
5626
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005627 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
5628 about ACLs and pattern extraction.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005629
5630
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005631stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02005632 size <size> [expire <expire>] [nopurge] [peers <peersect>]
5633 [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005634 Configure the stickiness table for the current backend
5635 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005636 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005637
5638 Arguments :
5639 ip a table declared with "type ip" will only store IPv4 addresses.
5640 This form is very compact (about 50 bytes per entry) and allows
5641 very fast entry lookup and stores with almost no overhead. This
5642 is mainly used to store client source IP addresses.
5643
David du Colombier9a6d3c92011-03-17 10:40:24 +01005644 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
5645 This form is very compact (about 60 bytes per entry) and allows
5646 very fast entry lookup and stores with almost no overhead. This
5647 is mainly used to store client source IP addresses.
5648
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005649 integer a table declared with "type integer" will store 32bit integers
5650 which can represent a client identifier found in a request for
5651 instance.
5652
5653 string a table declared with "type string" will store substrings of up
5654 to <len> characters. If the string provided by the pattern
5655 extractor is larger than <len>, it will be truncated before
5656 being stored. During matching, at most <len> characters will be
5657 compared between the string in the table and the extracted
5658 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005659 to 32 characters.
5660
5661 binary a table declared with "type binary" will store binary blocks
5662 of <len> bytes. If the block provided by the pattern
5663 extractor is larger than <len>, it will be truncated before
5664 being stored. If the block provided by the pattern extractor
5665 is shorter than <len>, it will be padded by 0. When not
5666 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005667
5668 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02005669 "string" type table (See type "string" above). Or the number
5670 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005671 changing this parameter as memory usage will proportionally
5672 increase.
5673
5674 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005675 value directly impacts memory usage. Count approximately
5676 50 bytes per entry, plus the size of a string if any. The size
5677 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005678
5679 [nopurge] indicates that we refuse to purge older entries when the table
5680 is full. When not specified and the table is full when haproxy
5681 wants to store an entry in it, it will flush a few of the oldest
5682 entries in order to release some space for the new ones. This is
5683 most often the desired behaviour. In some specific cases, it
5684 be desirable to refuse new entries instead of purging the older
5685 ones. That may be the case when the amount of data to store is
5686 far above the hardware limits and we prefer not to offer access
5687 to new clients than to reject the ones already connected. When
5688 using this parameter, be sure to properly set the "expire"
5689 parameter (see below).
5690
Emeric Brunf099e792010-09-27 12:05:28 +02005691 <peersect> is the name of the peers section to use for replication. Entries
5692 which associate keys to server IDs are kept synchronized with
5693 the remote peers declared in this section. All entries are also
5694 automatically learned from the local peer (old process) during a
5695 soft restart.
5696
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01005697 NOTE : peers can't be used in multi-process mode.
5698
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005699 <expire> defines the maximum duration of an entry in the table since it
5700 was last created, refreshed or matched. The expiration delay is
5701 defined using the standard time format, similarly as the various
5702 timeouts. The maximum duration is slightly above 24 days. See
5703 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02005704 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005705 be removed once full. Be sure not to use the "nopurge" parameter
5706 if not expiration delay is specified.
5707
Willy Tarreau08d5f982010-06-06 13:34:54 +02005708 <data_type> is used to store additional information in the stick-table. This
5709 may be used by ACLs in order to control various criteria related
5710 to the activity of the client matching the stick-table. For each
5711 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02005712 that the additional data can fit. Several data types may be
5713 stored with an entry. Multiple data types may be specified after
5714 the "store" keyword, as a comma-separated list. Alternatively,
5715 it is possible to repeat the "store" keyword followed by one or
5716 several data types. Except for the "server_id" type which is
5717 automatically detected and enabled, all data types must be
5718 explicitly declared to be stored. If an ACL references a data
5719 type which is not stored, the ACL will simply not match. Some
5720 data types require an argument which must be passed just after
5721 the type between parenthesis. See below for the supported data
5722 types and their arguments.
5723
5724 The data types that can be stored with an entry are the following :
5725 - server_id : this is an integer which holds the numeric ID of the server a
5726 request was assigned to. It is used by the "stick match", "stick store",
5727 and "stick on" rules. It is automatically enabled when referenced.
5728
5729 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
5730 integer which may be used for anything. Most of the time it will be used
5731 to put a special tag on some entries, for instance to note that a
5732 specific behaviour was detected and must be known for future matches.
5733
5734 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
5735 the absolute number of connections received from clients which matched
5736 this entry. It does not mean the connections were accepted, just that
5737 they were received.
5738
5739 - conn_cur : Current Connections. It is a positive 32-bit integer which
5740 stores the concurrent connection counts for the entry. It is incremented
5741 once an incoming connection matches the entry, and decremented once the
5742 connection leaves. That way it is possible to know at any time the exact
5743 number of concurrent connections for an entry.
5744
5745 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5746 integer parameter <period> which indicates in milliseconds the length
5747 of the period over which the average is measured. It reports the average
5748 incoming connection rate over that period, in connections per period. The
5749 result is an integer which can be matched using ACLs.
5750
5751 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
5752 the absolute number of sessions received from clients which matched this
5753 entry. A session is a connection that was accepted by the layer 4 rules.
5754
5755 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5756 integer parameter <period> which indicates in milliseconds the length
5757 of the period over which the average is measured. It reports the average
5758 incoming session rate over that period, in sessions per period. The
5759 result is an integer which can be matched using ACLs.
5760
5761 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
5762 counts the absolute number of HTTP requests received from clients which
5763 matched this entry. It does not matter whether they are valid requests or
5764 not. Note that this is different from sessions when keep-alive is used on
5765 the client side.
5766
5767 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5768 integer parameter <period> which indicates in milliseconds the length
5769 of the period over which the average is measured. It reports the average
5770 HTTP request rate over that period, in requests per period. The result is
5771 an integer which can be matched using ACLs. It does not matter whether
5772 they are valid requests or not. Note that this is different from sessions
5773 when keep-alive is used on the client side.
5774
5775 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
5776 counts the absolute number of HTTP requests errors induced by clients
5777 which matched this entry. Errors are counted on invalid and truncated
5778 requests, as well as on denied or tarpitted requests, and on failed
5779 authentications. If the server responds with 4xx, then the request is
5780 also counted as an error since it's an error triggered by the client
5781 (eg: vulnerability scan).
5782
5783 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5784 integer parameter <period> which indicates in milliseconds the length
5785 of the period over which the average is measured. It reports the average
5786 HTTP request error rate over that period, in requests per period (see
5787 http_err_cnt above for what is accounted as an error). The result is an
5788 integer which can be matched using ACLs.
5789
5790 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
5791 integer which counts the cumulated amount of bytes received from clients
5792 which matched this entry. Headers are included in the count. This may be
5793 used to limit abuse of upload features on photo or video servers.
5794
5795 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5796 integer parameter <period> which indicates in milliseconds the length
5797 of the period over which the average is measured. It reports the average
5798 incoming bytes rate over that period, in bytes per period. It may be used
5799 to detect users which upload too much and too fast. Warning: with large
5800 uploads, it is possible that the amount of uploaded data will be counted
5801 once upon termination, thus causing spikes in the average transfer speed
5802 instead of having a smooth one. This may partially be smoothed with
5803 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
5804 recommended for better fairness.
5805
5806 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
5807 integer which counts the cumulated amount of bytes sent to clients which
5808 matched this entry. Headers are included in the count. This may be used
5809 to limit abuse of bots sucking the whole site.
5810
5811 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
5812 an integer parameter <period> which indicates in milliseconds the length
5813 of the period over which the average is measured. It reports the average
5814 outgoing bytes rate over that period, in bytes per period. It may be used
5815 to detect users which download too much and too fast. Warning: with large
5816 transfers, it is possible that the amount of transferred data will be
5817 counted once upon termination, thus causing spikes in the average
5818 transfer speed instead of having a smooth one. This may partially be
5819 smoothed with "option contstats" though this is not perfect yet. Use of
5820 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005821
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005822 There is only one stick-table per proxy. At the moment of writing this doc,
5823 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005824 to be required, simply create a dummy backend with a stick-table in it and
5825 reference it.
5826
5827 It is important to understand that stickiness based on learning information
5828 has some limitations, including the fact that all learned associations are
5829 lost upon restart. In general it can be good as a complement but not always
5830 as an exclusive stickiness.
5831
Willy Tarreauc9705a12010-07-27 20:05:50 +02005832 Last, memory requirements may be important when storing many data types.
5833 Indeed, storing all indicators above at once in each entry requires 116 bytes
5834 per entry, or 116 MB for a 1-million entries table. This is definitely not
5835 something that can be ignored.
5836
5837 Example:
5838 # Keep track of counters of up to 1 million IP addresses over 5 minutes
5839 # and store a general purpose counter and the average connection rate
5840 # computed over a sliding window of 30 seconds.
5841 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
5842
5843 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01005844 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005845
5846
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005847stick store-response <pattern> [table <table>] [{if | unless} <condition>]
5848 Define a request pattern used to create an entry in a stickiness table
5849 May be used in sections : defaults | frontend | listen | backend
5850 no | no | yes | yes
5851
5852 Arguments :
5853 <pattern> is a pattern extraction rule as described in section 7.8. It
5854 describes what elements of the response or connection will
5855 be analysed, extracted and stored in the table once a
5856 server is selected.
5857
5858 <table> is an optional stickiness table name. If unspecified, the same
5859 backend's table is used. A stickiness table is declared using
5860 the "stick-table" statement.
5861
5862 <cond> is an optional storage condition. It makes it possible to store
5863 certain criteria only when some conditions are met (or not met).
5864 For instance, it could be used to store the SSL session ID only
5865 when the response is a SSL server hello.
5866
5867 Some protocols or applications require complex stickiness rules and cannot
5868 always simply rely on cookies nor hashing. The "stick store-response"
5869 statement describes a rule to decide what to extract from the response and
5870 when to do it, in order to store it into a stickiness table for further
5871 requests to match it using the "stick match" statement. Obviously the
5872 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005873 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005874 See section 7 for a complete list of possible patterns and transformation
5875 rules.
5876
5877 The table has to be declared using the "stick-table" statement. It must be of
5878 a type compatible with the pattern. By default it is the one which is present
5879 in the same backend. It is possible to share a table with other backends by
5880 referencing it using the "table" keyword. If another table is referenced,
5881 the server's ID inside the backends are used. By default, all server IDs
5882 start at 1 in each backend, so the server ordering is enough. But in case of
5883 doubt, it is highly recommended to force server IDs using their "id" setting.
5884
5885 It is possible to restrict the conditions where a "stick store-response"
5886 statement will apply, using "if" or "unless" followed by a condition. This
5887 condition will be evaluated while parsing the response, so any criteria can
5888 be used. See section 7 for ACL based conditions.
5889
5890 There is no limit on the number of "stick store-response" statements, but
5891 there is a limit of 8 simultaneous stores per request or response. This
5892 makes it possible to store up to 8 criteria, all extracted from either the
5893 request or the response, regardless of the number of rules. Only the 8 first
5894 ones which match will be kept. Using this, it is possible to feed multiple
5895 tables at once in the hope to increase the chance to recognize a user on
5896 another protocol or access method.
5897
5898 The table will contain the real server that processed the request.
5899
5900 Example :
5901 # Learn SSL session ID from both request and response and create affinity.
5902 backend https
5903 mode tcp
5904 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02005905 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005906 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005907
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005908 acl clienthello req_ssl_hello_type 1
5909 acl serverhello rep_ssl_hello_type 2
5910
5911 # use tcp content accepts to detects ssl client and server hello.
5912 tcp-request inspect-delay 5s
5913 tcp-request content accept if clienthello
5914
5915 # no timeout on response inspect delay by default.
5916 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02005917
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005918 # SSL session ID (SSLID) may be present on a client or server hello.
5919 # Its length is coded on 1 byte at offset 43 and its value starts
5920 # at offset 44.
5921
5922 # Match and learn on request if client hello.
5923 stick on payload_lv(43,1) if clienthello
5924
5925 # Learn on response if server hello.
5926 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02005927
Emeric Brun6a1cefa2010-09-24 18:15:17 +02005928 server s1 192.168.1.1:443
5929 server s2 192.168.1.1:443
5930
5931 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5932 extraction.
5933
5934
Willy Tarreaue9656522010-08-17 15:40:09 +02005935tcp-request connection <action> [{if | unless} <condition>]
5936 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02005937 May be used in sections : defaults | frontend | listen | backend
5938 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02005939 Arguments :
5940 <action> defines the action to perform if the condition applies. Valid
5941 actions include : "accept", "reject", "track-sc1", "track-sc2".
5942 See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02005943
Willy Tarreaue9656522010-08-17 15:40:09 +02005944 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005945
5946 Immediately after acceptance of a new incoming connection, it is possible to
5947 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02005948 or dropped or have its counters tracked. Those conditions cannot make use of
5949 any data contents because the connection has not been read from yet, and the
5950 buffers are not yet allocated. This is used to selectively and very quickly
5951 accept or drop connections from various sources with a very low overhead. If
5952 some contents need to be inspected in order to take the decision, the
5953 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005954
Willy Tarreaue9656522010-08-17 15:40:09 +02005955 The "tcp-request connection" rules are evaluated in their exact declaration
5956 order. If no rule matches or if there is no rule, the default action is to
5957 accept the incoming connection. There is no specific limit to the number of
5958 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005959
Willy Tarreaue9656522010-08-17 15:40:09 +02005960 Three types of actions are supported :
5961 - accept :
5962 accepts the connection if the condition is true (when used with "if")
5963 or false (when used with "unless"). The first such rule executed ends
5964 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005965
Willy Tarreaue9656522010-08-17 15:40:09 +02005966 - reject :
5967 rejects the connection if the condition is true (when used with "if")
5968 or false (when used with "unless"). The first such rule executed ends
5969 the rules evaluation. Rejected connections do not even become a
5970 session, which is why they are accounted separately for in the stats,
5971 as "denied connections". They are not considered for the session
5972 rate-limit and are not logged either. The reason is that these rules
5973 should only be used to filter extremely high connection rates such as
5974 the ones encountered during a massive DDoS attack. Under these extreme
5975 conditions, the simple action of logging each event would make the
5976 system collapse and would considerably lower the filtering capacity. If
5977 logging is absolutely desired, then "tcp-request content" rules should
5978 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005979
Willy Tarreaue9656522010-08-17 15:40:09 +02005980 - { track-sc1 | track-sc2 } <key> [table <table>] :
5981 enables tracking of sticky counters from current connection. These
5982 rules do not stop evaluation and do not change default action. Two sets
5983 of counters may be simultaneously tracked by the same connection. The
5984 first "track-sc1" rule executed enables tracking of the counters of the
5985 specified table as the first set. The first "track-sc2" rule executed
5986 enables tracking of the counters of the specified table as the second
5987 set. It is a recommended practice to use the first set of counters for
5988 the per-frontend counters and the second set for the per-backend ones.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005989
Willy Tarreaue9656522010-08-17 15:40:09 +02005990 These actions take one or two arguments :
5991 <key> is mandatory, and defines the criterion the tracking key will
5992 be derived from. At the moment, only "src" is supported. With
5993 it, the key will be the connection's source IPv4 address.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005994
Willy Tarreaue9656522010-08-17 15:40:09 +02005995 <table> is an optional table to be used instead of the default one,
5996 which is the stick-table declared in the current proxy. All
5997 the counters for the matches and updates for the key will
5998 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005999
Willy Tarreaue9656522010-08-17 15:40:09 +02006000 Once a "track-sc*" rule is executed, the key is looked up in the table
6001 and if it is not found, an entry is allocated for it. Then a pointer to
6002 that entry is kept during all the session's life, and this entry's
6003 counters are updated as often as possible, every time the session's
6004 counters are updated, and also systematically when the session ends.
6005 If the entry tracks concurrent connection counters, one connection is
6006 counted for as long as the entry is tracked, and the entry will not
6007 expire during that time. Tracking counters also provides a performance
6008 advantage over just checking the keys, because only one table lookup is
6009 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006010
Willy Tarreaue9656522010-08-17 15:40:09 +02006011 Note that the "if/unless" condition is optional. If no condition is set on
6012 the action, it is simply performed unconditionally. That can be useful for
6013 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006014
Willy Tarreaue9656522010-08-17 15:40:09 +02006015 Example: accept all connections from white-listed hosts, reject too fast
6016 connection without counting them, and track accepted connections.
6017 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006018
Willy Tarreaue9656522010-08-17 15:40:09 +02006019 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006020 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaue9656522010-08-17 15:40:09 +02006021 tcp-request connection track-sc1 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006022
Willy Tarreaue9656522010-08-17 15:40:09 +02006023 Example: accept all connections from white-listed hosts, count all other
6024 connections and reject too fast ones. This results in abusive ones
6025 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006026
Willy Tarreaue9656522010-08-17 15:40:09 +02006027 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
6028 tcp-request connection track-sc1 src
6029 tcp-request connection reject if { sc1_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006030
6031 See section 7 about ACL usage.
6032
Willy Tarreaue9656522010-08-17 15:40:09 +02006033 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006034
6035
Willy Tarreaue9656522010-08-17 15:40:09 +02006036tcp-request content <action> [{if | unless} <condition>]
6037 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02006038 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006039 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02006040 Arguments :
6041 <action> defines the action to perform if the condition applies. Valid
6042 actions include : "accept", "reject", "track-sc1", "track-sc2".
6043 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02006044
Willy Tarreaue9656522010-08-17 15:40:09 +02006045 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02006046
Willy Tarreaue9656522010-08-17 15:40:09 +02006047 A request's contents can be analysed at an early stage of request processing
6048 called "TCP content inspection". During this stage, ACL-based rules are
6049 evaluated every time the request contents are updated, until either an
6050 "accept" or a "reject" rule matches, or the TCP request inspection delay
6051 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02006052
Willy Tarreaue9656522010-08-17 15:40:09 +02006053 The first difference between these rules and "tcp-request connection" rules
6054 is that "tcp-request content" rules can make use of contents to take a
6055 decision. Most often, these decisions will consider a protocol recognition or
6056 validity. The second difference is that content-based rules can be used in
6057 both frontends and backends. In frontends, they will be evaluated upon new
6058 connections. In backends, they will be evaluated once a session is assigned
6059 a backend. This means that a single frontend connection may be evaluated
6060 several times by one or multiple backends when a session gets reassigned
6061 (for instance after a client-side HTTP keep-alive request).
Willy Tarreau62644772008-07-16 18:36:06 +02006062
Willy Tarreaue9656522010-08-17 15:40:09 +02006063 Content-based rules are evaluated in their exact declaration order. If no
6064 rule matches or if there is no rule, the default action is to accept the
6065 contents. There is no specific limit to the number of rules which may be
6066 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02006067
Willy Tarreaue9656522010-08-17 15:40:09 +02006068 Three types of actions are supported :
6069 - accept :
6070 - reject :
6071 - { track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02006072
Willy Tarreaue9656522010-08-17 15:40:09 +02006073 They have the same meaning as their counter-parts in "tcp-request connection"
6074 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02006075
Willy Tarreaue9656522010-08-17 15:40:09 +02006076 Also, it is worth noting that if sticky counters are tracked from a rule
6077 defined in a backend, this tracking will automatically end when the session
6078 releases the backend. That allows per-backend counter tracking even in case
6079 of HTTP keep-alive requests when the backend changes. While there is nothing
6080 mandatory about it, it is recommended to use the track-sc1 pointer to track
6081 per-frontend counters and track-sc2 to track per-backend counters.
Willy Tarreau62644772008-07-16 18:36:06 +02006082
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006083 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02006084 the action, it is simply performed unconditionally. That can be useful for
6085 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02006086
Willy Tarreaue9656522010-08-17 15:40:09 +02006087 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02006088 rules, since HTTP-specific ACL matches are able to preliminarily parse the
6089 contents of a buffer before extracting the required data. If the buffered
6090 contents do not parse as a valid HTTP message, then the ACL does not match.
6091 The parser which is involved there is exactly the same as for all other HTTP
6092 processing, so there is no risk of parsing something differently.
Willy Tarreau62644772008-07-16 18:36:06 +02006093
6094 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02006095 # Accept HTTP requests containing a Host header saying "example.com"
6096 # and reject everything else.
6097 acl is_host_com hdr(Host) -i example.com
6098 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02006099 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02006100 tcp-request content reject
6101
6102 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02006103 # reject SMTP connection if client speaks first
6104 tcp-request inspect-delay 30s
6105 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006106 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02006107
6108 # Forward HTTPS connection only if client speaks
6109 tcp-request inspect-delay 30s
6110 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02006111 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02006112 tcp-request content reject
6113
6114 Example: track per-frontend and per-backend counters, block abusers at the
6115 frontend when the backend detects abuse.
6116
6117 frontend http
6118 # Use General Purpose Couter 0 in SC1 as a global abuse counter
6119 # protecting all our sites
6120 stick-table type ip size 1m expire 5m store gpc0
6121 tcp-request connection track-sc1 src
6122 tcp-request connection reject if { sc1_get_gpc0 gt 0 }
6123 ...
6124 use_backend http_dynamic if { path_end .php }
6125
6126 backend http_dynamic
6127 # if a source makes too fast requests to this dynamic site (tracked
6128 # by SC2), block it globally in the frontend.
6129 stick-table type ip size 1m expire 5m store http_req_rate(10s)
6130 acl click_too_fast sc2_http_req_rate gt 10
6131 acl mark_as_abuser sc1_inc_gpc0
6132 tcp-request content track-sc2 src
6133 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02006134
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006135 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02006136
Willy Tarreaue9656522010-08-17 15:40:09 +02006137 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02006138
6139
6140tcp-request inspect-delay <timeout>
6141 Set the maximum allowed time to wait for data during content inspection
6142 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02006143 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02006144 Arguments :
6145 <timeout> is the timeout value specified in milliseconds by default, but
6146 can be in any other unit if the number is suffixed by the unit,
6147 as explained at the top of this document.
6148
6149 People using haproxy primarily as a TCP relay are often worried about the
6150 risk of passing any type of protocol to a server without any analysis. In
6151 order to be able to analyze the request contents, we must first withhold
6152 the data then analyze them. This statement simply enables withholding of
6153 data for at most the specified amount of time.
6154
Willy Tarreaufb356202010-08-03 14:02:05 +02006155 TCP content inspection applies very early when a connection reaches a
6156 frontend, then very early when the connection is forwarded to a backend. This
6157 means that a connection may experience a first delay in the frontend and a
6158 second delay in the backend if both have tcp-request rules.
6159
Willy Tarreau62644772008-07-16 18:36:06 +02006160 Note that when performing content inspection, haproxy will evaluate the whole
6161 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006162 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02006163 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01006164 contents are definitive. If no delay is set, haproxy will not wait at all
6165 and will immediately apply a verdict based on the available information.
6166 Obviously this is unlikely to be very useful and might even be racy, so such
6167 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02006168
6169 As soon as a rule matches, the request is released and continues as usual. If
6170 the timeout is reached and no rule matches, the default policy will be to let
6171 it pass through unaffected.
6172
6173 For most protocols, it is enough to set it to a few seconds, as most clients
6174 send the full request immediately upon connection. Add 3 or more seconds to
6175 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01006176 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02006177 before the server (eg: SMTP), or to wait for a client to talk before passing
6178 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02006179 least the inspection delay, otherwise it will expire first. If the client
6180 closes the connection or if the buffer is full, the delay immediately expires
6181 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02006182
Willy Tarreau55165fe2009-05-10 12:02:55 +02006183 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02006184 "timeout client".
6185
6186
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006187tcp-response content <action> [{if | unless} <condition>]
6188 Perform an action on a session response depending on a layer 4-7 condition
6189 May be used in sections : defaults | frontend | listen | backend
6190 no | no | yes | yes
6191 Arguments :
6192 <action> defines the action to perform if the condition applies. Valid
6193 actions include : "accept", "reject".
6194 See "tcp-request connection" above for their signification.
6195
6196 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
6197
6198 Response contents can be analysed at an early stage of response processing
6199 called "TCP content inspection". During this stage, ACL-based rules are
6200 evaluated every time the response contents are updated, until either an
6201 "accept" or a "reject" rule matches, or a TCP response inspection delay is
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006202 set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006203
6204 Most often, these decisions will consider a protocol recognition or validity.
6205
6206 Content-based rules are evaluated in their exact declaration order. If no
6207 rule matches or if there is no rule, the default action is to accept the
6208 contents. There is no specific limit to the number of rules which may be
6209 inserted.
6210
6211 Two types of actions are supported :
6212 - accept :
6213 accepts the response if the condition is true (when used with "if")
6214 or false (when used with "unless"). The first such rule executed ends
6215 the rules evaluation.
6216
6217 - reject :
6218 rejects the response if the condition is true (when used with "if")
6219 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006220 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006221
6222 Note that the "if/unless" condition is optional. If no condition is set on
6223 the action, it is simply performed unconditionally. That can be useful for
6224 for changing the default action to a reject.
6225
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006226 It is perfectly possible to match layer 7 contents with "tcp-response
6227 content" rules, but then it is important to ensure that a full response has
6228 been buffered, otherwise no contents will match. In order to achieve this,
6229 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02006230 period.
6231
6232 See section 7 about ACL usage.
6233
6234 See also : "tcp-request content", "tcp-response inspect-delay"
6235
6236
6237tcp-response inspect-delay <timeout>
6238 Set the maximum allowed time to wait for a response during content inspection
6239 May be used in sections : defaults | frontend | listen | backend
6240 no | no | yes | yes
6241 Arguments :
6242 <timeout> is the timeout value specified in milliseconds by default, but
6243 can be in any other unit if the number is suffixed by the unit,
6244 as explained at the top of this document.
6245
6246 See also : "tcp-response content", "tcp-request inspect-delay".
6247
6248
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006249timeout check <timeout>
6250 Set additional check timeout, but only after a connection has been already
6251 established.
6252
6253 May be used in sections: defaults | frontend | listen | backend
6254 yes | no | yes | yes
6255 Arguments:
6256 <timeout> is the timeout value specified in milliseconds by default, but
6257 can be in any other unit if the number is suffixed by the unit,
6258 as explained at the top of this document.
6259
6260 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
6261 for check and "timeout check" as an additional read timeout. The "min" is
6262 used so that people running with *very* long "timeout connect" (eg. those
6263 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01006264 (Please also note that there is no valid reason to have such long connect
6265 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
6266 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006267
6268 If "timeout check" is not set haproxy uses "inter" for complete check
6269 timeout (connect + read) exactly like all <1.3.15 version.
6270
6271 In most cases check request is much simpler and faster to handle than normal
6272 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01006273 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006274
6275 This parameter is specific to backends, but can be specified once for all in
6276 "defaults" sections. This is in fact one of the easiest solutions not to
6277 forget about it.
6278
Willy Tarreau41a340d2008-01-22 12:25:31 +01006279 See also: "timeout connect", "timeout queue", "timeout server",
6280 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006281
6282
Willy Tarreau0ba27502007-12-24 16:55:16 +01006283timeout client <timeout>
6284timeout clitimeout <timeout> (deprecated)
6285 Set the maximum inactivity time on the client side.
6286 May be used in sections : defaults | frontend | listen | backend
6287 yes | yes | yes | no
6288 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006289 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006290 can be in any other unit if the number is suffixed by the unit,
6291 as explained at the top of this document.
6292
6293 The inactivity timeout applies when the client is expected to acknowledge or
6294 send data. In HTTP mode, this timeout is particularly important to consider
6295 during the first phase, when the client sends the request, and during the
6296 response while it is reading data sent by the server. The value is specified
6297 in milliseconds by default, but can be in any other unit if the number is
6298 suffixed by the unit, as specified at the top of this document. In TCP mode
6299 (and to a lesser extent, in HTTP mode), it is highly recommended that the
6300 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006301 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01006302 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02006303 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
6304 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
6305 which overrides "timeout client" and "timeout server" for tunnels.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006306
6307 This parameter is specific to frontends, but can be specified once for all in
6308 "defaults" sections. This is in fact one of the easiest solutions not to
6309 forget about it. An unspecified timeout results in an infinite timeout, which
6310 is not recommended. Such a usage is accepted and works but reports a warning
6311 during startup because it may results in accumulation of expired sessions in
6312 the system if the system's timeouts are not configured either.
6313
6314 This parameter replaces the old, deprecated "clitimeout". It is recommended
6315 to use it to write new configurations. The form "timeout clitimeout" is
6316 provided only by backwards compatibility but its use is strongly discouraged.
6317
Willy Tarreauce887fd2012-05-12 12:50:00 +02006318 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01006319
6320
6321timeout connect <timeout>
6322timeout contimeout <timeout> (deprecated)
6323 Set the maximum time to wait for a connection attempt to a server to succeed.
6324 May be used in sections : defaults | frontend | listen | backend
6325 yes | no | yes | yes
6326 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006327 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01006328 can be in any other unit if the number is suffixed by the unit,
6329 as explained at the top of this document.
6330
6331 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006332 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01006333 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01006334 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01006335 connect timeout also presets both queue and tarpit timeouts to the same value
6336 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01006337
6338 This parameter is specific to backends, but can be specified once for all in
6339 "defaults" sections. This is in fact one of the easiest solutions not to
6340 forget about it. An unspecified timeout results in an infinite timeout, which
6341 is not recommended. Such a usage is accepted and works but reports a warning
6342 during startup because it may results in accumulation of failed sessions in
6343 the system if the system's timeouts are not configured either.
6344
6345 This parameter replaces the old, deprecated "contimeout". It is recommended
6346 to use it to write new configurations. The form "timeout contimeout" is
6347 provided only by backwards compatibility but its use is strongly discouraged.
6348
Willy Tarreau41a340d2008-01-22 12:25:31 +01006349 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
6350 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01006351
6352
Willy Tarreaub16a5742010-01-10 14:46:16 +01006353timeout http-keep-alive <timeout>
6354 Set the maximum allowed time to wait for a new HTTP request to appear
6355 May be used in sections : defaults | frontend | listen | backend
6356 yes | yes | yes | yes
6357 Arguments :
6358 <timeout> is the timeout value specified in milliseconds by default, but
6359 can be in any other unit if the number is suffixed by the unit,
6360 as explained at the top of this document.
6361
6362 By default, the time to wait for a new request in case of keep-alive is set
6363 by "timeout http-request". However this is not always convenient because some
6364 people want very short keep-alive timeouts in order to release connections
6365 faster, and others prefer to have larger ones but still have short timeouts
6366 once the request has started to present itself.
6367
6368 The "http-keep-alive" timeout covers these needs. It will define how long to
6369 wait for a new HTTP request to start coming after a response was sent. Once
6370 the first byte of request has been seen, the "http-request" timeout is used
6371 to wait for the complete request to come. Note that empty lines prior to a
6372 new request do not refresh the timeout and are not counted as a new request.
6373
6374 There is also another difference between the two timeouts : when a connection
6375 expires during timeout http-keep-alive, no error is returned, the connection
6376 just closes. If the connection expires in "http-request" while waiting for a
6377 connection to complete, a HTTP 408 error is returned.
6378
6379 In general it is optimal to set this value to a few tens to hundreds of
6380 milliseconds, to allow users to fetch all objects of a page at once but
6381 without waiting for further clicks. Also, if set to a very small value (eg:
6382 1 millisecond) it will probably only accept pipelined requests but not the
6383 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02006384 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01006385
6386 If this parameter is not set, the "http-request" timeout applies, and if both
6387 are not set, "timeout client" still applies at the lower level. It should be
6388 set in the frontend to take effect, unless the frontend is in TCP mode, in
6389 which case the HTTP backend's timeout will be used.
6390
6391 See also : "timeout http-request", "timeout client".
6392
6393
Willy Tarreau036fae02008-01-06 13:24:40 +01006394timeout http-request <timeout>
6395 Set the maximum allowed time to wait for a complete HTTP request
6396 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006397 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01006398 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01006399 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01006400 can be in any other unit if the number is suffixed by the unit,
6401 as explained at the top of this document.
6402
6403 In order to offer DoS protection, it may be required to lower the maximum
6404 accepted time to receive a complete HTTP request without affecting the client
6405 timeout. This helps protecting against established connections on which
6406 nothing is sent. The client timeout cannot offer a good protection against
6407 this abuse because it is an inactivity timeout, which means that if the
6408 attacker sends one character every now and then, the timeout will not
6409 trigger. With the HTTP request timeout, no matter what speed the client
6410 types, the request will be aborted if it does not complete in time.
6411
6412 Note that this timeout only applies to the header part of the request, and
6413 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01006414 used anymore. It is used again on keep-alive connections to wait for a second
6415 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01006416
6417 Generally it is enough to set it to a few seconds, as most clients send the
6418 full request immediately upon connection. Add 3 or more seconds to cover TCP
6419 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
6420 generally work on local networks as long as there are no packet losses. This
6421 will prevent people from sending bare HTTP requests using telnet.
6422
6423 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02006424 chunk of the incoming request. It should be set in the frontend to take
6425 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
6426 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01006427
Willy Tarreaub16a5742010-01-10 14:46:16 +01006428 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01006429
Willy Tarreau844e3c52008-01-11 16:28:18 +01006430
6431timeout queue <timeout>
6432 Set the maximum time to wait in the queue for a connection slot to be free
6433 May be used in sections : defaults | frontend | listen | backend
6434 yes | no | yes | yes
6435 Arguments :
6436 <timeout> is the timeout value specified in milliseconds by default, but
6437 can be in any other unit if the number is suffixed by the unit,
6438 as explained at the top of this document.
6439
6440 When a server's maxconn is reached, connections are left pending in a queue
6441 which may be server-specific or global to the backend. In order not to wait
6442 indefinitely, a timeout is applied to requests pending in the queue. If the
6443 timeout is reached, it is considered that the request will almost never be
6444 served, so it is dropped and a 503 error is returned to the client.
6445
6446 The "timeout queue" statement allows to fix the maximum time for a request to
6447 be left pending in a queue. If unspecified, the same value as the backend's
6448 connection timeout ("timeout connect") is used, for backwards compatibility
6449 with older versions with no "timeout queue" parameter.
6450
6451 See also : "timeout connect", "contimeout".
6452
6453
6454timeout server <timeout>
6455timeout srvtimeout <timeout> (deprecated)
6456 Set the maximum inactivity time on the server side.
6457 May be used in sections : defaults | frontend | listen | backend
6458 yes | no | yes | yes
6459 Arguments :
6460 <timeout> is the timeout value specified in milliseconds by default, but
6461 can be in any other unit if the number is suffixed by the unit,
6462 as explained at the top of this document.
6463
6464 The inactivity timeout applies when the server is expected to acknowledge or
6465 send data. In HTTP mode, this timeout is particularly important to consider
6466 during the first phase of the server's response, when it has to send the
6467 headers, as it directly represents the server's processing time for the
6468 request. To find out what value to put there, it's often good to start with
6469 what would be considered as unacceptable response times, then check the logs
6470 to observe the response time distribution, and adjust the value accordingly.
6471
6472 The value is specified in milliseconds by default, but can be in any other
6473 unit if the number is suffixed by the unit, as specified at the top of this
6474 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6475 recommended that the client timeout remains equal to the server timeout in
6476 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006477 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006478 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02006479 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
6480 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
6481 "timeout tunnel", which overrides "timeout client" and "timeout server" for
6482 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006483
6484 This parameter is specific to backends, but can be specified once for all in
6485 "defaults" sections. This is in fact one of the easiest solutions not to
6486 forget about it. An unspecified timeout results in an infinite timeout, which
6487 is not recommended. Such a usage is accepted and works but reports a warning
6488 during startup because it may results in accumulation of expired sessions in
6489 the system if the system's timeouts are not configured either.
6490
6491 This parameter replaces the old, deprecated "srvtimeout". It is recommended
6492 to use it to write new configurations. The form "timeout srvtimeout" is
6493 provided only by backwards compatibility but its use is strongly discouraged.
6494
Willy Tarreauce887fd2012-05-12 12:50:00 +02006495 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01006496
6497
6498timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01006499 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01006500 May be used in sections : defaults | frontend | listen | backend
6501 yes | yes | yes | yes
6502 Arguments :
6503 <timeout> is the tarpit duration specified in milliseconds by default, but
6504 can be in any other unit if the number is suffixed by the unit,
6505 as explained at the top of this document.
6506
6507 When a connection is tarpitted using "reqtarpit", it is maintained open with
6508 no activity for a certain amount of time, then closed. "timeout tarpit"
6509 defines how long it will be maintained open.
6510
6511 The value is specified in milliseconds by default, but can be in any other
6512 unit if the number is suffixed by the unit, as specified at the top of this
6513 document. If unspecified, the same value as the backend's connection timeout
6514 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01006515 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006516
6517 See also : "timeout connect", "contimeout".
6518
6519
Willy Tarreauce887fd2012-05-12 12:50:00 +02006520timeout tunnel <timeout>
6521 Set the maximum inactivity time on the client and server side for tunnels.
6522 May be used in sections : defaults | frontend | listen | backend
6523 yes | no | yes | yes
6524 Arguments :
6525 <timeout> is the timeout value specified in milliseconds by default, but
6526 can be in any other unit if the number is suffixed by the unit,
6527 as explained at the top of this document.
6528
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006529 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02006530 between a client and a server, and the connection remains inactive in both
6531 directions. This timeout supersedes both the client and server timeouts once
6532 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
6533 analyser remains attached to either connection (eg: tcp content rules are
6534 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
6535 when switching to the WebSocket protocol, or forwarding a CONNECT request
6536 to a proxy), or after the first response when no keepalive/close option is
6537 specified.
6538
6539 The value is specified in milliseconds by default, but can be in any other
6540 unit if the number is suffixed by the unit, as specified at the top of this
6541 document. Whatever the expected normal idle time, it is a good practice to
6542 cover at least one or several TCP packet losses by specifying timeouts that
6543 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
6544
6545 This parameter is specific to backends, but can be specified once for all in
6546 "defaults" sections. This is in fact one of the easiest solutions not to
6547 forget about it.
6548
6549 Example :
6550 defaults http
6551 option http-server-close
6552 timeout connect 5s
6553 timeout client 30s
6554 timeout client 30s
6555 timeout server 30s
6556 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
6557
6558 See also : "timeout client", "timeout server".
6559
6560
Willy Tarreau844e3c52008-01-11 16:28:18 +01006561transparent (deprecated)
6562 Enable client-side transparent proxying
6563 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01006564 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01006565 Arguments : none
6566
6567 This keyword was introduced in order to provide layer 7 persistence to layer
6568 3 load balancers. The idea is to use the OS's ability to redirect an incoming
6569 connection for a remote address to a local process (here HAProxy), and let
6570 this process know what address was initially requested. When this option is
6571 used, sessions without cookies will be forwarded to the original destination
6572 IP address of the incoming request (which should match that of another
6573 equipment), while requests with cookies will still be forwarded to the
6574 appropriate server.
6575
6576 The "transparent" keyword is deprecated, use "option transparent" instead.
6577
6578 Note that contrary to a common belief, this option does NOT make HAProxy
6579 present the client's IP to the server when establishing the connection.
6580
Willy Tarreau844e3c52008-01-11 16:28:18 +01006581 See also: "option transparent"
6582
William Lallemanda73203e2012-03-12 12:48:57 +01006583unique-id-format <string>
6584 Generate a unique ID for each request.
6585 May be used in sections : defaults | frontend | listen | backend
6586 yes | yes | yes | no
6587 Arguments :
6588 <string> is a log-format string.
6589
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006590 This keyword creates a ID for each request using the custom log format. A
6591 unique ID is useful to trace a request passing through many components of
6592 a complex infrastructure. The newly created ID may also be logged using the
6593 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01006594
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006595 The format should be composed from elements that are guaranteed to be
6596 unique when combined together. For instance, if multiple haproxy instances
6597 are involved, it might be important to include the node name. It is often
6598 needed to log the incoming connection's source and destination addresses
6599 and ports. Note that since multiple requests may be performed over the same
6600 connection, including a request counter may help differentiate them.
6601 Similarly, a timestamp may protect against a rollover of the counter.
6602 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01006603
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006604 It is recommended to use hexadecimal notation for many fields since it
6605 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01006606
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006607 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006608
6609 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6610
6611 will generate:
6612
6613 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6614
6615 See also: "unique-id-header"
6616
6617unique-id-header <name>
6618 Add a unique ID header in the HTTP request.
6619 May be used in sections : defaults | frontend | listen | backend
6620 yes | yes | yes | no
6621 Arguments :
6622 <name> is the name of the header.
6623
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006624 Add a unique-id header in the HTTP request sent to the server, using the
6625 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01006626
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006627 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01006628
6629 unique-id-format %{+X}o\ %Ci:%Cp_%Fi:%Fp_%Ts_%rt:%pid
6630 unique-id-header X-Unique-ID
6631
6632 will generate:
6633
6634 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
6635
6636 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01006637
6638use_backend <backend> if <condition>
6639use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006640 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006641 May be used in sections : defaults | frontend | listen | backend
6642 no | yes | yes | no
6643 Arguments :
6644 <backend> is the name of a valid backend or "listen" section.
6645
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006646 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006647
6648 When doing content-switching, connections arrive on a frontend and are then
6649 dispatched to various backends depending on a number of conditions. The
6650 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006651 "use_backend" keyword. While it is normally used with HTTP processing, it can
6652 also be used in pure TCP, either without content using stateless ACLs (eg:
6653 source address validation) or combined with a "tcp-request" rule to wait for
6654 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01006655
6656 There may be as many "use_backend" rules as desired. All of these rules are
6657 evaluated in their declaration order, and the first one which matches will
6658 assign the backend.
6659
6660 In the first form, the backend will be used if the condition is met. In the
6661 second form, the backend will be used if the condition is not met. If no
6662 condition is valid, the backend defined with "default_backend" will be used.
6663 If no default backend is defined, either the servers in the same section are
6664 used (in case of a "listen" section) or, in case of a frontend, no server is
6665 used and a 503 service unavailable response is returned.
6666
Willy Tarreau51aecc72009-07-12 09:47:04 +02006667 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006668 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02006669 and backend processing will immediately follow, or the backend will wait for
6670 a complete HTTP request to get in. This feature is useful when a frontend
6671 must decode several protocols on a unique port, one of them being HTTP.
6672
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02006673 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01006674
Willy Tarreau036fae02008-01-06 13:24:40 +01006675
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006676use-server <server> if <condition>
6677use-server <server> unless <condition>
6678 Only use a specific server if/unless an ACL-based condition is matched.
6679 May be used in sections : defaults | frontend | listen | backend
6680 no | no | yes | yes
6681 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006682 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02006683
6684 <condition> is a condition composed of ACLs, as described in section 7.
6685
6686 By default, connections which arrive to a backend are load-balanced across
6687 the available servers according to the configured algorithm, unless a
6688 persistence mechanism such as a cookie is used and found in the request.
6689
6690 Sometimes it is desirable to forward a particular request to a specific
6691 server without having to declare a dedicated backend for this server. This
6692 can be achieved using the "use-server" rules. These rules are evaluated after
6693 the "redirect" rules and before evaluating cookies, and they have precedence
6694 on them. There may be as many "use-server" rules as desired. All of these
6695 rules are evaluated in their declaration order, and the first one which
6696 matches will assign the server.
6697
6698 If a rule designates a server which is down, and "option persist" is not used
6699 and no force-persist rule was validated, it is ignored and evaluation goes on
6700 with the next rules until one matches.
6701
6702 In the first form, the server will be used if the condition is met. In the
6703 second form, the server will be used if the condition is not met. If no
6704 condition is valid, the processing continues and the server will be assigned
6705 according to other persistence mechanisms.
6706
6707 Note that even if a rule is matched, cookie processing is still performed but
6708 does not assign the server. This allows prefixed cookies to have their prefix
6709 stripped.
6710
6711 The "use-server" statement works both in HTTP and TCP mode. This makes it
6712 suitable for use with content-based inspection. For instance, a server could
6713 be selected in a farm according to the TLS SNI field. And if these servers
6714 have their weight set to zero, they will not be used for other traffic.
6715
6716 Example :
6717 # intercept incoming TLS requests based on the SNI field
6718 use-server www if { req_ssl_sni -i www.example.com }
6719 server www 192.168.0.1:443 weight 0
6720 use-server mail if { req_ssl_sni -i mail.example.com }
6721 server mail 192.168.0.1:587 weight 0
6722 use-server imap if { req_ssl_sni -i imap.example.com }
6723 server mail 192.168.0.1:993 weight 0
6724 # all the rest is forwarded to this server
6725 server default 192.168.0.2:443 check
6726
6727 See also: "use_backend", serction 5 about server and section 7 about ACLs.
6728
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006729
67305. Bind and Server options
6731--------------------------
6732
6733The "bind", "server" and "default-server" keywords support a number of settings
6734depending on some build options and on the system HAProxy was built on. These
6735settings generally each consist in one word sometimes followed by a value,
6736written on the same line as the "bind" or "server" line. All these options are
6737described in this section.
6738
6739
67405.1. Bind options
6741-----------------
6742
6743The "bind" keyword supports a certain number of settings which are all passed
6744as arguments on the same line. The order in which those arguments appear makes
6745no importance, provided that they appear after the bind address. All of these
6746parameters are optional. Some of them consist in a single words (booleans),
6747while other ones expect a value after them. In this case, the value must be
6748provided immediately after the setting name.
6749
6750The currently supported settings are the following ones.
6751
6752accept-proxy
6753 Enforces the use of the PROXY protocol over any connection accepted by any of
6754 the sockets declared on the same line. The PROXY protocol dictates the layer
6755 3/4 addresses of the incoming connection to be used everywhere an address is
6756 used, with the only exception of "tcp-request connection" rules which will
6757 only see the real connection address. Logs will reflect the addresses
6758 indicated in the protocol, unless it is violated, in which case the real
6759 address will still be used. This keyword combined with support from external
6760 components can be used as an efficient and reliable alternative to the
6761 X-Forwarded-For mechanism which is not always reliable and not even always
6762 usable.
6763
6764backlog <backlog>
6765 Sets the socket's backlog to this value. If unspecified, the frontend's
6766 backlog is used instead, which generally defaults to the maxconn value.
6767
Emeric Brun7fb34422012-09-28 15:26:15 +02006768ecdhe <named curve>
6769 This setting is only available when support for OpenSSL was built in. It sets
6770 the named curve (RFC 4492) used to generate ECDH ephemeral keys and makes
6771 ECDHE cipher suites usable.
6772
Emeric Brunfd33a262012-10-11 16:28:27 +02006773ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +02006774 This setting is only available when support for OpenSSL was built in. It
6775 designates a PEM file from which to load CA certificates used to verify
6776 client's certificate.
6777
Emeric Brunb6dc9342012-09-28 17:55:37 +02006778ca-ignore-err [all|<errorID>,...]
6779 This setting is only available when support for OpenSSL was built in.
6780 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
6781 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
6782 error is ignored.
6783
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006784ciphers <ciphers>
6785 This setting is only available when support for OpenSSL was built in. It sets
6786 the string describing the list of cipher algorithms ("cipher suite") that are
6787 negociated during the SSL/TLS handshake. The format of the string is defined
6788 in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
6789 such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
6790
Emeric Brunfd33a262012-10-11 16:28:27 +02006791crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +02006792 This setting is only available when support for OpenSSL was built in. It
6793 designates a PEM file from which to load certificate revocation list used
6794 to verify client's certificate.
6795
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006796crt <cert>
6797 This setting is only available when support for OpenSSL was built in.
6798 It designates a PEM file from which to load both a certificate and the
6799 associated private key. This file can be built by concatenating both PEM
Emeric Brune032bfa2012-09-28 13:01:45 +02006800 files into one. If the OpenSSL used supports Diffie-Hellman, parameters
6801 present in this file are also loaded. If a directory name is used instead of a
6802 PEM file, then all files found in that directory will be loaded. This
6803 directive may be specified multiple times in order to load certificates from
6804 multiple files or directories. The certificates will be presented to clients
6805 who provide a valid TLS Server Name Indication field matching one of their CN
6806 or alt subjects. Wildcards are supported, where a wildcard character '*' is
6807 used instead of the first hostname component (eg: *.example.org matches
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006808 www.example.org but not www.sub.example.org). If no SNI is provided by the
Emeric Brune032bfa2012-09-28 13:01:45 +02006809 client or if the SSL library does not support TLS extensions, or if the client
6810 provides and SNI which does not match any certificate, then the first loaded
6811 certificate will be presented. This means that when loading certificates from
6812 a directory, it is highly recommended to load the default one first as a file.
6813 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006814
Emeric Brunb6dc9342012-09-28 17:55:37 +02006815crt-ignore-err <errors>
6816 This setting is only available when support for OpenSSL was built in.
6817 Sets a comma separated list of errorIDs to ignore during verify at depth == 0.
6818 If set to 'all', all errors are ignored. SSL handshake is not abored if an
6819 error is ignored.
6820
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006821defer-accept
6822 Is an optional keyword which is supported only on certain Linux kernels. It
6823 states that a connection will only be accepted once some data arrive on it,
6824 or at worst after the first retransmit. This should be used only on protocols
6825 for which the client talks first (eg: HTTP). It can slightly improve
6826 performance by ensuring that most of the request is already available when
6827 the connection is accepted. On the other hand, it will not be able to detect
6828 connections which don't talk. It is important to note that this option is
6829 broken in all kernels up to 2.6.31, as the connection is never accepted until
6830 the client talks. This can cause issues with front firewalls which would see
6831 an established connection while the proxy will only see it in SYN_RECV. This
6832 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
6833
Emeric Brun2cb7ae52012-10-05 14:14:21 +02006834force-sslv3
6835 This option enforces use of SSLv3 only on SSL connections instanciated from
6836 this listener. SSLv3 is generally less expensive than the TLS counterparts
6837 for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
6838
6839force-tlsv10
6840 This option enforces use of TLSv1.0 only on SSL connections instanciated from
6841 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
6842
6843force-tlsv11
6844 This option enforces use of TLSv1.1 only on SSL connections instanciated from
6845 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
6846
6847force-tlsv12
6848 This option enforces use of TLSv1.2 only on SSL connections instanciated from
6849 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
6850
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006851gid <gid>
6852 Sets the group of the UNIX sockets to the designated system gid. It can also
6853 be set by default in the global section's "unix-bind" statement. Note that
6854 some platforms simply ignore this. This setting is equivalent to the "group"
6855 setting except that the group ID is used instead of its name. This setting is
6856 ignored by non UNIX sockets.
6857
6858group <group>
6859 Sets the group of the UNIX sockets to the designated system group. It can
6860 also be set by default in the global section's "unix-bind" statement. Note
6861 that some platforms simply ignore this. This setting is equivalent to the
6862 "gid" setting except that the group name is used instead of its gid. This
6863 setting is ignored by non UNIX sockets.
6864
6865id <id>
6866 Fixes the socket ID. By default, socket IDs are automatically assigned, but
6867 sometimes it is more convenient to fix them to ease monitoring. This value
6868 must be strictly positive and unique within the listener/frontend. This
6869 option can only be used when defining only a single socket.
6870
6871interface <interface>
6872 Sets the name of the network interface to listen. This is currently only
6873 supported on Linux. The interface must be a primary system interface, not an
6874 aliased interface. When specified, all addresses on the same line will only
6875 be accepted if the incoming packets physically come through the designated
6876 interface. It is also possible to bind multiple frontends to the same address
6877 if they are bound to different interfaces. Note that binding to a network
6878 interface requires root privileges. This parameter is only compatible with
6879 TCPv4/TCPv6 sockets.
6880
Willy Tarreauabb175f2012-09-24 12:43:26 +02006881level <level>
6882 This setting is used with the stats sockets only to restrict the nature of
6883 the commands that can be issued on the socket. It is ignored by other
6884 sockets. <level> can be one of :
6885 - "user" is the least privileged level ; only non-sensitive stats can be
6886 read, and no change is allowed. It would make sense on systems where it
6887 is not easy to restrict access to the socket.
6888 - "operator" is the default level and fits most common uses. All data can
6889 be read, and only non-sensitive changes are permitted (eg: clear max
6890 counters).
6891 - "admin" should be used with care, as everything is permitted (eg: clear
6892 all counters).
6893
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006894maxconn <maxconn>
6895 Limits the sockets to this number of concurrent connections. Extraneous
6896 connections will remain in the system's backlog until a connection is
6897 released. If unspecified, the limit will be the same as the frontend's
6898 maxconn. Note that in case of port ranges or multiple addresses, the same
6899 value will be applied to each socket. This setting enables different
6900 limitations on expensive sockets, for instance SSL entries which may easily
6901 eat all memory.
6902
6903mode <mode>
6904 Sets the octal mode used to define access permissions on the UNIX socket. It
6905 can also be set by default in the global section's "unix-bind" statement.
6906 Note that some platforms simply ignore this. This setting is ignored by non
6907 UNIX sockets.
6908
6909mss <maxseg>
6910 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
6911 connections. This can be used to force a lower MSS for certain specific
6912 ports, for instance for connections passing through a VPN. Note that this
6913 relies on a kernel feature which is theoretically supported under Linux but
6914 was buggy in all versions prior to 2.6.28. It may or may not work on other
6915 operating systems. It may also not change the advertised value but change the
6916 effective size of outgoing segments. The commonly advertised value for TCPv4
6917 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
6918 positive, it will be used as the advertised MSS. If it is negative, it will
6919 indicate by how much to reduce the incoming connection's advertised MSS for
6920 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
6921
6922name <name>
6923 Sets an optional name for these sockets, which will be reported on the stats
6924 page.
6925
6926nice <nice>
6927 Sets the 'niceness' of connections initiated from the socket. Value must be
6928 in the range -1024..1024 inclusive, and defaults to zero. Positive values
6929 means that such connections are more friendly to others and easily offer
6930 their place in the scheduler. On the opposite, negative values mean that
6931 connections want to run with a higher priority than others. The difference
6932 only happens under high loads when the system is close to saturation.
6933 Negative values are appropriate for low-latency or administration services,
6934 and high values are generally recommended for CPU intensive tasks such as SSL
6935 processing or bulk transfers which are less sensible to latency. For example,
6936 it may make sense to use a positive value for an SMTP socket and a negative
6937 one for an RDP socket.
6938
Emeric Brun9b3009b2012-10-05 11:55:06 +02006939no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006940 This setting is only available when support for OpenSSL was built in. It
6941 disables support for SSLv3 on any sockets instanciated from the listener when
6942 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2cb7ae52012-10-05 14:14:21 +02006943 be enabled using any configuration option. See also "force-tls*",
6944 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006945
Emeric Brun90ad8722012-10-02 14:00:59 +02006946no-tls-tickets
6947 This setting is only available when support for OpenSSL was built in. It
6948 disables the stateless session resumption (RFC 5077 TLS Ticket
6949 extension) and force to use stateful session resumption. Stateless
6950 session resumption is more expensive in CPU usage.
6951
Emeric Brun9b3009b2012-10-05 11:55:06 +02006952no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006953 This setting is only available when support for OpenSSL was built in. It
Emeric Brun2cb7ae52012-10-05 14:14:21 +02006954 disables support for TLSv1.0 on any sockets instanciated from the listener
6955 when SSL is supported. Note that SSLv2 is forced disabled in the code and
6956 cannot be enabled using any configuration option. See also "force-tls*",
6957 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006958
Emeric Brun9b3009b2012-10-05 11:55:06 +02006959no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +02006960 This setting is only available when support for OpenSSL was built in. It
Emeric Brun2cb7ae52012-10-05 14:14:21 +02006961 disables support for TLSv1.1 on any sockets instanciated from the listener
6962 when SSL is supported. Note that SSLv2 is forced disabled in the code and
6963 cannot be enabled using any configuration option. See also "force-tls*",
6964 and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02006965
Emeric Brun9b3009b2012-10-05 11:55:06 +02006966no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +02006967 This setting is only available when support for OpenSSL was built in. It
Emeric Brun2cb7ae52012-10-05 14:14:21 +02006968 disables support for TLSv1.2 on any sockets instanciated from the listener
6969 when SSL is supported. Note that SSLv2 is forced disabled in the code and
6970 cannot be enabled using any configuration option. See also "force-tls*",
6971 and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02006972
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02006973npn <protocols>
6974 This enables the NPN TLS extension and advertises the specified protocol list
6975 as supported on top of NPN. The protocol list consists in a comma-delimited
6976 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
6977 This requires that the SSL library is build with support for TLS extensions
6978 enabled (check with haproxy -vv).
6979
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006980ssl
6981 This setting is only available when support for OpenSSL was built in. It
6982 enables SSL deciphering on connections instanciated from this listener. A
6983 certificate is necessary (see "crt" above). All contents in the buffers will
6984 appear in clear text, so that ACLs and HTTP processing will only have access
6985 to deciphered contents.
6986
Willy Tarreau1c862c52012-10-05 16:21:00 +02006987tfo
6988 Is an optional keyword which is supported only on Linux kernels >= 3.6. It
6989 enables TCP Fast Open on the listening socket, which means that clients which
6990 support this feature will be able to send a request and receive a response
6991 during the 3-way handshake starting from second connection, thus saving one
6992 round-trip after the first connection. This only makes sense with protocols
6993 that use high connection rates and where each round trip matters. This can
6994 possibly cause issues with many firewalls which do not accept data on SYN
6995 packets, so this option should only be enabled once well tested. This option
6996 is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
6997
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006998transparent
6999 Is an optional keyword which is supported only on certain Linux kernels. It
7000 indicates that the addresses will be bound even if they do not belong to the
7001 local machine, and that packets targeting any of these addresses will be
7002 intercepted just as if the addresses were locally configured. This normally
7003 requires that IP forwarding is enabled. Caution! do not use this with the
7004 default address '*', as it would redirect any traffic for the specified port.
7005 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
7006 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
7007 kernel version. Some distribution kernels include backports of the feature,
7008 so check for support with your vendor.
7009
7010uid <uid>
7011 Sets the owner of the UNIX sockets to the designated system uid. It can also
7012 be set by default in the global section's "unix-bind" statement. Note that
7013 some platforms simply ignore this. This setting is equivalent to the "user"
7014 setting except that the user numeric ID is used instead of its name. This
7015 setting is ignored by non UNIX sockets.
7016
7017user <user>
7018 Sets the owner of the UNIX sockets to the designated system user. It can also
7019 be set by default in the global section's "unix-bind" statement. Note that
7020 some platforms simply ignore this. This setting is equivalent to the "uid"
7021 setting except that the user name is used instead of its uid. This setting is
7022 ignored by non UNIX sockets.
7023
Emeric Brun1a073b42012-09-28 17:07:34 +02007024verify [none|optional|required]
7025 This setting is only available when support for OpenSSL was built in. If set
7026 to 'none', client certificate is not requested. This is the default. In other
7027 cases, a client certificate is requested. If the client does not provide a
7028 certificate after the request and if 'verify' is set to 'required', then the
7029 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +02007030 certificate provided by the client is always verified using CAs from
7031 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
7032 is aborted, regardless of the 'verify' option, unless the error code exactly
7033 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02007034
Willy Tarreaub6205fd2012-09-24 12:27:33 +020070355.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01007036------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007037
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01007038The "server" and "default-server" keywords support a certain number of settings
7039which are all passed as arguments on the server line. The order in which those
7040arguments appear does not count, and they are all optional. Some of those
7041settings are single words (booleans) while others expect one or several values
7042after them. In this case, the values must immediately follow the setting name.
7043Except default-server, all those settings must be specified after the server's
7044address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02007045
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007046 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01007047 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02007048
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007049The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007050
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007051addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007052 Using the "addr" parameter, it becomes possible to use a different IP address
7053 to send health-checks. On some servers, it may be desirable to dedicate an IP
7054 address to specific component able to perform complex tests which are more
7055 suitable to health-checks than the application. This parameter is ignored if
7056 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007057
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007058 Supported in default-server: No
7059
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007060backup
7061 When "backup" is present on a server line, the server is only used in load
7062 balancing when all other non-backup servers are unavailable. Requests coming
7063 with a persistence cookie referencing the server will always be served
7064 though. By default, only the first operational backup server is used, unless
7065 the "allbackups" option is set in the backend. See also the "allbackups"
7066 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007067
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007068 Supported in default-server: No
7069
Emeric Brunef42d922012-10-11 16:11:36 +02007070ca-file <cafile>
7071 This setting is only available when support for OpenSSL was built in. It
7072 designates a PEM file from which to load CA certificates used to verify
7073 server's certificate.
7074
7075 Supported in default-server: No
7076
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007077check
7078 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01007079 always considered available. If "check" is set, the server is available when
7080 accepting periodic TCP connections, to ensure that it is really able to serve
7081 requests. The default address and port to send the tests to are those of the
7082 server, and the default source is the same as the one defined in the
7083 backend. It is possible to change the address using the "addr" parameter, the
7084 port using the "port" parameter, the source address using the "source"
7085 address, and the interval and timers using the "inter", "rise" and "fall"
7086 parameters. The request method is define in the backend using the "httpchk",
7087 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
7088 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007089
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007090 Supported in default-server: No
7091
Willy Tarreau6c16adc2012-10-05 00:04:16 +02007092check-send-proxy
7093 This option forces emission of a PROXY protocol line with outgoing health
7094 checks, regardless of whether the server uses send-proxy or not for the
7095 normal traffic. By default, the PROXY protocol is enabled for health checks
7096 if it is already enabled for normal traffic and if no "port" nor "addr"
7097 directive is present. However, if such a directive is present, the
7098 "check-send-proxy" option needs to be used to force the use of the
7099 protocol. See also the "send-proxy" option for more information.
7100
7101 Supported in default-server: No
7102
Willy Tarreau763a95b2012-10-04 23:15:39 +02007103check-ssl
7104 This option forces encryption of all health checks over SSL, regardless of
7105 whether the server uses SSL or not for the normal traffic. This is generally
7106 used when an explicit "port" or "addr" directive is specified and SSL health
7107 checks are not inherited. It is important to understand that this option
7108 inserts an SSL transport layer below the ckecks, so that a simple TCP connect
7109 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
7110 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
7111 All SSL settings are common to health checks and traffic (eg: ciphers).
7112 See the "ssl" option for more information.
7113
7114 Supported in default-server: No
7115
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007116ciphers <ciphers>
7117 This option sets the string describing the list of cipher algorithms that is
7118 is negociated during the SSL/TLS handshake with the server. The format of the
7119 string is defined in "man 1 ciphers". When SSL is used to communicate with
7120 servers on the local network, it is common to see a weaker set of algorithms
7121 than what is used over the internet. Doing so reduces CPU usage on both the
7122 server and haproxy while still keeping it compatible with deployed software.
7123 Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
7124 is needed and just connectivity, using DES can be appropriate.
7125
Willy Tarreau763a95b2012-10-04 23:15:39 +02007126 Supported in default-server: No
7127
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007128cookie <value>
7129 The "cookie" parameter sets the cookie value assigned to the server to
7130 <value>. This value will be checked in incoming requests, and the first
7131 operational server possessing the same value will be selected. In return, in
7132 cookie insertion or rewrite modes, this value will be assigned to the cookie
7133 sent to the client. There is nothing wrong in having several servers sharing
7134 the same cookie value, and it is in fact somewhat common between normal and
7135 backup servers. See also the "cookie" keyword in backend section.
7136
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007137 Supported in default-server: No
7138
Emeric Brunef42d922012-10-11 16:11:36 +02007139crl-file <crlfile>
7140 This setting is only available when support for OpenSSL was built in. It
7141 designates a PEM file from which to load certificate revocation list used
7142 to verify server's certificate.
7143
7144 Supported in default-server: No
7145
Willy Tarreau96839092010-03-29 10:02:24 +02007146disabled
7147 The "disabled" keyword starts the server in the "disabled" state. That means
7148 that it is marked down in maintenance mode, and no connection other than the
7149 ones allowed by persist mode will reach it. It is very well suited to setup
7150 new servers, because normal traffic will never reach them, while it is still
7151 possible to test the service by making use of the force-persist mechanism.
7152
7153 Supported in default-server: No
7154
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007155error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01007156 If health observing is enabled, the "error-limit" parameter specifies the
7157 number of consecutive errors that triggers event selected by the "on-error"
7158 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007159
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007160 Supported in default-server: Yes
7161
7162 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007163
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007164fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007165 The "fall" parameter states that a server will be considered as dead after
7166 <count> consecutive unsuccessful health checks. This value defaults to 3 if
7167 unspecified. See also the "check", "inter" and "rise" parameters.
7168
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007169 Supported in default-server: Yes
7170
Emeric Brun8694b9a2012-10-05 14:39:07 +02007171force-sslv3
7172 This option enforces use of SSLv3 only when SSL is used to communicate with
7173 the server. SSLv3 is generally less expensive than the TLS counterparts for
7174 high connection rates. See also "no-tlsv*", "no-sslv3".
7175
7176 Supported in default-server: No
7177
7178force-tlsv10
7179 This option enforces use of TLSv1.0 only when SSL is used to communicate with
7180 the server. See also "no-tlsv*", "no-sslv3".
7181
7182 Supported in default-server: No
7183
7184force-tlsv11
7185 This option enforces use of TLSv1.1 only when SSL is used to communicate with
7186 the server. See also "no-tlsv*", "no-sslv3".
7187
7188 Supported in default-server: No
7189
7190force-tlsv12
7191 This option enforces use of TLSv1.2 only when SSL is used to communicate with
7192 the server. See also "no-tlsv*", "no-sslv3".
7193
7194 Supported in default-server: No
7195
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007196id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02007197 Set a persistent ID for the server. This ID must be positive and unique for
7198 the proxy. An unused ID will automatically be assigned if unset. The first
7199 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007200
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007201 Supported in default-server: No
7202
7203inter <delay>
7204fastinter <delay>
7205downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007206 The "inter" parameter sets the interval between two consecutive health checks
7207 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
7208 It is also possible to use "fastinter" and "downinter" to optimize delays
7209 between checks depending on the server state :
7210
7211 Server state | Interval used
7212 ---------------------------------+-----------------------------------------
7213 UP 100% (non-transitional) | "inter"
7214 ---------------------------------+-----------------------------------------
7215 Transitionally UP (going down), |
7216 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
7217 or yet unchecked. |
7218 ---------------------------------+-----------------------------------------
7219 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
7220 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01007221
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007222 Just as with every other time-based parameter, they can be entered in any
7223 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
7224 serves as a timeout for health checks sent to servers if "timeout check" is
7225 not set. In order to reduce "resonance" effects when multiple servers are
7226 hosted on the same hardware, the health-checks of all servers are started
7227 with a small time offset between them. It is also possible to add some random
7228 noise in the health checks interval using the global "spread-checks"
7229 keyword. This makes sense for instance when a lot of backends use the same
7230 servers.
7231
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007232 Supported in default-server: Yes
7233
7234maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007235 The "maxconn" parameter specifies the maximal number of concurrent
7236 connections that will be sent to this server. If the number of incoming
7237 concurrent requests goes higher than this value, they will be queued, waiting
7238 for a connection to be released. This parameter is very important as it can
7239 save fragile servers from going down under extreme loads. If a "minconn"
7240 parameter is specified, the limit becomes dynamic. The default value is "0"
7241 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
7242 the backend's "fullconn" keyword.
7243
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007244 Supported in default-server: Yes
7245
7246maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007247 The "maxqueue" parameter specifies the maximal number of connections which
7248 will wait in the queue for this server. If this limit is reached, next
7249 requests will be redispatched to other servers instead of indefinitely
7250 waiting to be served. This will break persistence but may allow people to
7251 quickly re-log in when the server they try to connect to is dying. The
7252 default value is "0" which means the queue is unlimited. See also the
7253 "maxconn" and "minconn" parameters.
7254
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007255 Supported in default-server: Yes
7256
7257minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007258 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
7259 limit following the backend's load. The server will always accept at least
7260 <minconn> connections, never more than <maxconn>, and the limit will be on
7261 the ramp between both values when the backend has less than <fullconn>
7262 concurrent connections. This makes it possible to limit the load on the
7263 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007264 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007265 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007266
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007267 Supported in default-server: Yes
7268
Emeric Brun9b3009b2012-10-05 11:55:06 +02007269no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007270 This option disables support for SSLv3 when SSL is used to communicate with
7271 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emeric Brun8694b9a2012-10-05 14:39:07 +02007272 using any configuration option. See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007273
Willy Tarreau763a95b2012-10-04 23:15:39 +02007274 Supported in default-server: No
7275
Emeric Brunf9c5c472012-10-11 15:28:34 +02007276no-tls-tickets
7277 This setting is only available when support for OpenSSL was built in. It
7278 disables the stateless session resumption (RFC 5077 TLS Ticket
7279 extension) and force to use stateful session resumption. Stateless
7280 session resumption is more expensive in CPU usage for servers.
7281
7282 Supported in default-server: No
7283
Emeric Brun9b3009b2012-10-05 11:55:06 +02007284no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +02007285 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02007286 the server. Note that SSLv2 is disabled in the code and cannot be enabled
7287 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02007288 often makes sense to disable it when communicating with local servers. See
7289 also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02007290
Willy Tarreau763a95b2012-10-04 23:15:39 +02007291 Supported in default-server: No
7292
Emeric Brun9b3009b2012-10-05 11:55:06 +02007293no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +02007294 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02007295 the server. Note that SSLv2 is disabled in the code and cannot be enabled
7296 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02007297 often makes sense to disable it when communicating with local servers. See
7298 also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02007299
Willy Tarreau763a95b2012-10-04 23:15:39 +02007300 Supported in default-server: No
7301
Emeric Brun9b3009b2012-10-05 11:55:06 +02007302no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +02007303 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007304 the server. Note that SSLv2 is disabled in the code and cannot be enabled
7305 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02007306 often makes sense to disable it when communicating with local servers. See
7307 also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007308
Willy Tarreau763a95b2012-10-04 23:15:39 +02007309 Supported in default-server: No
7310
Simon Hormanfa461682011-06-25 09:39:49 +09007311non-stick
7312 Never add connections allocated to this sever to a stick-table.
7313 This may be used in conjunction with backup to ensure that
7314 stick-table persistence is disabled for backup servers.
7315
Willy Tarreau763a95b2012-10-04 23:15:39 +02007316 Supported in default-server: No
7317
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007318observe <mode>
7319 This option enables health adjusting based on observing communication with
7320 the server. By default this functionality is disabled and enabling it also
7321 requires to enable health checks. There are two supported modes: "layer4" and
7322 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
7323 significant. In layer7, which is only allowed for http proxies, responses
7324 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01007325 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007326
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007327 Supported in default-server: No
7328
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007329 See also the "check", "on-error" and "error-limit".
7330
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007331on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007332 Select what should happen when enough consecutive errors are detected.
7333 Currently, four modes are available:
7334 - fastinter: force fastinter
7335 - fail-check: simulate a failed check, also forces fastinter (default)
7336 - sudden-death: simulate a pre-fatal failed health check, one more failed
7337 check will mark a server down, forces fastinter
7338 - mark-down: mark the server immediately down and force fastinter
7339
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007340 Supported in default-server: Yes
7341
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01007342 See also the "check", "observe" and "error-limit".
7343
Simon Hormane0d1bfb2011-06-21 14:34:58 +09007344on-marked-down <action>
7345 Modify what occurs when a server is marked down.
7346 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07007347 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
7348 all connections to the server are immediately terminated when the server
7349 goes down. It might be used if the health check detects more complex cases
7350 than a simple connection status, and long timeouts would cause the service
7351 to remain unresponsive for too long a time. For instance, a health check
7352 might detect that a database is stuck and that there's no chance to reuse
7353 existing connections anymore. Connections killed this way are logged with
7354 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +09007355
7356 Actions are disabled by default
7357
7358 Supported in default-server: Yes
7359
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07007360on-marked-up <action>
7361 Modify what occurs when a server is marked up.
7362 Currently one action is available:
7363 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
7364 done only if the server is not in backup state and if it is not disabled
7365 (it must have an effective weight > 0). This can be used sometimes to force
7366 an active server to take all the traffic back after recovery when dealing
7367 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
7368 than it tries to solve (eg: incomplete transactions), so use this feature
7369 with extreme care. Sessions killed because a server comes up are logged
7370 with an 'U' termination code (for "Up").
7371
7372 Actions are disabled by default
7373
7374 Supported in default-server: Yes
7375
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007376port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007377 Using the "port" parameter, it becomes possible to use a different port to
7378 send health-checks. On some servers, it may be desirable to dedicate a port
7379 to a specific component able to perform complex tests which are more suitable
7380 to health-checks than the application. It is common to run a simple script in
7381 inetd for instance. This parameter is ignored if the "check" parameter is not
7382 set. See also the "addr" parameter.
7383
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007384 Supported in default-server: Yes
7385
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007386redir <prefix>
7387 The "redir" parameter enables the redirection mode for all GET and HEAD
7388 requests addressing this server. This means that instead of having HAProxy
7389 forward the request to the server, it will send an "HTTP 302" response with
7390 the "Location" header composed of this prefix immediately followed by the
7391 requested URI beginning at the leading '/' of the path component. That means
7392 that no trailing slash should be used after <prefix>. All invalid requests
7393 will be rejected, and all non-GET or HEAD requests will be normally served by
7394 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007395 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007396 requests are still analysed, making this solution completely usable to direct
7397 users to a remote location in case of local disaster. Main use consists in
7398 increasing bandwidth for static servers by having the clients directly
7399 connect to them. Note: never use a relative location here, it would cause a
7400 loop between the client and HAProxy!
7401
7402 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
7403
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007404 Supported in default-server: No
7405
7406rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007407 The "rise" parameter states that a server will be considered as operational
7408 after <count> consecutive successful health checks. This value defaults to 2
7409 if unspecified. See also the "check", "inter" and "fall" parameters.
7410
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007411 Supported in default-server: Yes
7412
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01007413send-proxy
7414 The "send-proxy" parameter enforces use of the PROXY protocol over any
7415 connection established to this server. The PROXY protocol informs the other
7416 end about the layer 3/4 addresses of the incoming connection, so that it can
7417 know the client's address or the public address it accessed to, whatever the
7418 upper layer protocol. For connections accepted by an "accept-proxy" listener,
7419 the advertised address will be used. Only TCPv4 and TCPv6 address families
7420 are supported. Other families such as Unix sockets, will report an UNKNOWN
7421 family. Servers using this option can fully be chained to another instance of
7422 haproxy listening with an "accept-proxy" setting. This setting must not be
Willy Tarreau6c16adc2012-10-05 00:04:16 +02007423 used if the server isn't aware of the protocol. When health checks are sent
7424 to the server, the PROXY protocol is automatically used when this option is
7425 set, unless there is an explicit "port" or "addr" directive, in which case an
7426 explicit "check-send-proxy" directive would also be needed to use the PROXY
7427 protocol. See also the "accept-proxy" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01007428
7429 Supported in default-server: No
7430
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007431slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007432 The "slowstart" parameter for a server accepts a value in milliseconds which
7433 indicates after how long a server which has just come back up will run at
7434 full speed. Just as with every other time-based parameter, it can be entered
7435 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
7436 linearly from 0 to 100% during this time. The limitation applies to two
7437 parameters :
7438
7439 - maxconn: the number of connections accepted by the server will grow from 1
7440 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
7441
7442 - weight: when the backend uses a dynamic weighted algorithm, the weight
7443 grows linearly from 1 to 100%. In this case, the weight is updated at every
7444 health-check. For this reason, it is important that the "inter" parameter
7445 is smaller than the "slowstart", in order to maximize the number of steps.
7446
7447 The slowstart never applies when haproxy starts, otherwise it would cause
7448 trouble to running servers. It only applies when a server has been previously
7449 seen as failed.
7450
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007451 Supported in default-server: Yes
7452
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007453source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02007454source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007455source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007456 The "source" parameter sets the source address which will be used when
7457 connecting to the server. It follows the exact same parameters and principle
7458 as the backend "source" keyword, except that it only applies to the server
7459 referencing it. Please consult the "source" keyword for details.
7460
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02007461 Additionally, the "source" statement on a server line allows one to specify a
7462 source port range by indicating the lower and higher bounds delimited by a
7463 dash ('-'). Some operating systems might require a valid IP address when a
7464 source port range is specified. It is permitted to have the same IP/range for
7465 several servers. Doing so makes it possible to bypass the maximum of 64k
7466 total concurrent connections. The limit will then reach 64k connections per
7467 server.
7468
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007469 Supported in default-server: No
7470
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007471ssl
Willy Tarreau763a95b2012-10-04 23:15:39 +02007472 This option enables SSL ciphering on outgoing connections to the server. At
7473 the moment, server certificates are not checked, so this is prone to man in
7474 the middle attacks. The real intended use is to permit SSL communication
7475 with software which cannot work in other modes over networks that would
7476 otherwise be considered safe enough for clear text communications. When this
7477 option is used, health checks are automatically sent in SSL too unless there
7478 is a "port" or an "addr" directive indicating the check should be sent to a
7479 different location. See the "check-ssl" optino to force SSL health checks.
7480
7481 Supported in default-server: No
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02007482
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007483track [<proxy>/]<server>
7484 This option enables ability to set the current state of the server by
7485 tracking another one. Only a server with checks enabled can be tracked
7486 so it is not possible for example to track a server that tracks another
7487 one. If <proxy> is omitted the current one is used. If disable-on-404 is
7488 used, it has to be enabled on both proxies.
7489
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007490 Supported in default-server: No
7491
Emeric Brunef42d922012-10-11 16:11:36 +02007492verify [none|required]
7493 This setting is only available when support for OpenSSL was built in. If set
7494 to 'none', server certificate is not verified. This is the default. In the
7495 other case, The certificate provided by the server is verified using CAs from
7496 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
7497 is aborted.
7498
7499 Supported in default-server: No
7500
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007501weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007502 The "weight" parameter is used to adjust the server's weight relative to
7503 other servers. All servers will receive a load proportional to their weight
7504 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02007505 load. The default weight is 1, and the maximal value is 256. A value of 0
7506 means the server will not participate in load-balancing but will still accept
7507 persistent connections. If this parameter is used to distribute the load
7508 according to server's capacity, it is recommended to start with values which
7509 can both grow and shrink, for instance between 10 and 100 to leave enough
7510 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007511
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01007512 Supported in default-server: Yes
7513
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007514
75156. HTTP header manipulation
7516---------------------------
7517
7518In HTTP mode, it is possible to rewrite, add or delete some of the request and
7519response headers based on regular expressions. It is also possible to block a
7520request or a response if a particular header matches a regular expression,
7521which is enough to stop most elementary protocol attacks, and to protect
7522against information leak from the internal network. But there is a limitation
7523to this : since HAProxy's HTTP engine does not support keep-alive, only headers
7524passed during the first request of a TCP session will be seen. All subsequent
7525headers will be considered data only and not analyzed. Furthermore, HAProxy
7526never touches data contents, it stops analysis at the end of headers.
7527
Willy Tarreau816b9792009-09-15 21:25:21 +02007528There is an exception though. If HAProxy encounters an "Informational Response"
7529(status code 1xx), it is able to process all rsp* rules which can allow, deny,
7530rewrite or delete a header, but it will refuse to add a header to any such
7531messages as this is not HTTP-compliant. The reason for still processing headers
7532in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007533happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02007534add a header, or if a server name appears there. When such messages are seen,
7535normal processing still occurs on the next non-informational messages.
7536
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007537This section covers common usage of the following keywords, described in detail
7538in section 4.2 :
7539
7540 - reqadd <string>
7541 - reqallow <search>
7542 - reqiallow <search>
7543 - reqdel <search>
7544 - reqidel <search>
7545 - reqdeny <search>
7546 - reqideny <search>
7547 - reqpass <search>
7548 - reqipass <search>
7549 - reqrep <search> <replace>
7550 - reqirep <search> <replace>
7551 - reqtarpit <search>
7552 - reqitarpit <search>
7553 - rspadd <string>
7554 - rspdel <search>
7555 - rspidel <search>
7556 - rspdeny <search>
7557 - rspideny <search>
7558 - rsprep <search> <replace>
7559 - rspirep <search> <replace>
7560
7561With all these keywords, the same conventions are used. The <search> parameter
7562is a POSIX extended regular expression (regex) which supports grouping through
7563parenthesis (without the backslash). Spaces and other delimiters must be
7564prefixed with a backslash ('\') to avoid confusion with a field delimiter.
7565Other characters may be prefixed with a backslash to change their meaning :
7566
7567 \t for a tab
7568 \r for a carriage return (CR)
7569 \n for a new line (LF)
7570 \ to mark a space and differentiate it from a delimiter
7571 \# to mark a sharp and differentiate it from a comment
7572 \\ to use a backslash in a regex
7573 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
7574 \xXX to write the ASCII hex code XX as in the C language
7575
7576The <replace> parameter contains the string to be used to replace the largest
7577portion of text matching the regex. It can make use of the special characters
7578above, and can reference a substring which is delimited by parenthesis in the
7579regex, by writing a backslash ('\') immediately followed by one digit from 0 to
75809 indicating the group position (0 designating the entire line). This practice
7581is very common to users of the "sed" program.
7582
7583The <string> parameter represents the string which will systematically be added
7584after the last header line. It can also use special character sequences above.
7585
7586Notes related to these keywords :
7587---------------------------------
7588 - these keywords are not always convenient to allow/deny based on header
7589 contents. It is strongly recommended to use ACLs with the "block" keyword
7590 instead, resulting in far more flexible and manageable rules.
7591
7592 - lines are always considered as a whole. It is not possible to reference
7593 a header name only or a value only. This is important because of the way
7594 headers are written (notably the number of spaces after the colon).
7595
7596 - the first line is always considered as a header, which makes it possible to
7597 rewrite or filter HTTP requests URIs or response codes, but in turn makes
7598 it harder to distinguish between headers and request line. The regex prefix
7599 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
7600 ^[^ \t:]*: matches any header name followed by a colon.
7601
7602 - for performances reasons, the number of characters added to a request or to
7603 a response is limited at build time to values between 1 and 4 kB. This
7604 should normally be far more than enough for most usages. If it is too short
7605 on occasional usages, it is possible to gain some space by removing some
7606 useless headers before adding new ones.
7607
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007608 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007609 without the 'i' letter except that they ignore case when matching patterns.
7610
7611 - when a request passes through a frontend then a backend, all req* rules
7612 from the frontend will be evaluated, then all req* rules from the backend
7613 will be evaluated. The reverse path is applied to responses.
7614
7615 - req* statements are applied after "block" statements, so that "block" is
7616 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01007617 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007618
7619
Willy Tarreaub937b7e2010-01-12 15:27:54 +010076207. Using ACLs and pattern extraction
7621------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007622
7623The use of Access Control Lists (ACL) provides a flexible solution to perform
7624content switching and generally to take decisions based on content extracted
7625from the request, the response or any environmental status. The principle is
7626simple :
7627
7628 - define test criteria with sets of values
7629 - perform actions only if a set of tests is valid
7630
7631The actions generally consist in blocking the request, or selecting a backend.
7632
7633In order to define a test, the "acl" keyword is used. The syntax is :
7634
7635 acl <aclname> <criterion> [flags] [operator] <value> ...
7636
7637This creates a new ACL <aclname> or completes an existing one with new tests.
7638Those tests apply to the portion of request/response specified in <criterion>
7639and may be adjusted with optional flags [flags]. Some criteria also support
7640an operator which may be specified before the set of values. The values are
7641of the type supported by the criterion, and are separated by spaces.
7642
7643ACL names must be formed from upper and lower case letters, digits, '-' (dash),
7644'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
7645which means that "my_acl" and "My_Acl" are two different ACLs.
7646
7647There is no enforced limit to the number of ACLs. The unused ones do not affect
7648performance, they just consume a small amount of memory.
7649
7650The following ACL flags are currently supported :
7651
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007652 -i : ignore case during matching of all subsequent patterns.
7653 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007654 -- : force end of flags. Useful when a string looks like one of the flags.
7655
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007656The "-f" flag is special as it loads all of the lines it finds in the file
7657specified in argument and loads all of them before continuing. It is even
7658possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02007659multiple files. Empty lines as well as lines beginning with a sharp ('#') will
7660be ignored. All leading spaces and tabs will be stripped. If it is absolutely
7661needed to insert a valid pattern beginning with a sharp, just prefix it with a
7662space so that it is not taken for a comment. Depending on the data type and
7663match method, haproxy may load the lines into a binary tree, allowing very fast
7664lookups. This is true for IPv4 and exact string matching. In this case,
7665duplicates will automatically be removed. Also, note that the "-i" flag applies
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007666to subsequent entries and not to entries loaded from files preceding it. For
Willy Tarreau58215a02010-05-13 22:07:43 +02007667instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02007668
7669 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
7670
7671In this example, each line of "exact-ua.lst" will be exactly matched against
7672the "user-agent" header of the request. Then each line of "generic-ua" will be
7673case-insensitively matched. Then the word "test" will be insensitively matched
7674too.
7675
7676Note that right now it is difficult for the ACL parsers to report errors, so if
7677a file is unreadable or unparsable, the most you'll get is a parse error in the
7678ACL. Thus, file-based ACLs should only be produced by reliable processes.
7679
Willy Tarreau6a06a402007-07-15 20:15:28 +02007680Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01007681
Willy Tarreau6a06a402007-07-15 20:15:28 +02007682 - integers or integer ranges
7683 - strings
7684 - regular expressions
7685 - IP addresses and networks
7686
7687
Willy Tarreauc57f0e22009-05-10 13:12:33 +020076887.1. Matching integers
7689----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007690
7691Matching integers is special in that ranges and operators are permitted. Note
7692that integer matching only applies to positive values. A range is a value
7693expressed with a lower and an upper bound separated with a colon, both of which
7694may be omitted.
7695
7696For instance, "1024:65535" is a valid range to represent a range of
7697unprivileged ports, and "1024:" would also work. "0:1023" is a valid
7698representation of privileged ports, and ":1023" would also work.
7699
Willy Tarreau62644772008-07-16 18:36:06 +02007700As a special case, some ACL functions support decimal numbers which are in fact
7701two integers separated by a dot. This is used with some version checks for
7702instance. All integer properties apply to those decimal numbers, including
7703ranges and operators.
7704
Willy Tarreau6a06a402007-07-15 20:15:28 +02007705For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01007706operators with ranges does not make much sense and is strongly discouraged.
7707Similarly, it does not make much sense to perform order comparisons with a set
7708of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007709
Willy Tarreau0ba27502007-12-24 16:55:16 +01007710Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007711
7712 eq : true if the tested value equals at least one value
7713 ge : true if the tested value is greater than or equal to at least one value
7714 gt : true if the tested value is greater than at least one value
7715 le : true if the tested value is less than or equal to at least one value
7716 lt : true if the tested value is less than at least one value
7717
Willy Tarreau0ba27502007-12-24 16:55:16 +01007718For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02007719
7720 acl negative-length hdr_val(content-length) lt 0
7721
Willy Tarreau62644772008-07-16 18:36:06 +02007722This one matches SSL versions between 3.0 and 3.1 (inclusive) :
7723
7724 acl sslv3 req_ssl_ver 3:3.1
7725
Willy Tarreau6a06a402007-07-15 20:15:28 +02007726
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077277.2. Matching strings
7728---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007729
7730String matching applies to verbatim strings as they are passed, with the
7731exception of the backslash ("\") which makes it possible to escape some
7732characters such as the space. If the "-i" flag is passed before the first
7733string, then the matching will be performed ignoring the case. In order
7734to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01007735before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007736
7737
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077387.3. Matching regular expressions (regexes)
7739-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007740
7741Just like with string matching, regex matching applies to verbatim strings as
7742they are passed, with the exception of the backslash ("\") which makes it
7743possible to escape some characters such as the space. If the "-i" flag is
7744passed before the first regex, then the matching will be performed ignoring
7745the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01007746the "--" flag before the first string. Same principle applies of course to
7747match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02007748
7749
Willy Tarreauceb4ac92012-04-28 00:41:46 +020077507.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007751----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007752
7753IPv4 addresses values can be specified either as plain addresses or with a
7754netmask appended, in which case the IPv4 address matches whenever it is
7755within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007756host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01007757difficult to read and debug configurations. If hostnames are used, you should
7758at least ensure that they are present in /etc/hosts so that the configuration
7759does not depend on any random DNS match at the moment the configuration is
7760parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007761
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007762IPv6 may be entered in their usual form, with or without a netmask appended.
7763Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
7764trouble with randomly resolved IP addresses, host names are never allowed in
7765IPv6 patterns.
7766
7767HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
7768following situations :
7769 - tested address is IPv4, pattern address is IPv4, the match applies
7770 in IPv4 using the supplied mask if any.
7771 - tested address is IPv6, pattern address is IPv6, the match applies
7772 in IPv6 using the supplied mask if any.
7773 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
7774 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
7775 ::IPV4 or ::ffff:IPV4, otherwise it fails.
7776 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
7777 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
7778 applied in IPv6 using the supplied IPv6 mask.
7779
Willy Tarreau6a06a402007-07-15 20:15:28 +02007780
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077817.5. Available matching criteria
7782--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02007783
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077847.5.1. Matching at Layer 4 and below
7785------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01007786
7787A first set of criteria applies to information which does not require any
7788analysis of the request or response contents. Those generally include TCP/IP
Jamie Gloudon801a0a32012-08-25 00:18:33 -04007789addresses and ports, as well as internal values independent on the stream.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007790
Willy Tarreau6a06a402007-07-15 20:15:28 +02007791always_false
7792 This one never matches. All values and flags are ignored. It may be used as
7793 a temporary replacement for another one when adjusting configurations.
7794
7795always_true
7796 This one always matches. All values and flags are ignored. It may be used as
7797 a temporary replacement for another one when adjusting configurations.
7798
Willy Tarreaud63335a2010-02-26 12:56:52 +01007799avg_queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007800avg_queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007801 Returns the total number of queued connections of the designated backend
7802 divided by the number of active servers. This is very similar to "queue"
7803 except that the size of the farm is considered, in order to give a more
7804 accurate measurement of the time it may take for a new connection to be
7805 processed. The main usage is to return a sorry page to new users when it
7806 becomes certain they will get a degraded service. Note that in the event
7807 there would not be any active server anymore, we would consider twice the
7808 number of queued connections as the measured value. This is a fair estimate,
7809 as we expect one server to get back soon anyway, but we still prefer to send
7810 new traffic to another backend if in better shape. See also the "queue",
7811 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01007812
Willy Tarreaua36af912009-10-10 12:02:45 +02007813be_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007814be_conn(<backend>) <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02007815 Applies to the number of currently established connections on the backend,
7816 possibly including the connection being evaluated. If no backend name is
7817 specified, the current one is used. But it is also possible to check another
7818 backend. It can be used to use a specific farm when the nominal one is full.
7819 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007820
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01007821be_id <integer>
7822 Applies to the backend's id. Can be used in frontends to check from which
7823 backend it was called.
7824
Willy Tarreaud63335a2010-02-26 12:56:52 +01007825be_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007826be_sess_rate(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007827 Returns true when the sessions creation rate on the backend matches the
7828 specified values or ranges, in number of new sessions per second. This is
7829 used to switch to an alternate backend when an expensive or fragile one
7830 reaches too high a session rate, or to limit abuse of service (eg. prevent
7831 sucking of an online dictionary).
7832
7833 Example :
7834 # Redirect to an error page if the dictionary is requested too often
7835 backend dynamic
7836 mode http
7837 acl being_scanned be_sess_rate gt 100
7838 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01007839
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007840connslots <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007841connslots(<backend>) <integer>
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007842 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02007843 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007844 usage; see "use_backend" keyword) can be redirected to a different backend.
7845
Willy Tarreau55165fe2009-05-10 12:02:55 +02007846 'connslots' = number of available server connection slots, + number of
7847 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007848
Willy Tarreaua36af912009-10-10 12:02:45 +02007849 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02007850 useful when you have a case of traffic going to one single ip, splitting into
7851 multiple backends (perhaps using acls to do name-based load balancing) and
7852 you want to be able to differentiate between different backends, and their
7853 available "connslots". Also, whereas "nbsrv" only measures servers that are
7854 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02007855 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007856
Willy Tarreau55165fe2009-05-10 12:02:55 +02007857 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
7858 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
7859 then this acl clearly does not make sense, in which case the value returned
7860 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08007861
Willy Tarreaud63335a2010-02-26 12:56:52 +01007862dst <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02007863 Applies to the local IPv4 or IPv6 address the client connected to. It can be
7864 used to switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02007865
Willy Tarreaud63335a2010-02-26 12:56:52 +01007866dst_conn <integer>
7867 Applies to the number of currently established connections on the same socket
7868 including the one being evaluated. It can be used to either return a sorry
7869 page before hard-blocking, or to use a specific backend to drain new requests
7870 when the socket is considered saturated. This offers the ability to assign
7871 different limits to different listening ports or addresses. See also the
7872 "fe_conn" and "be_conn" criteria.
7873
7874dst_port <integer>
7875 Applies to the local port the client connected to. It can be used to switch
7876 to a different backend for some alternative ports.
7877
7878fe_conn <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007879fe_conn(<frontend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007880 Applies to the number of currently established connections on the frontend,
7881 possibly including the connection being evaluated. If no frontend name is
7882 specified, the current one is used. But it is also possible to check another
7883 frontend. It can be used to either return a sorry page before hard-blocking,
7884 or to use a specific backend to drain new requests when the farm is
7885 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
7886 criteria.
7887
7888fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01007889 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01007890 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02007891
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007892fe_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007893fe_sess_rate(<frontend>) <integer>
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007894 Returns true when the session creation rate on the current or the named
7895 frontend matches the specified values or ranges, expressed in new sessions
7896 per second. This is used to limit the connection rate to acceptable ranges in
7897 order to prevent abuse of service at the earliest moment. This can be
7898 combined with layer 4 ACLs in order to force the clients to wait a bit for
7899 the rate to go down below the limit.
7900
7901 Example :
7902 # This frontend limits incoming mails to 10/s with a max of 100
7903 # concurrent connections. We accept any connection below 10/s, and
7904 # force excess clients to wait for 100 ms. Since clients are limited to
7905 # 100 max, there cannot be more than 10 incoming mails per second.
7906 frontend mail
7907 bind :25
7908 mode tcp
7909 maxconn 100
7910 acl too_fast fe_sess_rate ge 10
7911 tcp-request inspect-delay 100ms
7912 tcp-request content accept if ! too_fast
7913 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01007914
Willy Tarreaud63335a2010-02-26 12:56:52 +01007915nbsrv <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007916nbsrv(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007917 Returns true when the number of usable servers of either the current backend
7918 or the named backend matches the values or ranges specified. This is used to
7919 switch to an alternate backend when the number of servers is too low to
7920 to handle some load. It is useful to report a failure when combined with
7921 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01007922
Willy Tarreaud63335a2010-02-26 12:56:52 +01007923queue <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02007924queue(<backend>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01007925 Returns the total number of queued connections of the designated backend,
7926 including all the connections in server queues. If no backend name is
7927 specified, the current one is used, but it is also possible to check another
7928 one. This can be used to take actions when queuing goes above a known level,
7929 generally indicating a surge of traffic or a massive slowdown on the servers.
7930 One possible action could be to reject new users but still accept old ones.
7931 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
7932
Willy Tarreaue9656522010-08-17 15:40:09 +02007933sc1_bytes_in_rate
7934sc2_bytes_in_rate
7935 Returns the average client-to-server bytes rate from the currently tracked
7936 counters, measured in amount of bytes over the period configured in the
7937 table. See also src_bytes_in_rate.
7938
7939sc1_bytes_out_rate
7940sc2_bytes_out_rate
7941 Returns the average server-to-client bytes rate from the currently tracked
7942 counters, measured in amount of bytes over the period configured in the
7943 table. See also src_bytes_out_rate.
7944
Willy Tarreauf73cd112011-08-13 01:45:16 +02007945sc1_clr_gpc0
7946sc2_clr_gpc0
7947 Clears the first General Purpose Counter associated to the currently tracked
7948 counters, and returns its previous value. Before the first invocation, the
7949 stored value is zero, so first invocation will always return zero. The test
7950 can also be used alone and always returns true. This is typically used as a
7951 second ACL in an expression in order to mark a connection when a first ACL
7952 was verified :
7953
7954 # block if 5 consecutive requests continue to come faster than 10 sess
7955 # per second, and reset the counter as soon as the traffic slows down.
7956 acl abuse sc1_http_req_rate gt 10
7957 acl kill sc1_inc_gpc0 gt 5
7958 acl save sc1_clr_gpc0
7959 tcp-request connection accept if !abuse save
7960 tcp-request connection reject if abuse kill
7961
Willy Tarreaue9656522010-08-17 15:40:09 +02007962sc1_conn_cnt
7963sc2_conn_cnt
7964 Returns the cumulated number of incoming connections from currently tracked
7965 counters. See also src_conn_cnt.
7966
7967sc1_conn_cur
7968sc2_conn_cur
7969 Returns the current amount of concurrent connections tracking the same
7970 tracked counters. This number is automatically incremented when tracking
7971 begins and decremented when tracking stops. See also src_conn_cur.
7972
7973sc1_conn_rate
7974sc2_conn_rate
7975 Returns the average connection rate from the currently tracked counters,
7976 measured in amount of connections over the period configured in the table.
7977 See also src_conn_rate.
7978
7979sc1_get_gpc0
7980sc2_get_gpc0
7981 Returns the value of the first General Purpose Counter associated to the
7982 currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
7983
7984sc1_http_err_cnt
7985sc2_http_err_cnt
7986 Returns the cumulated number of HTTP errors from the currently tracked
7987 counters. This includes the both request errors and 4xx error responses.
7988 See also src_http_err_cnt.
7989
7990sc1_http_err_rate
7991sc2_http_err_rate
7992 Returns the average rate of HTTP errors from the currently tracked counters,
7993 measured in amount of errors over the period configured in the table. This
7994 includes the both request errors and 4xx error responses. See also
7995 src_http_err_rate.
7996
7997sc1_http_req_cnt
7998sc2_http_req_cnt
7999 Returns the cumulated number of HTTP requests from the currently tracked
8000 counters. This includes every started request, valid or not. See also
8001 src_http_req_cnt.
8002
8003sc1_http_req_rate
8004sc2_http_req_rate
8005 Returns the average rate of HTTP requests from the currently tracked
8006 counters, measured in amount of requests over the period configured in
8007 the table. This includes every started request, valid or not. See also
8008 src_http_req_rate.
8009
8010sc1_inc_gpc0
8011sc2_inc_gpc0
8012 Increments the first General Purpose Counter associated to the currently
8013 tracked counters, and returns its value. Before the first invocation, the
8014 stored value is zero, so first invocation will increase it to 1 and will
8015 return 1. The test can also be used alone and always returns true. This is
8016 typically used as a second ACL in an expression in order to mark a connection
8017 when a first ACL was verified :
8018
8019 acl abuse sc1_http_req_rate gt 10
8020 acl kill sc1_inc_gpc0
8021 tcp-request connection reject if abuse kill
8022
8023sc1_kbytes_in
8024sc2_kbytes_in
8025 Returns the amount of client-to-server data from the currently tracked
8026 counters, measured in kilobytes over the period configured in the table. The
8027 test is currently performed on 32-bit integers, which limits values to 4
8028 terabytes. See also src_kbytes_in.
8029
8030sc1_kbytes_out
8031sc2_kbytes_out
8032 Returns the amount of server-to-client data from the currently tracked
8033 counters, measured in kilobytes over the period configured in the table. The
8034 test is currently performed on 32-bit integers, which limits values to 4
8035 terabytes. See also src_kbytes_out.
8036
8037sc1_sess_cnt
8038sc2_sess_cnt
8039 Returns the cumulated number of incoming connections that were transformed
8040 into sessions, which means that they were accepted by a "tcp-request
8041 connection" rule, from the currently tracked counters. A backend may count
8042 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008043 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +02008044 with the client. See also src_sess_cnt.
8045
8046sc1_sess_rate
8047sc2_sess_rate
8048 Returns the average session rate from the currently tracked counters,
8049 measured in amount of sessions over the period configured in the table. A
8050 session is a connection that got past the early "tcp-request connection"
8051 rules. A backend may count more sessions than connections because each
8052 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008053 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +02008054
Willy Tarreaud63335a2010-02-26 12:56:52 +01008055so_id <integer>
8056 Applies to the socket's id. Useful in frontends with many bind keywords.
8057
8058src <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008059 Applies to the client's IPv4 or IPv6 address. It is usually used to limit
8060 access to certain resources such as statistics. Note that it is the TCP-level
8061 source address which is used, and not the address of a client behind a proxy.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008062
Willy Tarreauc9705a12010-07-27 20:05:50 +02008063src_bytes_in_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008064src_bytes_in_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008065 Returns the average bytes rate from the connection's source IPv4 address in
8066 the current proxy's stick-table or in the designated stick-table, measured in
8067 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02008068 not found, zero is returned. See also sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008069
8070src_bytes_out_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008071src_bytes_out_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008072 Returns the average bytes rate to the connection's source IPv4 address in the
8073 current proxy's stick-table or in the designated stick-table, measured in
8074 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02008075 not found, zero is returned. See also sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008076
Willy Tarreauf73cd112011-08-13 01:45:16 +02008077src_clr_gpc0 <integer>
8078src_clr_gpc0(<table>) <integer>
8079 Clears the first General Purpose Counter associated to the connection's
8080 source IPv4 address in the current proxy's stick-table or in the designated
8081 stick-table, and returns its previous value. If the address is not found, an
8082 entry is created and 0 is returned. The test can also be used alone and
8083 always returns true. This is typically used as a second ACL in an expression
8084 in order to mark a connection when a first ACL was verified :
8085
8086 # block if 5 consecutive requests continue to come faster than 10 sess
8087 # per second, and reset the counter as soon as the traffic slows down.
8088 acl abuse src_http_req_rate gt 10
8089 acl kill src_inc_gpc0 gt 5
8090 acl save src_clr_gpc0
8091 tcp-request connection accept if !abuse save
8092 tcp-request connection reject if abuse kill
8093
Willy Tarreauc9705a12010-07-27 20:05:50 +02008094src_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008095src_conn_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008096 Returns the cumulated number of connections initiated from the current
8097 connection's source IPv4 address in the current proxy's stick-table or in
8098 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02008099 See also sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008100
8101src_conn_cur <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008102src_conn_cur(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008103 Returns the current amount of concurrent connections initiated from the
8104 current connection's source IPv4 address in the current proxy's stick-table
8105 or in the designated stick-table. If the address is not found, zero is
Willy Tarreaue9656522010-08-17 15:40:09 +02008106 returned. See also sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008107
8108src_conn_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008109src_conn_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008110 Returns the average connection rate from the connection's source IPv4 address
8111 in the current proxy's stick-table or in the designated stick-table, measured
8112 in amount of connections over the period configured in the table. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02008113 address is not found, zero is returned. See also sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008114
8115src_get_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008116src_get_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008117 Returns the value of the first General Purpose Counter associated to the
8118 connection's source IPv4 address in the current proxy's stick-table or in
8119 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02008120 See also sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008121
8122src_http_err_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008123src_http_err_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008124 Returns the cumulated number of HTTP errors from the current connection's
8125 source IPv4 address in the current proxy's stick-table or in the designated
8126 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreaue9656522010-08-17 15:40:09 +02008127 If the address is not found, zero is returned. See also sc1/sc2_http_err_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008128
8129src_http_err_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008130src_http_err_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008131 Returns the average rate of HTTP errors from the current connection's source
8132 IPv4 address in the current proxy's stick-table or in the designated stick-
8133 table, measured in amount of errors over the period configured in the table.
8134 This includes the both request errors and 4xx error responses. If the address
Willy Tarreaue9656522010-08-17 15:40:09 +02008135 is not found, zero is returned. See also sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008136
8137src_http_req_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008138src_http_req_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008139 Returns the cumulated number of HTTP requests from the current connection's
8140 source IPv4 address in the current proxy's stick-table or in the designated
8141 stick-table. This includes every started request, valid or not. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02008142 address is not found, zero is returned. See also sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008143
8144src_http_req_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008145src_http_req_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008146 Returns the average rate of HTTP requests from the current connection's
8147 source IPv4 address in the current proxy's stick-table or in the designated
8148 stick-table, measured in amount of requests over the period configured in the
8149 table. This includes every started request, valid or not. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02008150 not found, zero is returned. See also sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008151
8152src_inc_gpc0 <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008153src_inc_gpc0(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008154 Increments the first General Purpose Counter associated to the connection's
8155 source IPv4 address in the current proxy's stick-table or in the designated
8156 stick-table, and returns its value. If the address is not found, an entry is
8157 created and 1 is returned. The test can also be used alone and always returns
8158 true. This is typically used as a second ACL in an expression in order to
8159 mark a connection when a first ACL was verified :
8160
8161 acl abuse src_http_req_rate gt 10
8162 acl kill src_inc_gpc0
Willy Tarreaue9656522010-08-17 15:40:09 +02008163 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +02008164
8165src_kbytes_in <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008166src_kbytes_in(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008167 Returns the amount of data received from the connection's source IPv4 address
8168 in the current proxy's stick-table or in the designated stick-table, measured
8169 in kilobytes over the period configured in the table. If the address is not
8170 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02008171 which limits values to 4 terabytes. See also sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008172
8173src_kbytes_out <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008174src_kbytes_out(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008175 Returns the amount of data sent to the connection's source IPv4 address in
8176 the current proxy's stick-table or in the designated stick-table, measured
8177 in kilobytes over the period configured in the table. If the address is not
8178 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02008179 which limits values to 4 terabytes. See also sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02008180
Willy Tarreaud63335a2010-02-26 12:56:52 +01008181src_port <integer>
8182 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01008183
Willy Tarreauc9705a12010-07-27 20:05:50 +02008184src_sess_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008185src_sess_cnt(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008186 Returns the cumulated number of connections initiated from the current
8187 connection's source IPv4 address in the current proxy's stick-table or in the
8188 designated stick-table, that were transformed into sessions, which means that
8189 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreaue9656522010-08-17 15:40:09 +02008190 is returned. See also sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008191
8192src_sess_rate <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008193src_sess_rate(<table>) <integer>
Willy Tarreauc9705a12010-07-27 20:05:50 +02008194 Returns the average session rate from the connection's source IPv4 address in
8195 the current proxy's stick-table or in the designated stick-table, measured in
8196 amount of sessions over the period configured in the table. A session is a
8197 connection that got past the early "tcp-request" rules. If the address is not
Willy Tarreaue9656522010-08-17 15:40:09 +02008198 found, zero is returned. See also sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008199
8200src_updt_conn_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008201src_updt_conn_cnt(<table>) <integer>
Willy Tarreaua975b8f2010-06-05 19:13:27 +02008202 Creates or updates the entry associated to the source IPv4 address in the
Willy Tarreauc9705a12010-07-27 20:05:50 +02008203 current proxy's stick-table or in the designated stick-table. This table
8204 must be configured to store the "conn_cnt" data type, otherwise the match
Willy Tarreaua975b8f2010-06-05 19:13:27 +02008205 will be ignored. The current count is incremented by one, and the expiration
8206 timer refreshed. The updated count is returned, so this match can't return
8207 zero. This is used to reject service abusers based on their source address.
Willy Tarreauc9705a12010-07-27 20:05:50 +02008208 Note: it is recommended to use the more complete "track-counters" instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02008209
8210 Example :
8211 # This frontend limits incoming SSH connections to 3 per 10 second for
8212 # each source address, and rejects excess connections until a 10 second
8213 # silence is observed. At most 20 addresses are tracked.
8214 listen ssh
8215 bind :22
8216 mode tcp
8217 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +02008218 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreaua975b8f2010-06-05 19:13:27 +02008219 tcp-request content reject if { src_update_count gt 3 }
8220 server local 127.0.0.1:22
8221
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008222srv_conn(<backend>/<server>) <integer>
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +02008223 Applies to the number of currently established connections on the server,
8224 possibly including the connection being evaluated.
8225 It can be used to use a specific farm when one server is full.
8226 See also the "fe_conn", "be_conn" and "queue" criteria.
8227
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +01008228srv_id <integer>
8229 Applies to the server's id. Can be used in frontends or backends.
8230
Willy Tarreau0b1cd942010-05-16 22:18:27 +02008231srv_is_up(<server>)
8232srv_is_up(<backend>/<server>)
8233 Returns true when the designated server is UP, and false when it is either
8234 DOWN or in maintenance mode. If <backend> is omitted, then the server is
8235 looked up in the current backend. The function takes no arguments since it
8236 is used as a boolean. It is mainly used to take action based on an external
8237 status reported via a health check (eg: a geographical site's availability).
8238 Another possible use which is more of a hack consists in using dummy servers
8239 as boolean variables that can be enabled or disabled from the CLI, so that
8240 rules depending on those ACLs can be tweaked in realtime.
8241
Willy Tarreauc735a072011-03-29 00:57:02 +02008242table_avl <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008243table_avl(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02008244 Returns the total number of available entries in the current proxy's
8245 stick-table or in the designated stick-table. See also table_cnt.
8246
8247table_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008248table_cnt(<table>) <integer>
Willy Tarreauc735a072011-03-29 00:57:02 +02008249 Returns the total number of entries currently in use in the current proxy's
8250 stick-table or in the designated stick-table. See also src_conn_cnt and
8251 table_avl for other entry counting methods.
8252
Willy Tarreau0ba27502007-12-24 16:55:16 +01008253
Willy Tarreaue9656522010-08-17 15:40:09 +020082547.5.2. Matching contents at Layer 4 (also called Layer 6)
8255---------------------------------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02008256
8257A second set of criteria depends on data found in buffers, but which can change
8258during analysis. This requires that some data has been buffered, for instance
Willy Tarreaue9656522010-08-17 15:40:09 +02008259through TCP request content inspection. Please see the "tcp-request content"
8260keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +02008261
Emeric Brunb4354082012-09-28 17:28:03 +02008262client_crt
8263 Returns true if a client certificate is present in an incoming connection over
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008264 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brunb4354082012-09-28 17:28:03 +02008265
Willy Tarreau7875d092012-09-10 08:20:03 +02008266is_ssl
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008267 Returns true when the incoming connection was made via an SSL/TLS transport
8268 layer and is locally deciphered. This means it has matched a socket declared
8269 with a "bind" line having the "ssl" option.
Willy Tarreau7875d092012-09-10 08:20:03 +02008270
Willy Tarreaub6672b52011-12-12 17:23:41 +01008271rep_ssl_hello_type <integer>
8272 Returns true when data in the response buffer looks like a complete SSL (v3
8273 or superior) hello message and handshake type is equal to <integer>.
8274 This test was designed to be used with TCP response content inspection: a
Willy Tarreau7875d092012-09-10 08:20:03 +02008275 SSL session ID may be fetched. Note that this only applies to raw contents
8276 found in the request buffer and not to contents deciphered via an SSL data
8277 layer, so this will not work with "bind" lines having the "ssl" option.
Willy Tarreaub6672b52011-12-12 17:23:41 +01008278
Willy Tarreau62644772008-07-16 18:36:06 +02008279req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02008280 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02008281 specified range. It is important to understand that this test does not
8282 return false as long as the buffer is changing. This means that a check with
8283 equality to zero will almost always immediately match at the beginning of the
8284 session, while a test for more data will wait for that data to come in and
8285 return false only when haproxy is certain that no more data will come in.
8286 This test was designed to be used with TCP request content inspection.
8287
Willy Tarreau2492d5b2009-07-11 00:06:00 +02008288req_proto_http
8289 Returns true when data in the request buffer look like HTTP and correctly
8290 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008291 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02008292 to direct HTTP traffic to a given port and HTTPS traffic to another one
8293 using TCP request content inspection rules.
8294
Emeric Brunbede3d02009-06-30 17:54:00 +02008295req_rdp_cookie <string>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008296req_rdp_cookie(<name>) <string>
Emeric Brunbede3d02009-06-30 17:54:00 +02008297 Returns true when data in the request buffer look like the RDP protocol, and
8298 a cookie is present and equal to <string>. By default, any cookie name is
8299 checked, but a specific cookie name can be specified in parenthesis. The
8300 parser only checks for the first cookie, as illustrated in the RDP protocol
8301 specification. The cookie name is case insensitive. This ACL can be useful
8302 with the "MSTS" cookie, as it can contain the user name of the client
8303 connecting to the server if properly configured on the client. This can be
8304 used to restrict access to certain servers to certain users.
8305
8306req_rdp_cookie_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008307req_rdp_cookie_cnt(<name>) <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02008308 Returns true when the data in the request buffer look like the RDP protocol
8309 and the number of RDP cookies matches the specified range (typically zero or
8310 one). Optionally a specific cookie name can be checked. This is a simple way
8311 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
8312 cookies.
8313
Willy Tarreaub6672b52011-12-12 17:23:41 +01008314req_ssl_hello_type <integer>
8315 Returns true when data in the request buffer looks like a complete SSL (v3
8316 or superior) hello message and handshake type is equal to <integer>.
8317 This test was designed to be used with TCP request content inspection: an
Willy Tarreau7875d092012-09-10 08:20:03 +02008318 SSL session ID may be fetched. Note that this only applies to raw contents
8319 found in the request buffer and not to contents deciphered via an SSL data
8320 layer, so this will not work with "bind" lines having the "ssl" option.
Willy Tarreaub6672b52011-12-12 17:23:41 +01008321
8322req_ssl_sni <string>
8323 Returns true when data in the request buffer looks like a complete SSL (v3
8324 or superior) client hello message with a Server Name Indication TLS extension
8325 (SNI) matching <string>. SNI normally contains the name of the host the
8326 client tries to connect to (for recent browsers). SNI is useful for allowing
8327 or denying access to certain hosts when SSL/TLS is used by the client. This
8328 test was designed to be used with TCP request content inspection. If content
8329 switching is needed, it is recommended to first wait for a complete client
Willy Tarreau7875d092012-09-10 08:20:03 +02008330 hello (type 1), like in the example below. Note that this only applies to raw
8331 contents found in the request buffer and not to contents deciphered via an
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008332 SSL transport layer, so this will not work with "bind" lines having the "ssl"
Willy Tarreau7875d092012-09-10 08:20:03 +02008333 option. See also "ssl_sni" below.
Willy Tarreaub6672b52011-12-12 17:23:41 +01008334
8335 Examples :
8336 # Wait for a client hello for at most 5 seconds
8337 tcp-request inspect-delay 5s
8338 tcp-request content accept if { req_ssl_hello_type 1 }
8339 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
8340 default_backend bk_sorry_page
8341
Willy Tarreau62644772008-07-16 18:36:06 +02008342req_ssl_ver <decimal>
8343 Returns true when data in the request buffer look like SSL, with a protocol
8344 version matching the specified range. Both SSLv2 hello messages and SSLv3
8345 messages are supported. The test tries to be strict enough to avoid being
8346 easily fooled. In particular, it waits for as many bytes as announced in the
8347 message header if this header looks valid (bound to the buffer size). Note
8348 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
Willy Tarreau7875d092012-09-10 08:20:03 +02008349 with TCP request content inspection. Note that this only applies to raw
8350 contents found in the request buffer and not to contents deciphered via an
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008351 SSL transport layer, so this will not work with "bind" lines having the "ssl"
Willy Tarreau7875d092012-09-10 08:20:03 +02008352 option.
8353
Willy Tarreau7875d092012-09-10 08:20:03 +02008354ssl_has_sni
8355 This is used to check for presence of a Server Name Indication TLS extension
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008356 in an incoming connection was made over an SSL/TLS transport layer. Returns
8357 true when the incoming connection presents a TLS SNI field. This requires
8358 that the SSL library is build with support for TLS extensions enabled (check
8359 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +02008360
Willy Tarreaua33c6542012-10-15 13:19:06 +02008361ssl_npn <string>
8362 Returns true when the incoming connection was made over an SSL/TLS transport
8363 layer which deciphered it and found a Next Protocol Negociation TLS extension
8364 sent by the client, matching the specified string. This requires that the SSL
8365 library is build with support for TLS extensions enabled (check haproxy -vv).
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008366 Note that the TLS NPN extension is not advertised unless the "npn" keyword on
8367 the "bind" line specifies a protocol list. Also, nothing forces the client to
8368 pick a protocol from this list, any other one may be requested.
Willy Tarreaua33c6542012-10-15 13:19:06 +02008369
Willy Tarreau7875d092012-09-10 08:20:03 +02008370ssl_sni <string>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008371 Returns true when the incoming connection was made over an SSL/TLS transport
8372 layer which deciphered it and found a Server Name Indication TLS extension
8373 sent by the client, matching the specified string. In HTTPS, the SNI field
8374 (when present) is equal to the requested host name. This match is different
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +02008375 from "req_ssl_sni" above in that it applies to the connection being
8376 deciphered by haproxy and not to SSL contents being blindly forwarded.
8377 See also "ssl_sni_end" and "ssl_sni_req" below. This requires that the SSL
8378 library is build with support for TLS extensions enabled (check haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +02008379
8380ssl_sni_end <string>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008381 Returns true when the incoming connection was made over an SSL/TLS transport
8382 layer which deciphered it and found a Server Name Indication TLS extension
8383 sent by the client, ending like the specified string. In HTTPS, the SNI field
8384 (when present) is equal to the requested host name. This match is different
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +02008385 from "req_ssl_sni" above in that it applies to the connection being
8386 deciphered by haproxy and not to SSL contents being blindly forwarded. This
8387 requires that the SSL library is build with support for TLS extensions
8388 enabled (check haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +02008389
8390ssl_sni_req <regex>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008391 Returns true when the incoming connection was made over an SSL/TLS transport
8392 layer which deciphered it and found a Server Name Indication TLS extension
8393 sent by the client, matching the specified regex. In HTTPS, the SNI field
8394 (when present) is equal to the requested host name. This match is different
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +02008395 from "req_ssl_sni" above in that it applies to the connection being
8396 deciphered by haproxy and not to SSL contents being blindly forwarded. This
8397 requires that the SSL library is build with support for TLS extensions
8398 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +02008399
Emeric Brun3603fbe2012-09-28 18:35:15 +02008400ssl_verify_caerr <errorID>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008401 Returns true when the incoming connection was made over an SSL/TLS transport
8402 layer and the ID of the first error detected during verify at depth > 0 match
8403 the errorID.
Emeric Brun3603fbe2012-09-28 18:35:15 +02008404
8405ssl_verify_caerr_depth <depth>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008406 Returns true when the incoming connection was made over an SSL/TLS transport
8407 layer and the depth of the first error detected during verify match the
8408 depth.
Emeric Brun3603fbe2012-09-28 18:35:15 +02008409
8410ssl_verify_crterr <errorID>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008411 Returns true when the incoming connection was made over an SSL/TLS transport
8412 layer and the ID of the first error detected during verify at depth == 0
8413 match the errorID.
Emeric Brun3603fbe2012-09-28 18:35:15 +02008414
Emeric Brunc68af8d2012-09-28 18:14:24 +02008415ssl_verify_result <errorID>
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008416 Returns true when the incoming connection was made over an SSL/TLS transport
8417 layer and the verify result match the errorID.
Emeric Brunc68af8d2012-09-28 18:14:24 +02008418
Willy Tarreaub6fb4202008-07-20 11:18:28 +02008419wait_end
8420 Waits for the end of the analysis period to return true. This may be used in
8421 conjunction with content analysis to avoid returning a wrong verdict early.
8422 It may also be used to delay some actions, such as a delayed reject for some
8423 special addresses. Since it either stops the rules evaluation or immediately
8424 returns true, it is recommended to use this acl as the last one in a rule.
8425 Please note that the default ACL "WAIT_END" is always usable without prior
8426 declaration. This test was designed to be used with TCP request content
8427 inspection.
8428
8429 Examples :
8430 # delay every incoming request by 2 seconds
8431 tcp-request inspect-delay 2s
8432 tcp-request content accept if WAIT_END
8433
8434 # don't immediately tell bad guys they are rejected
8435 tcp-request inspect-delay 10s
8436 acl goodguys src 10.0.0.0/24
8437 acl badguys src 10.0.1.0/24
8438 tcp-request content accept if goodguys
8439 tcp-request content reject if badguys WAIT_END
8440 tcp-request content reject
8441
Willy Tarreau62644772008-07-16 18:36:06 +02008442
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084437.5.3. Matching at Layer 7
8444--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01008445
Willy Tarreau62644772008-07-16 18:36:06 +02008446A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01008447application layer (layer 7). Those require that a full HTTP request has been
8448read, and are only evaluated then. They may require slightly more CPU resources
8449than the layer 4 ones, but not much since the request and response are indexed.
8450
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008451base <string>
8452 Returns true when the concatenation of the first Host header and the path
8453 part of the request, which starts at the first slash and ends before the
8454 question mark, equals one of the strings. It may be used to match known
8455 files in virtual hosting environments, such as "www.example.com/favicon.ico".
8456 See also "path" and "uri".
8457
8458base_beg <string>
8459 Returns true when the base (see above) begins with one of the strings. This
8460 can be used to send certain directory names to alternative backends. See also
8461 "path_beg".
8462
8463base_dir <string>
8464 Returns true when one of the strings is found isolated or delimited with
8465 slashes in the base (see above). Probably of little use, see "url_dir" and
8466 "path_dir" instead.
8467
8468base_dom <string>
8469 Returns true when one of the strings is found isolated or delimited with dots
8470 in the base (see above). Probably of little use, see "path_dom" and "url_dom"
8471 instead.
8472
8473base_end <string>
8474 Returns true when the base (see above) ends with one of the strings. This may
8475 be used to control file name extension, though "path_end" is cheaper.
8476
8477base_len <integer>
8478 Returns true when the base (see above) length matches the values or ranges
8479 specified. This may be used to detect abusive requests for instance.
8480
8481base_reg <regex>
8482 Returns true when the base (see above) matches one of the regular
8483 expressions. It can be used any time, but it is important to remember that
8484 regex matching is slower than other methods. See also "path_reg", "url_reg"
8485 and all "base_" criteria.
8486
8487base_sub <string>
8488 Returns true when the base (see above) contains one of the strings. It can be
8489 used to detect particular patterns in paths, such as "../" for example. See
8490 also "base_dir".
8491
Willy Tarreau04aa6a92012-04-06 18:57:55 +02008492cook(<name>) <string>
8493 All "cook*" matching criteria inspect all "Cookie" headers to find a cookie
8494 with the name between parenthesis. If multiple occurrences of the cookie are
8495 found in the request, they will all be evaluated. Spaces around the name and
8496 the value are ignored as requested by the Cookie specification (RFC6265). The
8497 cookie name is case-sensitive. Use the scook() variant for response cookies
8498 sent by the server.
8499
8500 The "cook" criteria returns true if any of the request cookies <name> match
8501 any of the strings. This can be used to check exact for values. For instance,
8502 checking that the "profile" cookie is set to either "silver" or "gold" :
8503
8504 cook(profile) silver gold
8505
8506cook_beg(<name>) <string>
8507 Returns true if any of the request cookies <name> begins with one of the
8508 strings. See "cook" for more information on cookie matching. Use the
8509 scook_beg() variant for response cookies sent by the server.
8510
8511cook_cnt(<name>) <integer>
8512 Returns true when the number of occurrences of the specified cookie matches
8513 the values or ranges specified. This is used to detect presence, absence or
8514 abuse of a specific cookie. See "cook" for more information on header
8515 matching. Use the scook_cnt() variant for response cookies sent by the
8516 server.
8517
8518cook_dir(<name>) <string>
8519 Returns true if any of the request cookies <name> contains one of the strings
8520 either isolated or delimited by slashes. This is used to perform filename or
8521 directory name matching, though it generally is of limited use with cookies.
8522 See "cook" for more information on cookie matching. Use the scook_dir()
8523 variant for response cookies sent by the server.
8524
8525cook_dom(<name>) <string>
8526 Returns true if any of the request cookies <name> contains one of the strings
8527 either isolated or delimited by dots. This is used to perform domain name
8528 matching. See "cook" for more information on cookie matching. Use the
8529 scook_dom() variant for response cookies sent by the server.
8530
8531cook_end(<name>) <string>
8532 Returns true if any of the request cookies <name> ends with one of the
8533 strings. See "cook" for more information on cookie matching. Use the
8534 scook_end() variant for response cookies sent by the server.
8535
8536cook_len(<name>) <integer>
8537 Returns true if any of the request cookies <name> has a length which matches
8538 the values or ranges specified. This may be used to detect empty or too large
8539 cookie values. Note that an absent cookie does not match a zero-length test.
8540 See "cook" for more information on cookie matching. Use the scook_len()
8541 variant for response cookies sent by the server.
8542
8543cook_reg(<name>) <regex>
8544 Returns true if any of the request cookies <name> matches any of the regular
8545 expressions. It can be used at any time, but it is important to remember that
8546 regex matching is slower than other methods. See also other "cook_" criteria,
8547 as well as "cook" for more information on cookie matching. Use the
8548 scook_reg() variant for response cookies sent by the server.
8549
8550cook_sub(<name>) <string>
8551 Returns true if any of the request cookies <name> contains at least one of
8552 the strings. See "cook" for more information on cookie matching. Use the
8553 scook_sub() variant for response cookies sent by the server.
8554
Willy Tarreau51539362012-05-08 12:46:28 +02008555cook_val(<name>) <integer>
8556 Returns true if any of the request cookies <name> starts with a number which
8557 matches the values or ranges specified. This may be used to select a server
8558 based on application-specific cookies. Note that an absent cookie does not
8559 match any value. See "cook" for more information on cookie matching. Use the
8560 scook_val() variant for response cookies sent by the server.
8561
Willy Tarreaud63335a2010-02-26 12:56:52 +01008562hdr <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008563hdr(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008564 Note: all the "hdr*" matching criteria either apply to all headers, or to a
8565 particular header whose name is passed between parenthesis and without any
8566 space. The header name is not case-sensitive. The header matching complies
8567 with RFC2616, and treats as separate headers all values delimited by commas.
Willy Tarreau185b5c42012-04-26 15:11:51 +02008568 If an occurrence number is specified as the optional second argument, only
8569 this occurrence will be considered. Positive values indicate a position from
8570 the first occurrence, 1 being the first one. Negative values indicate
8571 positions relative to the last one, -1 being the last one. Use the shdr()
8572 variant for response headers sent by the server.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008573
8574 The "hdr" criteria returns true if any of the headers matching the criteria
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008575 match any of the strings. This can be used to check for exact values. For
Willy Tarreaud63335a2010-02-26 12:56:52 +01008576 instance, checking that "connection: close" is set :
8577
8578 hdr(Connection) -i close
8579
8580hdr_beg <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008581hdr_beg(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008582 Returns true when one of the headers begins with one of the strings. See
8583 "hdr" for more information on header matching. Use the shdr_beg() variant for
8584 response headers sent by the server.
8585
8586hdr_cnt <integer>
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008587hdr_cnt(<header>) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008588 Returns true when the number of occurrence of the specified header matches
8589 the values or ranges specified. It is important to remember that one header
8590 line may count as several headers if it has several values. This is used to
8591 detect presence, absence or abuse of a specific header, as well as to block
8592 request smuggling attacks by rejecting requests which contain more than one
8593 of certain headers. See "hdr" for more information on header matching. Use
8594 the shdr_cnt() variant for response headers sent by the server.
8595
8596hdr_dir <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008597hdr_dir(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008598 Returns true when one of the headers contains one of the strings either
8599 isolated or delimited by slashes. This is used to perform filename or
8600 directory name matching, and may be used with Referer. See "hdr" for more
8601 information on header matching. Use the shdr_dir() variant for response
8602 headers sent by the server.
8603
8604hdr_dom <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008605hdr_dom(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008606 Returns true when one of the headers contains one of the strings either
8607 isolated or delimited by dots. This is used to perform domain name matching,
8608 and may be used with the Host header. See "hdr" for more information on
8609 header matching. Use the shdr_dom() variant for response headers sent by the
8610 server.
8611
8612hdr_end <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008613hdr_end(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008614 Returns true when one of the headers ends with one of the strings. See "hdr"
8615 for more information on header matching. Use the shdr_end() variant for
8616 response headers sent by the server.
8617
8618hdr_ip <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008619hdr_ip(<header>[,<occ>]) <address>
8620 Returns true when one of the headers' values contains an IPv4 or IPv6 address
8621 matching <address>. This is mainly used with headers such as X-Forwarded-For
8622 or X-Client-IP. See "hdr" for more information on header matching. Use the
Willy Tarreaud63335a2010-02-26 12:56:52 +01008623 shdr_ip() variant for response headers sent by the server.
8624
Willy Tarreau0e698542011-09-16 08:32:32 +02008625hdr_len <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008626hdr_len(<header>[,<occ>]) <integer>
Willy Tarreau0e698542011-09-16 08:32:32 +02008627 Returns true when at least one of the headers has a length which matches the
8628 values or ranges specified. This may be used to detect empty or too large
8629 headers. See "hdr" for more information on header matching. Use the
8630 shdr_len() variant for response headers sent by the server.
8631
Willy Tarreaud63335a2010-02-26 12:56:52 +01008632hdr_reg <regex>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008633hdr_reg(<header>[,<occ>]) <regex>
Willy Tarreau04aa6a92012-04-06 18:57:55 +02008634 Returns true it one of the headers matches one of the regular expressions. It
Willy Tarreaud63335a2010-02-26 12:56:52 +01008635 can be used at any time, but it is important to remember that regex matching
8636 is slower than other methods. See also other "hdr_" criteria, as well as
8637 "hdr" for more information on header matching. Use the shdr_reg() variant for
8638 response headers sent by the server.
8639
8640hdr_sub <string>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008641hdr_sub(<header>[,<occ>]) <string>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008642 Returns true when one of the headers contains one of the strings. See "hdr"
8643 for more information on header matching. Use the shdr_sub() variant for
8644 response headers sent by the server.
8645
8646hdr_val <integer>
Willy Tarreau185b5c42012-04-26 15:11:51 +02008647hdr_val(<header>[,<occ>]) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01008648 Returns true when one of the headers starts with a number which matches the
8649 values or ranges specified. This may be used to limit content-length to
8650 acceptable values for example. See "hdr" for more information on header
8651 matching. Use the shdr_val() variant for response headers sent by the server.
8652
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02008653http_auth(<userlist>)
8654http_auth_group(<userlist>) <group> [<group>]*
Willy Tarreaud63335a2010-02-26 12:56:52 +01008655 Returns true when authentication data received from the client matches
8656 username & password stored on the userlist. It is also possible to
8657 use http_auth_group to check if the user is assigned to at least one
8658 of specified groups.
8659
8660 Currently only http basic auth is supported.
8661
Willy Tarreau85c27da2011-09-16 07:53:52 +02008662http_first_req
Willy Tarreau7f18e522010-10-22 20:04:13 +02008663 Returns true when the request being processed is the first one of the
8664 connection. This can be used to add or remove headers that may be missing
8665 from some requests when a request is not the first one, or even to perform
8666 some specific ACL checks only on the first request.
8667
Willy Tarreau6a06a402007-07-15 20:15:28 +02008668method <string>
8669 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
8670 already check for most common methods.
8671
Willy Tarreau6a06a402007-07-15 20:15:28 +02008672path <string>
8673 Returns true when the path part of the request, which starts at the first
8674 slash and ends before the question mark, equals one of the strings. It may be
8675 used to match known files, such as /favicon.ico.
8676
8677path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008678 Returns true when the path begins with one of the strings. This can be used
8679 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008680
Willy Tarreau6a06a402007-07-15 20:15:28 +02008681path_dir <string>
8682 Returns true when one of the strings is found isolated or delimited with
8683 slashes in the path. This is used to perform filename or directory name
8684 matching without the risk of wrong match due to colliding prefixes. See also
8685 "url_dir" and "path_sub".
8686
8687path_dom <string>
8688 Returns true when one of the strings is found isolated or delimited with dots
8689 in the path. This may be used to perform domain name matching in proxy
8690 requests. See also "path_sub" and "url_dom".
8691
Willy Tarreaud63335a2010-02-26 12:56:52 +01008692path_end <string>
8693 Returns true when the path ends with one of the strings. This may be used to
8694 control file name extension.
8695
Willy Tarreau0e698542011-09-16 08:32:32 +02008696path_len <integer>
8697 Returns true when the path length matches the values or ranges specified.
8698 This may be used to detect abusive requests for instance.
8699
Willy Tarreau6a06a402007-07-15 20:15:28 +02008700path_reg <regex>
8701 Returns true when the path matches one of the regular expressions. It can be
8702 used any time, but it is important to remember that regex matching is slower
8703 than other methods. See also "url_reg" and all "path_" criteria.
8704
Willy Tarreaud63335a2010-02-26 12:56:52 +01008705path_sub <string>
8706 Returns true when the path contains one of the strings. It can be used to
8707 detect particular patterns in paths, such as "../" for example. See also
8708 "path_dir".
8709
Willy Tarreau0ce3aa02012-04-25 18:46:33 +02008710payload(<offset>,<length>) <string>
8711 Returns true if the block of <length> bytes, starting at byte <offset> in the
8712 request or response buffer (depending on the rule) exactly matches one of the
8713 strings.
8714
8715payload_lv(<offset1>,<length>[,<offset2>])
8716 Returns true if the block whose size is specified at <offset1> for <length>
8717 bytes, and which starts at <offset2> if specified or just after the length in
8718 the request or response buffer (depending on the rule) exactly matches one of
8719 the strings. The <offset2> parameter also supports relative offsets if
8720 prepended with a '+' or '-' sign.
8721
Willy Tarreaud63335a2010-02-26 12:56:52 +01008722req_ver <string>
8723 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
8724 ACL already check for versions 1.0 and 1.1.
8725
8726status <integer>
8727 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
8728 used to act on responses depending on status ranges, for instance, remove
8729 any Location header if the response is not a 3xx.
8730
Willy Tarreau6a06a402007-07-15 20:15:28 +02008731url <string>
8732 Applies to the whole URL passed in the request. The only real use is to match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008733 "*", for which there already is a predefined ACL. See also "base".
Willy Tarreau6a06a402007-07-15 20:15:28 +02008734
8735url_beg <string>
8736 Returns true when the URL begins with one of the strings. This can be used to
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008737 check whether a URL begins with a slash or with a protocol scheme. See also
8738 "base_beg".
Willy Tarreau6a06a402007-07-15 20:15:28 +02008739
Willy Tarreau6a06a402007-07-15 20:15:28 +02008740url_dir <string>
8741 Returns true when one of the strings is found isolated or delimited with
8742 slashes in the URL. This is used to perform filename or directory name
8743 matching without the risk of wrong match due to colliding prefixes. See also
8744 "path_dir" and "url_sub".
8745
8746url_dom <string>
8747 Returns true when one of the strings is found isolated or delimited with dots
8748 in the URL. This is used to perform domain name matching without the risk of
8749 wrong match due to colliding prefixes. See also "url_sub".
8750
Willy Tarreaud63335a2010-02-26 12:56:52 +01008751url_end <string>
8752 Returns true when the URL ends with one of the strings. It has very limited
8753 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008754
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008755url_ip <address>
8756 Applies to the IPv4 or IPv6 address specified in the absolute URI in an HTTP
8757 request. It can be used to prevent access to certain resources such as local
8758 network. It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008759
Willy Tarreau0e698542011-09-16 08:32:32 +02008760url_len <integer>
8761 Returns true when the url length matches the values or ranges specified. This
8762 may be used to detect abusive requests for instance.
8763
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008764url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01008765 Applies to the port specified in the absolute URI in an HTTP request. It can
8766 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01008767 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01008768 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01008769
Willy Tarreaud63335a2010-02-26 12:56:52 +01008770url_reg <regex>
8771 Returns true when the URL matches one of the regular expressions. It can be
8772 used any time, but it is important to remember that regex matching is slower
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008773 than other methods. See also "base_reg", "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008774
Willy Tarreaud63335a2010-02-26 12:56:52 +01008775url_sub <string>
8776 Returns true when the URL contains one of the strings. It can be used to
8777 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008778
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008779urlp(<name>) <string>
8780 Note: all "urlp*" matching criteria apply to the first occurrence of the
8781 parameter <name> in the query string. The parameter name is case-sensitive.
8782
8783 The "urlp" matching criteria returns true if the designated URL parameter
8784 matches any of the strings. This can be used to check for exact values.
8785
8786urlp_beg(<name>) <string>
8787 Returns true when the URL parameter "<name>" begins with one of the strings.
8788 This can be used to check whether a URL begins with a slash or with a
8789 protocol scheme.
8790
8791urlp_dir(<name>) <string>
8792 Returns true when the URL parameter "<name>" contains one of the strings
8793 either isolated or delimited with slashes. This is used to perform filename
8794 or directory name matching in a specific URL parameter without the risk of
8795 wrong match due to colliding prefixes. See also "path_dir" and "urlp_sub".
8796
8797urlp_dom(<name>) <string>
8798 Returns true when one of the strings is found isolated or delimited with dots
8799 in the URL parameter "<name>". This is used to perform domain name matching
8800 in a specific URL parameter without the risk of wrong match due to colliding
8801 prefixes. See also "urlp_sub".
8802
8803urlp_end(<name>) <string>
8804 Returns true when the URL parameter "<name>" ends with one of the strings.
8805
8806urlp_ip(<name>) <ip_address>
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008807 Returns true when the URL parameter "<name>" contains an IPv4 or IPv6 address
8808 which matches one of the specified addresses.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02008809
8810urlp_len(<name>) <integer>
8811 Returns true when the URL parameter "<name>" has a length matching the values
8812 or ranges specified. This is used to detect abusive requests for instance.
8813
8814urlp_reg(<name>) <regex>
8815 Returns true when the URL parameter "<name>" matches one of the regular
8816 expressions. It can be used any time, but it is important to remember that
8817 regex matching is slower than other methods. See also "path_reg" and all
8818 "urlp_" criteria.
8819
8820urlp_sub(<name>) <string>
8821 Returns true when the URL parameter "<name>" contains one of the strings. It
8822 can be used to detect particular patterns in query strings for example. See
8823 also "path_sub" and other "urlp_" criteria.
8824
Willy Tarreaua9fddca2012-07-31 07:51:48 +02008825urlp_val(<name>) <integer>
8826 Returns true when the URL parameter "<name>" starts with a number matching
8827 the values or ranges specified. Note that the absence of the parameter does
8828 not match anything. Integers are unsigned so it is not possible to match
8829 negative data.
8830
Willy Tarreau198a7442008-01-17 12:05:32 +01008831
Willy Tarreauc57f0e22009-05-10 13:12:33 +020088327.6. Pre-defined ACLs
8833---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008834
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008835Some predefined ACLs are hard-coded so that they do not have to be declared in
8836every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02008837order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01008838
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008839ACL name Equivalent to Usage
8840---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008841FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02008842HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008843HTTP_1.0 req_ver 1.0 match HTTP version 1.0
8844HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01008845HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
8846HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
8847HTTP_URL_SLASH url_beg / match URL beginning with "/"
8848HTTP_URL_STAR url * match URL equal to "*"
8849LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008850METH_CONNECT method CONNECT match HTTP CONNECT method
8851METH_GET method GET HEAD match HTTP GET or HEAD method
8852METH_HEAD method HEAD match HTTP HEAD method
8853METH_OPTIONS method OPTIONS match HTTP OPTIONS method
8854METH_POST method POST match HTTP POST method
8855METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02008856RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008857REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01008858TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008859WAIT_END wait_end wait for end of content analysis
8860---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008861
Willy Tarreauced27012008-01-17 20:35:34 +01008862
Willy Tarreauc57f0e22009-05-10 13:12:33 +020088637.7. Using ACLs to form conditions
8864----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01008865
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008866Some actions are only performed upon a valid condition. A condition is a
8867combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01008868
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008869 - AND (implicit)
8870 - OR (explicit with the "or" keyword or the "||" operator)
8871 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01008872
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008873A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01008874
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008875 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01008876
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008877Such conditions are generally used after an "if" or "unless" statement,
8878indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01008879
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008880For instance, to block HTTP requests to the "*" URL with methods other than
8881"OPTIONS", as well as POST requests without content-length, and GET or HEAD
8882requests with a content-length greater than 0, and finally every request which
8883is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01008884
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008885 acl missing_cl hdr_cnt(Content-length) eq 0
8886 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
8887 block if METH_GET HTTP_CONTENT
8888 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01008889
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008890To select a different backend for requests to static contents on the "www" site
8891and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01008892
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008893 acl url_static path_beg /static /images /img /css
8894 acl url_static path_end .gif .png .jpg .css .js
8895 acl host_www hdr_beg(host) -i www
8896 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01008897
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008898 # now use backend "static" for all static-only hosts, and for static urls
8899 # of host "www". Use backend "www" for the rest.
8900 use_backend static if host_static or host_www url_static
8901 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01008902
Willy Tarreau95fa4692010-02-01 13:05:50 +01008903It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
8904expressions that are built on the fly without needing to be declared. They must
8905be enclosed between braces, with a space before and after each brace (because
Jamie Gloudon801a0a32012-08-25 00:18:33 -04008906the braces must be seen as independent words). Example :
Willy Tarreau95fa4692010-02-01 13:05:50 +01008907
8908 The following rule :
8909
8910 acl missing_cl hdr_cnt(Content-length) eq 0
8911 block if METH_POST missing_cl
8912
8913 Can also be written that way :
8914
8915 block if METH_POST { hdr_cnt(Content-length) eq 0 }
8916
8917It is generally not recommended to use this construct because it's a lot easier
8918to leave errors in the configuration when written that way. However, for very
8919simple rules matching only one source IP address for instance, it can make more
8920sense to use them than to declare ACLs with random names. Another example of
8921good use is the following :
8922
8923 With named ACLs :
8924
8925 acl site_dead nbsrv(dynamic) lt 2
8926 acl site_dead nbsrv(static) lt 2
8927 monitor fail if site_dead
8928
8929 With anonymous ACLs :
8930
8931 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
8932
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008933See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01008934
Willy Tarreau5764b382007-11-30 17:46:49 +01008935
Willy Tarreaub937b7e2010-01-12 15:27:54 +010089367.8. Pattern extraction
8937-----------------------
8938
8939The stickiness features relies on pattern extraction in the request and
8940response. Sometimes the data needs to be converted first before being stored,
8941for instance converted from ASCII to IP or upper case to lower case.
8942
8943All these operations of data extraction and conversion are defined as
8944"pattern extraction rules". A pattern rule always has the same format. It
8945begins with a single pattern fetch word, potentially followed by a list of
8946arguments within parenthesis then an optional list of transformations. As
8947much as possible, the pattern fetch functions use the same name as their
8948equivalent used in ACLs.
8949
8950The list of currently supported pattern fetch functions is the following :
8951
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008952 base This returns the concatenation of the first Host header and the
8953 path part of the request, which starts at the first slash and
8954 ends before the question mark. It can be useful in virtual
8955 hosted environments to detect URL abuses as well as to improve
8956 shared caches efficiency. Using this with a limited size stick
8957 table also allows one to collect statistics about most commonly
8958 requested objects by host/path.
Emeric Brunb4354082012-09-28 17:28:03 +02008959 client_crt
8960 Returns 1 if a client certificate is present in an incoming
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008961 connection over SSL/TLS transport layer, otherwise 0.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +02008962
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008963 src This is the source IPv4 address of the client of the session.
David du Colombier9a6d3c92011-03-17 10:40:24 +01008964 It is of type IPv4 and works on both IPv4 and IPv6 tables.
8965 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8966 according to RFC 4291.
8967
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008968 dst This is the destination IPv4 address of the session on the
8969 client side, which is the address the client connected to.
8970 It can be useful when running in transparent mode. It is of
David du Colombier9a6d3c92011-03-17 10:40:24 +01008971 type IPv4 and works on both IPv4 and IPv6 tables.
8972 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent,
8973 according to RFC 4291.
8974
Willy Tarreaub937b7e2010-01-12 15:27:54 +01008975 dst_port This is the destination TCP port of the session on the client
8976 side, which is the port the client connected to. This might be
8977 used when running in transparent mode or when assigning dynamic
8978 ports to some clients for a whole application session. It is of
8979 type integer and only works with such tables.
8980
Willy Tarreau185b5c42012-04-26 15:11:51 +02008981 hdr(<name>[,<occ>])
8982 This extracts the last occurrence of header <name> in an HTTP
8983 request. Optionally, a specific occurrence might be specified as
8984 a position number. Positive values indicate a position from the
8985 first occurrence, with 1 being the first one. Negative values
8986 indicate positions relative to the last one, with -1 being the
8987 last one. A typical use is with the X-Forwarded-For header once
Willy Tarreaue428fb72011-12-16 21:50:30 +01008988 converted to IP, associated with an IP stick-table.
Willy Tarreau4a568972010-05-12 08:08:50 +02008989
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02008990 is_ssl This checks the transport layer used by incoming connection, and
8991 returns 1 if the connection was made via an SSL/TLS transport
8992 layer, otherwise zero.
Willy Tarreau7875d092012-09-10 08:20:03 +02008993
Willy Tarreau6812bcf2012-04-29 09:28:50 +02008994 path This extracts the request's URL path (without the host part). A
8995 typical use is with prefetch-capable caches, and with portals
8996 which need to aggregate multiple information from databases and
8997 keep them in caches. Note that with outgoing caches, it would be
8998 wiser to use "url" instead.
8999
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009000 payload(<offset>,<length>)
Emeric Brun6a1cefa2010-09-24 18:15:17 +02009001 This extracts a binary block of <length> bytes, and starting
9002 at bytes <offset> in the buffer of request or response (request
9003 on "stick on" or "stick match" or response in on "stick store
9004 response").
Willy Tarreaub937b7e2010-01-12 15:27:54 +01009005
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009006 payload_lv(<offset1>,<length>[,<offset2>])
Emeric Brun6a1cefa2010-09-24 18:15:17 +02009007 This extracts a binary block. In a first step the size of the
9008 block is read from response or request buffer at <offset>
9009 bytes and considered coded on <length> bytes. In a second step
9010 data of the block are read from buffer at <offset2> bytes
9011 (by default <lengthoffset> + <lengthsize>).
9012 If <offset2> is prefixed by '+' or '-', it is relative to
9013 <lengthoffset> + <lengthsize> else it is absolute.
9014 Ex: see SSL session id example in "stick table" chapter.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009015
Willy Tarreau25c1ebc2012-04-25 16:21:44 +02009016 src_port This is the source TCP port of the session on the client side,
9017 which is the port the client connected from. It is very unlikely
9018 that this function will be useful but it's available at no cost.
9019 It is of type integer and only works with such tables.
9020
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02009021 ssl_has_sni This checks the transport layer used by incoming connection, and
9022 returns 1 if the connection was made via an SSL/TLS transport
9023 layer and the client sent a Server Name Indication TLS extension,
Willy Tarreau7875d092012-09-10 08:20:03 +02009024 otherwise zero. This requires that the SSL library is build with
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02009025 support for TLS extensions enabled (check haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +02009026
Willy Tarreaua33c6542012-10-15 13:19:06 +02009027 ssl_npn This extracts the Next Protocol Negociation field from an
9028 incoming connection made via an SSL/TLS transport layer and
9029 locally deciphered by haproxy. The result is a string containing
9030 the protocol name advertised by the client. The SSL library must
9031 have been built with support for TLS extensions enabled (check
9032 haproxy -vv).
9033
Willy Tarreau7875d092012-09-10 08:20:03 +02009034 ssl_sni This extracts the Server Name Indication field from an incoming
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02009035 connection made via an SSL/TLS transport layer and locally
9036 deciphered by haproxy. The result typically is a string matching
9037 the HTTPS host name (253 chars or less). The SSL library must
9038 have been built with support for TLS extensions enabled (check
9039 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +02009040
Emeric Brun3603fbe2012-09-28 18:35:15 +02009041 ssl_verify_caerr
9042 Returns the ID of the first error detected during verify at
9043 depth > 0 or 0 if no errors.
9044
9045 ssl_verify_caerr_depth
9046 Returns the depth of the first error detected during verify.
9047
9048 ssl_verify_crterr
9049 Returns the ID of the first error detected during verify at
9050 depth == 0 or 0 if no errors.
9051
Emeric Brunc68af8d2012-09-28 18:14:24 +02009052 ssl_verify_result
9053 Returns the verify result errorID when the incoming connection
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02009054 was made over an SSL/TLS transport layer.
Emeric Brunc68af8d2012-09-28 18:14:24 +02009055
Willy Tarreau6812bcf2012-04-29 09:28:50 +02009056 url This extracts the request's URL as presented in the request. A
9057 typical use is with prefetch-capable caches, and with portals
9058 which need to aggregate multiple information from databases and
9059 keep them in caches. See also "path".
9060
9061 url_ip This extracts the IP address from the request's URL when the
9062 host part is presented as an IP address. Its use is very
9063 limited. For instance, a monitoring system might use this field
9064 as an alternative for the source IP in order to test what path a
9065 given source address would follow, or to force an entry in a
9066 table for a given source address.
9067
9068 url_port This extracts the port part from the request's URL. It probably
9069 is totally useless but it was available at no cost.
9070
bedis4c75cca2012-10-05 08:38:24 +02009071 url_param(<name>[,<delim>])
Cyril Bontédc4d9032012-04-08 21:57:39 +02009072 This extracts the first occurrence of the parameter <name> in
bedis4c75cca2012-10-05 08:38:24 +02009073 the parameter string of the request and uses the corresponding
9074 value to match. Optionally, a delimiter can be provided. If not
9075 then the question mark '?' is used by default.
9076 A typical use is to get sticky session through url for cases
9077 where cookies cannot be used.
9078
9079 Example :
9080 # match http://example.com/foo?PHPSESSIONID=some_id
9081 stick on url_param(PHPSESSIONID)
9082 # match http://example.com/foo;JSESSIONID=some_id
9083 stick on url_param(JSESSIONID,;)
David Cournapeau16023ee2010-12-23 20:55:41 +09009084
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009085 rdp_cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02009086 This extracts the value of the rdp cookie <name> as a string
9087 and uses this value to match. This enables implementation of
9088 persistence based on the mstshash cookie. This is typically
9089 done if there is no msts cookie present.
Simon Hormanab814e02011-06-24 14:50:20 +09009090
Cyril Bontédc4d9032012-04-08 21:57:39 +02009091 This differs from "balance rdp-cookie" in that any balancing
9092 algorithm may be used and thus the distribution of clients
9093 to backend servers is not linked to a hash of the RDP
9094 cookie. It is envisaged that using a balancing algorithm
9095 such as "balance roundrobin" or "balance leastconnect" will
9096 lead to a more even distribution of clients to backend
9097 servers than the hash used by "balance rdp-cookie".
Simon Hormanab814e02011-06-24 14:50:20 +09009098
Cyril Bontédc4d9032012-04-08 21:57:39 +02009099 Example :
9100 listen tse-farm
9101 bind 0.0.0.0:3389
9102 # wait up to 5s for an RDP cookie in the request
9103 tcp-request inspect-delay 5s
9104 tcp-request content accept if RDP_COOKIE
9105 # apply RDP cookie persistence
9106 persist rdp-cookie
9107 # Persist based on the mstshash cookie
9108 # This is only useful makes sense if
9109 # balance rdp-cookie is not used
9110 stick-table type string size 204800
9111 stick on rdp_cookie(mstshash)
9112 server srv1 1.1.1.1:3389
9113 server srv1 1.1.1.2:3389
Simon Hormanab814e02011-06-24 14:50:20 +09009114
Cyril Bontédc4d9032012-04-08 21:57:39 +02009115 See also : "balance rdp-cookie", "persist rdp-cookie",
9116 "tcp-request" and the "req_rdp_cookie" ACL.
Simon Hormanab814e02011-06-24 14:50:20 +09009117
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009118 cookie(<name>)
Cyril Bontédc4d9032012-04-08 21:57:39 +02009119 This extracts the last occurrence of the cookie name <name> on a
Willy Tarreau28376d62012-04-26 21:26:10 +02009120 "Cookie" header line from the request, or a "Set-Cookie" header
9121 from the response, and uses the corresponding value to match. A
9122 typical use is to get multiple clients sharing a same profile
9123 use the same server. This can be similar to what "appsession"
9124 does with the "request-learn" statement, but with support for
9125 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02009126
Cyril Bontédc4d9032012-04-08 21:57:39 +02009127 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02009128
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009129 set-cookie(<name>)
Willy Tarreau28376d62012-04-26 21:26:10 +02009130 This fetch function is deprecated and has been superseded by the
9131 "cookie" fetch which is capable of handling both requests and
9132 responses. This keyword will disappear soon.
9133
Cyril Bontédc4d9032012-04-08 21:57:39 +02009134 This extracts the last occurrence of the cookie name <name> on a
9135 "Set-Cookie" header line from the response and uses the
9136 corresponding value to match. This can be comparable to what
9137 "appsession" does with default options, but with support for
9138 multi-peer synchronization and state keeping across restarts.
Willy Tarreaub3eb2212011-07-01 16:16:17 +02009139
Cyril Bontédc4d9032012-04-08 21:57:39 +02009140 See also : "appsession"
Willy Tarreaub3eb2212011-07-01 16:16:17 +02009141
Simon Hormanab814e02011-06-24 14:50:20 +09009142
Willy Tarreaub937b7e2010-01-12 15:27:54 +01009143The currently available list of transformations include :
9144
9145 lower Convert a string pattern to lower case. This can only be placed
9146 after a string pattern fetch function or after a conversion
9147 function returning a string type. The result is of type string.
9148
9149 upper Convert a string pattern to upper case. This can only be placed
9150 after a string pattern fetch function or after a conversion
9151 function returning a string type. The result is of type string.
9152
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009153 ipmask(<mask>) Apply a mask to an IPv4 address, and use the result for lookups
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01009154 and storage. This can be used to make all hosts within a
9155 certain mask to share the same table entries and as such use
9156 the same server. The mask can be passed in dotted form (eg:
9157 255.255.255.0) or in CIDR form (eg: 24).
9158
Willy Tarreaub937b7e2010-01-12 15:27:54 +01009159
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091608. Logging
9161----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01009162
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009163One of HAProxy's strong points certainly lies is its precise logs. It probably
9164provides the finest level of information available for such a product, which is
9165very important for troubleshooting complex environments. Standard information
9166provided in logs include client ports, TCP/HTTP state timers, precise session
9167state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009168to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009169headers.
9170
9171In order to improve administrators reactivity, it offers a great transparency
9172about encountered problems, both internal and external, and it is possible to
9173send logs to different sources at the same time with different level filters :
9174
9175 - global process-level logs (system errors, start/stop, etc..)
9176 - per-instance system and internal errors (lack of resource, bugs, ...)
9177 - per-instance external troubles (servers up/down, max connections)
9178 - per-instance activity (client connections), either at the establishment or
9179 at the termination.
9180
9181The ability to distribute different levels of logs to different log servers
9182allow several production teams to interact and to fix their problems as soon
9183as possible. For example, the system team might monitor system-wide errors,
9184while the application team might be monitoring the up/down for their servers in
9185real time, and the security team might analyze the activity logs with one hour
9186delay.
9187
9188
Willy Tarreauc57f0e22009-05-10 13:12:33 +020091898.1. Log levels
9190---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009191
Simon Hormandf791f52011-05-29 15:01:10 +09009192TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009193source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +09009194HTTP request, HTTP return code, number of bytes transmitted, conditions
9195in which the session ended, and even exchanged cookies values. For example
9196track a particular user's problems. All messages may be sent to up to two
9197syslog servers. Check the "log" keyword in section 4.2 for more information
9198about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009199
9200
Willy Tarreauc57f0e22009-05-10 13:12:33 +020092018.2. Log formats
9202----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009203
William Lallemand48940402012-01-30 16:47:22 +01009204HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +09009205and will be detailed in the following sections. A few of them may vary
9206slightly with the configuration, due to indicators specific to certain
9207options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009208
9209 - the default format, which is very basic and very rarely used. It only
9210 provides very basic information about the incoming connection at the moment
9211 it is accepted : source IP:port, destination IP:port, and frontend-name.
9212 This mode will eventually disappear so it will not be described to great
9213 extents.
9214
9215 - the TCP format, which is more advanced. This format is enabled when "option
9216 tcplog" is set on the frontend. HAProxy will then usually wait for the
9217 connection to terminate before logging. This format provides much richer
9218 information, such as timers, connection counts, queue size, etc... This
9219 format is recommended for pure TCP proxies.
9220
9221 - the HTTP format, which is the most advanced for HTTP proxying. This format
9222 is enabled when "option httplog" is set on the frontend. It provides the
9223 same information as the TCP format with some HTTP-specific fields such as
9224 the request, the status code, and captures of headers and cookies. This
9225 format is recommended for HTTP proxies.
9226
Emeric Brun3a058f32009-06-30 18:26:00 +02009227 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
9228 fields arranged in the same order as the CLF format. In this mode, all
9229 timers, captures, flags, etc... appear one per field after the end of the
9230 common fields, in the same order they appear in the standard HTTP format.
9231
William Lallemand48940402012-01-30 16:47:22 +01009232 - the custom log format, allows you to make your own log line.
9233
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009234Next sections will go deeper into details for each of these formats. Format
9235specification will be performed on a "field" basis. Unless stated otherwise, a
9236field is a portion of text delimited by any number of spaces. Since syslog
9237servers are susceptible of inserting fields at the beginning of a line, it is
9238always assumed that the first field is the one containing the process name and
9239identifier.
9240
9241Note : Since log lines may be quite long, the log examples in sections below
9242 might be broken into multiple lines. The example log lines will be
9243 prefixed with 3 closing angle brackets ('>>>') and each time a log is
9244 broken into multiple lines, each non-final line will end with a
9245 backslash ('\') and the next line will start indented by two characters.
9246
9247
Willy Tarreauc57f0e22009-05-10 13:12:33 +020092488.2.1. Default log format
9249-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009250
9251This format is used when no specific option is set. The log is emitted as soon
9252as the connection is accepted. One should note that this currently is the only
9253format which logs the request's destination IP and ports.
9254
9255 Example :
9256 listen www
9257 mode http
9258 log global
9259 server srv1 127.0.0.1:8000
9260
9261 >>> Feb 6 12:12:09 localhost \
9262 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
9263 (www/HTTP)
9264
9265 Field Format Extract from the example above
9266 1 process_name '[' pid ']:' haproxy[14385]:
9267 2 'Connect from' Connect from
9268 3 source_ip ':' source_port 10.0.1.2:33312
9269 4 'to' to
9270 5 destination_ip ':' destination_port 10.0.3.31:8012
9271 6 '(' frontend_name '/' mode ')' (www/HTTP)
9272
9273Detailed fields description :
9274 - "source_ip" is the IP address of the client which initiated the connection.
9275 - "source_port" is the TCP port of the client which initiated the connection.
9276 - "destination_ip" is the IP address the client connected to.
9277 - "destination_port" is the TCP port the client connected to.
9278 - "frontend_name" is the name of the frontend (or listener) which received
9279 and processed the connection.
9280 - "mode is the mode the frontend is operating (TCP or HTTP).
9281
Willy Tarreauceb24bc2010-11-09 12:46:41 +01009282In case of a UNIX socket, the source and destination addresses are marked as
9283"unix:" and the ports reflect the internal ID of the socket which accepted the
9284connection (the same ID as reported in the stats).
9285
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009286It is advised not to use this deprecated format for newer installations as it
9287will eventually disappear.
9288
9289
Willy Tarreauc57f0e22009-05-10 13:12:33 +020092908.2.2. TCP log format
9291---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009292
9293The TCP format is used when "option tcplog" is specified in the frontend, and
9294is the recommended format for pure TCP proxies. It provides a lot of precious
9295information for troubleshooting. Since this format includes timers and byte
9296counts, the log is normally emitted at the end of the session. It can be
9297emitted earlier if "option logasap" is specified, which makes sense in most
9298environments with long sessions such as remote terminals. Sessions which match
9299the "monitor" rules are never logged. It is also possible not to emit logs for
9300sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009301specifying "option dontlognull" in the frontend. Successful connections will
9302not be logged if "option dontlog-normal" is specified in the frontend. A few
9303fields may slightly vary depending on some configuration options, those are
9304marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009305
9306 Example :
9307 frontend fnt
9308 mode tcp
9309 option tcplog
9310 log global
9311 default_backend bck
9312
9313 backend bck
9314 server srv1 127.0.0.1:8000
9315
9316 >>> Feb 6 12:12:56 localhost \
9317 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
9318 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
9319
9320 Field Format Extract from the example above
9321 1 process_name '[' pid ']:' haproxy[14387]:
9322 2 client_ip ':' client_port 10.0.1.2:33313
9323 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
9324 4 frontend_name fnt
9325 5 backend_name '/' server_name bck/srv1
9326 6 Tw '/' Tc '/' Tt* 0/0/5007
9327 7 bytes_read* 212
9328 8 termination_state --
9329 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
9330 10 srv_queue '/' backend_queue 0/0
9331
9332Detailed fields description :
9333 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01009334 connection to haproxy. If the connection was accepted on a UNIX socket
9335 instead, the IP address would be replaced with the word "unix". Note that
9336 when the connection is accepted on a socket configured with "accept-proxy"
9337 and the PROXY protocol is correctly used, then the logs will reflect the
9338 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009339
9340 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01009341 If the connection was accepted on a UNIX socket instead, the port would be
9342 replaced with the ID of the accepting socket, which is also reported in the
9343 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009344
9345 - "accept_date" is the exact date when the connection was received by haproxy
9346 (which might be very slightly different from the date observed on the
9347 network if there was some queuing in the system's backlog). This is usually
9348 the same date which may appear in any upstream firewall's log.
9349
9350 - "frontend_name" is the name of the frontend (or listener) which received
9351 and processed the connection.
9352
9353 - "backend_name" is the name of the backend (or listener) which was selected
9354 to manage the connection to the server. This will be the same as the
9355 frontend if no switching rule has been applied, which is common for TCP
9356 applications.
9357
9358 - "server_name" is the name of the last server to which the connection was
9359 sent, which might differ from the first one if there were connection errors
9360 and a redispatch occurred. Note that this server belongs to the backend
9361 which processed the request. If the connection was aborted before reaching
9362 a server, "<NOSRV>" is indicated instead of a server name.
9363
9364 - "Tw" is the total time in milliseconds spent waiting in the various queues.
9365 It can be "-1" if the connection was aborted before reaching the queue.
9366 See "Timers" below for more details.
9367
9368 - "Tc" is the total time in milliseconds spent waiting for the connection to
9369 establish to the final server, including retries. It can be "-1" if the
9370 connection was aborted before a connection could be established. See
9371 "Timers" below for more details.
9372
9373 - "Tt" is the total time in milliseconds elapsed between the accept and the
9374 last close. It covers all possible processings. There is one exception, if
9375 "option logasap" was specified, then the time counting stops at the moment
9376 the log is emitted. In this case, a '+' sign is prepended before the value,
9377 indicating that the final one will be larger. See "Timers" below for more
9378 details.
9379
9380 - "bytes_read" is the total number of bytes transmitted from the server to
9381 the client when the log is emitted. If "option logasap" is specified, the
9382 this value will be prefixed with a '+' sign indicating that the final one
9383 may be larger. Please note that this value is a 64-bit counter, so log
9384 analysis tools must be able to handle it without overflowing.
9385
9386 - "termination_state" is the condition the session was in when the session
9387 ended. This indicates the session state, which side caused the end of
9388 session to happen, and for what reason (timeout, error, ...). The normal
9389 flags should be "--", indicating the session was closed by either end with
9390 no data remaining in buffers. See below "Session state at disconnection"
9391 for more details.
9392
9393 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009394 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009395 limits have been reached. For instance, if actconn is close to 512 when
9396 multiple connection errors occur, chances are high that the system limits
9397 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009398 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009399
9400 - "feconn" is the total number of concurrent connections on the frontend when
9401 the session was logged. It is useful to estimate the amount of resource
9402 required to sustain high loads, and to detect when the frontend's "maxconn"
9403 has been reached. Most often when this value increases by huge jumps, it is
9404 because there is congestion on the backend servers, but sometimes it can be
9405 caused by a denial of service attack.
9406
9407 - "beconn" is the total number of concurrent connections handled by the
9408 backend when the session was logged. It includes the total number of
9409 concurrent connections active on servers as well as the number of
9410 connections pending in queues. It is useful to estimate the amount of
9411 additional servers needed to support high loads for a given application.
9412 Most often when this value increases by huge jumps, it is because there is
9413 congestion on the backend servers, but sometimes it can be caused by a
9414 denial of service attack.
9415
9416 - "srv_conn" is the total number of concurrent connections still active on
9417 the server when the session was logged. It can never exceed the server's
9418 configured "maxconn" parameter. If this value is very often close or equal
9419 to the server's "maxconn", it means that traffic regulation is involved a
9420 lot, meaning that either the server's maxconn value is too low, or that
9421 there aren't enough servers to process the load with an optimal response
9422 time. When only one of the server's "srv_conn" is high, it usually means
9423 that this server has some trouble causing the connections to take longer to
9424 be processed than on other servers.
9425
9426 - "retries" is the number of connection retries experienced by this session
9427 when trying to connect to the server. It must normally be zero, unless a
9428 server is being stopped at the same moment the connection was attempted.
9429 Frequent retries generally indicate either a network problem between
9430 haproxy and the server, or a misconfigured system backlog on the server
9431 preventing new connections from being queued. This field may optionally be
9432 prefixed with a '+' sign, indicating that the session has experienced a
9433 redispatch after the maximal retry count has been reached on the initial
9434 server. In this case, the server name appearing in the log is the one the
9435 connection was redispatched to, and not the first one, though both may
9436 sometimes be the same in case of hashing for instance. So as a general rule
9437 of thumb, when a '+' is present in front of the retry count, this count
9438 should not be attributed to the logged server.
9439
9440 - "srv_queue" is the total number of requests which were processed before
9441 this one in the server queue. It is zero when the request has not gone
9442 through the server queue. It makes it possible to estimate the approximate
9443 server's response time by dividing the time spent in queue by the number of
9444 requests in the queue. It is worth noting that if a session experiences a
9445 redispatch and passes through two server queues, their positions will be
9446 cumulated. A request should not pass through both the server queue and the
9447 backend queue unless a redispatch occurs.
9448
9449 - "backend_queue" is the total number of requests which were processed before
9450 this one in the backend's global queue. It is zero when the request has not
9451 gone through the global queue. It makes it possible to estimate the average
9452 queue length, which easily translates into a number of missing servers when
9453 divided by a server's "maxconn" parameter. It is worth noting that if a
9454 session experiences a redispatch, it may pass twice in the backend's queue,
9455 and then both positions will be cumulated. A request should not pass
9456 through both the server queue and the backend queue unless a redispatch
9457 occurs.
9458
9459
Willy Tarreauc57f0e22009-05-10 13:12:33 +020094608.2.3. HTTP log format
9461----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009462
9463The HTTP format is the most complete and the best suited for HTTP proxies. It
9464is enabled by when "option httplog" is specified in the frontend. It provides
9465the same level of information as the TCP format with additional features which
9466are specific to the HTTP protocol. Just like the TCP format, the log is usually
9467emitted at the end of the session, unless "option logasap" is specified, which
9468generally only makes sense for download sites. A session which matches the
9469"monitor" rules will never logged. It is also possible not to log sessions for
9470which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009471frontend. Successful connections will not be logged if "option dontlog-normal"
9472is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009473
9474Most fields are shared with the TCP log, some being different. A few fields may
9475slightly vary depending on some configuration options. Those ones are marked
9476with a star ('*') after the field name below.
9477
9478 Example :
9479 frontend http-in
9480 mode http
9481 option httplog
9482 log global
9483 default_backend bck
9484
9485 backend static
9486 server srv1 127.0.0.1:8000
9487
9488 >>> Feb 6 12:14:14 localhost \
9489 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
9490 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01009491 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009492
9493 Field Format Extract from the example above
9494 1 process_name '[' pid ']:' haproxy[14389]:
9495 2 client_ip ':' client_port 10.0.1.2:33317
9496 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
9497 4 frontend_name http-in
9498 5 backend_name '/' server_name static/srv1
9499 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
9500 7 status_code 200
9501 8 bytes_read* 2750
9502 9 captured_request_cookie -
9503 10 captured_response_cookie -
9504 11 termination_state ----
9505 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
9506 13 srv_queue '/' backend_queue 0/0
9507 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
9508 15 '{' captured_response_headers* '}' {}
9509 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01009510
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009511
9512Detailed fields description :
9513 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +01009514 connection to haproxy. If the connection was accepted on a UNIX socket
9515 instead, the IP address would be replaced with the word "unix". Note that
9516 when the connection is accepted on a socket configured with "accept-proxy"
9517 and the PROXY protocol is correctly used, then the logs will reflect the
9518 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009519
9520 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +01009521 If the connection was accepted on a UNIX socket instead, the port would be
9522 replaced with the ID of the accepting socket, which is also reported in the
9523 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009524
9525 - "accept_date" is the exact date when the TCP connection was received by
9526 haproxy (which might be very slightly different from the date observed on
9527 the network if there was some queuing in the system's backlog). This is
9528 usually the same date which may appear in any upstream firewall's log. This
9529 does not depend on the fact that the client has sent the request or not.
9530
9531 - "frontend_name" is the name of the frontend (or listener) which received
9532 and processed the connection.
9533
9534 - "backend_name" is the name of the backend (or listener) which was selected
9535 to manage the connection to the server. This will be the same as the
9536 frontend if no switching rule has been applied.
9537
9538 - "server_name" is the name of the last server to which the connection was
9539 sent, which might differ from the first one if there were connection errors
9540 and a redispatch occurred. Note that this server belongs to the backend
9541 which processed the request. If the request was aborted before reaching a
9542 server, "<NOSRV>" is indicated instead of a server name. If the request was
9543 intercepted by the stats subsystem, "<STATS>" is indicated instead.
9544
9545 - "Tq" is the total time in milliseconds spent waiting for the client to send
9546 a full HTTP request, not counting data. It can be "-1" if the connection
9547 was aborted before a complete request could be received. It should always
9548 be very small because a request generally fits in one single packet. Large
9549 times here generally indicate network trouble between the client and
9550 haproxy. See "Timers" below for more details.
9551
9552 - "Tw" is the total time in milliseconds spent waiting in the various queues.
9553 It can be "-1" if the connection was aborted before reaching the queue.
9554 See "Timers" below for more details.
9555
9556 - "Tc" is the total time in milliseconds spent waiting for the connection to
9557 establish to the final server, including retries. It can be "-1" if the
9558 request was aborted before a connection could be established. See "Timers"
9559 below for more details.
9560
9561 - "Tr" is the total time in milliseconds spent waiting for the server to send
9562 a full HTTP response, not counting data. It can be "-1" if the request was
9563 aborted before a complete response could be received. It generally matches
9564 the server's processing time for the request, though it may be altered by
9565 the amount of data sent by the client to the server. Large times here on
9566 "GET" requests generally indicate an overloaded server. See "Timers" below
9567 for more details.
9568
9569 - "Tt" is the total time in milliseconds elapsed between the accept and the
9570 last close. It covers all possible processings. There is one exception, if
9571 "option logasap" was specified, then the time counting stops at the moment
9572 the log is emitted. In this case, a '+' sign is prepended before the value,
9573 indicating that the final one will be larger. See "Timers" below for more
9574 details.
9575
9576 - "status_code" is the HTTP status code returned to the client. This status
9577 is generally set by the server, but it might also be set by haproxy when
9578 the server cannot be reached or when its response is blocked by haproxy.
9579
9580 - "bytes_read" is the total number of bytes transmitted to the client when
9581 the log is emitted. This does include HTTP headers. If "option logasap" is
9582 specified, the this value will be prefixed with a '+' sign indicating that
9583 the final one may be larger. Please note that this value is a 64-bit
9584 counter, so log analysis tools must be able to handle it without
9585 overflowing.
9586
9587 - "captured_request_cookie" is an optional "name=value" entry indicating that
9588 the client had this cookie in the request. The cookie name and its maximum
9589 length are defined by the "capture cookie" statement in the frontend
9590 configuration. The field is a single dash ('-') when the option is not
9591 set. Only one cookie may be captured, it is generally used to track session
9592 ID exchanges between a client and a server to detect session crossing
9593 between clients due to application bugs. For more details, please consult
9594 the section "Capturing HTTP headers and cookies" below.
9595
9596 - "captured_response_cookie" is an optional "name=value" entry indicating
9597 that the server has returned a cookie with its response. The cookie name
9598 and its maximum length are defined by the "capture cookie" statement in the
9599 frontend configuration. The field is a single dash ('-') when the option is
9600 not set. Only one cookie may be captured, it is generally used to track
9601 session ID exchanges between a client and a server to detect session
9602 crossing between clients due to application bugs. For more details, please
9603 consult the section "Capturing HTTP headers and cookies" below.
9604
9605 - "termination_state" is the condition the session was in when the session
9606 ended. This indicates the session state, which side caused the end of
9607 session to happen, for what reason (timeout, error, ...), just like in TCP
9608 logs, and information about persistence operations on cookies in the last
9609 two characters. The normal flags should begin with "--", indicating the
9610 session was closed by either end with no data remaining in buffers. See
9611 below "Session state at disconnection" for more details.
9612
9613 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009614 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009615 limits have been reached. For instance, if actconn is close to 512 or 1024
9616 when multiple connection errors occur, chances are high that the system
9617 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009618 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009619 system.
9620
9621 - "feconn" is the total number of concurrent connections on the frontend when
9622 the session was logged. It is useful to estimate the amount of resource
9623 required to sustain high loads, and to detect when the frontend's "maxconn"
9624 has been reached. Most often when this value increases by huge jumps, it is
9625 because there is congestion on the backend servers, but sometimes it can be
9626 caused by a denial of service attack.
9627
9628 - "beconn" is the total number of concurrent connections handled by the
9629 backend when the session was logged. It includes the total number of
9630 concurrent connections active on servers as well as the number of
9631 connections pending in queues. It is useful to estimate the amount of
9632 additional servers needed to support high loads for a given application.
9633 Most often when this value increases by huge jumps, it is because there is
9634 congestion on the backend servers, but sometimes it can be caused by a
9635 denial of service attack.
9636
9637 - "srv_conn" is the total number of concurrent connections still active on
9638 the server when the session was logged. It can never exceed the server's
9639 configured "maxconn" parameter. If this value is very often close or equal
9640 to the server's "maxconn", it means that traffic regulation is involved a
9641 lot, meaning that either the server's maxconn value is too low, or that
9642 there aren't enough servers to process the load with an optimal response
9643 time. When only one of the server's "srv_conn" is high, it usually means
9644 that this server has some trouble causing the requests to take longer to be
9645 processed than on other servers.
9646
9647 - "retries" is the number of connection retries experienced by this session
9648 when trying to connect to the server. It must normally be zero, unless a
9649 server is being stopped at the same moment the connection was attempted.
9650 Frequent retries generally indicate either a network problem between
9651 haproxy and the server, or a misconfigured system backlog on the server
9652 preventing new connections from being queued. This field may optionally be
9653 prefixed with a '+' sign, indicating that the session has experienced a
9654 redispatch after the maximal retry count has been reached on the initial
9655 server. In this case, the server name appearing in the log is the one the
9656 connection was redispatched to, and not the first one, though both may
9657 sometimes be the same in case of hashing for instance. So as a general rule
9658 of thumb, when a '+' is present in front of the retry count, this count
9659 should not be attributed to the logged server.
9660
9661 - "srv_queue" is the total number of requests which were processed before
9662 this one in the server queue. It is zero when the request has not gone
9663 through the server queue. It makes it possible to estimate the approximate
9664 server's response time by dividing the time spent in queue by the number of
9665 requests in the queue. It is worth noting that if a session experiences a
9666 redispatch and passes through two server queues, their positions will be
9667 cumulated. A request should not pass through both the server queue and the
9668 backend queue unless a redispatch occurs.
9669
9670 - "backend_queue" is the total number of requests which were processed before
9671 this one in the backend's global queue. It is zero when the request has not
9672 gone through the global queue. It makes it possible to estimate the average
9673 queue length, which easily translates into a number of missing servers when
9674 divided by a server's "maxconn" parameter. It is worth noting that if a
9675 session experiences a redispatch, it may pass twice in the backend's queue,
9676 and then both positions will be cumulated. A request should not pass
9677 through both the server queue and the backend queue unless a redispatch
9678 occurs.
9679
9680 - "captured_request_headers" is a list of headers captured in the request due
9681 to the presence of the "capture request header" statement in the frontend.
9682 Multiple headers can be captured, they will be delimited by a vertical bar
9683 ('|'). When no capture is enabled, the braces do not appear, causing a
9684 shift of remaining fields. It is important to note that this field may
9685 contain spaces, and that using it requires a smarter log parser than when
9686 it's not used. Please consult the section "Capturing HTTP headers and
9687 cookies" below for more details.
9688
9689 - "captured_response_headers" is a list of headers captured in the response
9690 due to the presence of the "capture response header" statement in the
9691 frontend. Multiple headers can be captured, they will be delimited by a
9692 vertical bar ('|'). When no capture is enabled, the braces do not appear,
9693 causing a shift of remaining fields. It is important to note that this
9694 field may contain spaces, and that using it requires a smarter log parser
9695 than when it's not used. Please consult the section "Capturing HTTP headers
9696 and cookies" below for more details.
9697
9698 - "http_request" is the complete HTTP request line, including the method,
9699 request and HTTP version string. Non-printable characters are encoded (see
9700 below the section "Non-printable characters"). This is always the last
9701 field, and it is always delimited by quotes and is the only one which can
9702 contain quotes. If new fields are added to the log format, they will be
9703 added before this field. This field might be truncated if the request is
9704 huge and does not fit in the standard syslog buffer (1024 characters). This
9705 is the reason why this field must always remain the last one.
9706
9707
Cyril Bontédc4d9032012-04-08 21:57:39 +020097088.2.4. Custom log format
9709------------------------
William Lallemand48940402012-01-30 16:47:22 +01009710
William Lallemandbddd4fd2012-02-27 11:23:10 +01009711The directive log-format allows you to custom the logs in http mode and tcp
9712mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +01009713
9714HAproxy understands some log format variables. % precedes log format variables.
9715Variables can take arguments using braces ('{}'), and multiple arguments are
9716separated by commas within the braces. Flags may be added or removed by
9717prefixing them with a '+' or '-' sign.
9718
9719Special variable "%o" may be used to propagate its flags to all other
9720variables on the same format string. This is particularly handy with quoted
9721string formats ("Q").
9722
9723Note: spaces must be escaped. A space character is considered as a separator.
9724HAproxy will automatically merge consecutive separators.
9725
9726Flags are :
9727 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009728 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +01009729
9730 Example:
9731
9732 log-format %T\ %t\ Some\ Text
9733 log-format %{+Q}o\ %t\ %s\ %{-Q}r
9734
9735At the moment, the default HTTP format is defined this way :
9736
Willy Tarreau773d65f2012-10-12 14:56:11 +02009737 log-format %Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \
Willy Tarreau6580c062012-03-12 15:09:42 +01009738 %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +01009739
William Lallemandbddd4fd2012-02-27 11:23:10 +01009740the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +01009741
9742 log-format %{+Q}o\ %{-Q}Ci\ -\ -\ [%T]\ %r\ %st\ %B\ \"\"\ \"\"\ %Cp\ \
Willy Tarreau773d65f2012-10-12 14:56:11 +02009743 %ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
William Lallemand48940402012-01-30 16:47:22 +01009744 %bc\ %sc\ %rc\ %sq\ %bq\ %cc\ %cs\ \%hrl\ %hsl
9745
William Lallemandbddd4fd2012-02-27 11:23:10 +01009746and the default TCP format is defined this way :
9747
Willy Tarreau773d65f2012-10-12 14:56:11 +02009748 log-format %Ci:%Cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
William Lallemandbddd4fd2012-02-27 11:23:10 +01009749 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
9750
William Lallemand48940402012-01-30 16:47:22 +01009751Please refer to the table below for currently defined variables :
9752
William Lallemandbddd4fd2012-02-27 11:23:10 +01009753 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009754 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009755 +---+------+-----------------------------------------------+-------------+
9756 | | %o | special variable, apply flags on all next var | |
9757 +---+------+-----------------------------------------------+-------------+
9758 | | %B | bytes_read | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009759 | | %Ci | client_ip | IP |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009760 | | %Cp | client_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009761 | | %Bi | backend_source_ip | IP |
William Lallemandb7ff6a32012-03-02 14:35:21 +01009762 | | %Bp | backend_source_port | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009763 | | %Fi | frontend_ip | IP |
9764 | | %Fp | frontend_port | numeric |
9765 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +01009766 | | %ID | unique-id | string |
William Lallemand5f232402012-04-05 18:02:55 +02009767 | | %Si | server_IP | IP |
9768 | | %Sp | server_port | numeric |
9769 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009770 | | %Tc | Tc | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009771 | H | %Tq | Tq | numeric |
9772 | H | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009773 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009774 | | %Tt | Tt | numeric |
9775 | | %Tw | Tw | numeric |
9776 | | %ac | actconn | numeric |
9777 | | %b | backend_name | string |
9778 | | %bc | beconn | numeric |
9779 | | %bq | backend_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009780 | H | %cc | captured_request_cookie | string |
9781 | H | %rt | http_request_counter | numeric |
9782 | H | %cs | captured_response_cookie | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009783 | | %f | frontend_name | string |
Willy Tarreau773d65f2012-10-12 14:56:11 +02009784 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009785 | | %fc | feconn | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009786 | H | %hr | captured_request_headers default style | string |
9787 | H | %hrl | captured_request_headers CLF style | string list |
9788 | H | %hs | captured_response_headers default style | string |
9789 | H | %hsl | captured_response_headers CLF style | string list |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009790 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009791 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009792 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009793 | | %rc | retries | numeric |
9794 | | %s | server_name | string |
9795 | | %sc | srv_conn | numeric |
9796 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009797 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
9798 | S | %sslv| ssl_version (ex: TLSv1) | string |
9799 | H | %st | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +02009800 | | %t | date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009801 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009802 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +01009803 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +01009804
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02009805 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +01009806
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098078.3. Advanced logging options
9808-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009809
9810Some advanced logging options are often looked for but are not easy to find out
9811just by looking at the various options. Here is an entry point for the few
9812options which can enable better logging. Please refer to the keywords reference
9813for more information about their usage.
9814
9815
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098168.3.1. Disabling logging of external tests
9817------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009818
9819It is quite common to have some monitoring tools perform health checks on
9820haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
9821commercial load-balancer, and sometimes it will simply be a more complete
9822monitoring system such as Nagios. When the tests are very frequent, users often
9823ask how to disable logging for those checks. There are three possibilities :
9824
9825 - if connections come from everywhere and are just TCP probes, it is often
9826 desired to simply disable logging of connections without data exchange, by
9827 setting "option dontlognull" in the frontend. It also disables logging of
9828 port scans, which may or may not be desired.
9829
9830 - if the connection come from a known source network, use "monitor-net" to
9831 declare this network as monitoring only. Any host in this network will then
9832 only be able to perform health checks, and their requests will not be
9833 logged. This is generally appropriate to designate a list of equipments
9834 such as other load-balancers.
9835
9836 - if the tests are performed on a known URI, use "monitor-uri" to declare
9837 this URI as dedicated to monitoring. Any host sending this request will
9838 only get the result of a health-check, and the request will not be logged.
9839
9840
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098418.3.2. Logging before waiting for the session to terminate
9842----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009843
9844The problem with logging at end of connection is that you have no clue about
9845what is happening during very long sessions, such as remote terminal sessions
9846or large file downloads. This problem can be worked around by specifying
9847"option logasap" in the frontend. Haproxy will then log as soon as possible,
9848just before data transfer begins. This means that in case of TCP, it will still
9849log the connection status to the server, and in case of HTTP, it will log just
9850after processing the server headers. In this case, the number of bytes reported
9851is the number of header bytes sent to the client. In order to avoid confusion
9852with normal logs, the total time field and the number of bytes are prefixed
9853with a '+' sign which means that real numbers are certainly larger.
9854
9855
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098568.3.3. Raising log level upon errors
9857------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009858
9859Sometimes it is more convenient to separate normal traffic from errors logs,
9860for instance in order to ease error monitoring from log files. When the option
9861"log-separate-errors" is used, connections which experience errors, timeouts,
9862retries, redispatches or HTTP status codes 5xx will see their syslog level
9863raised from "info" to "err". This will help a syslog daemon store the log in
9864a separate file. It is very important to keep the errors in the normal traffic
9865file too, so that log ordering is not altered. You should also be careful if
9866you already have configured your syslog daemon to store all logs higher than
9867"notice" in an "admin" file, because the "err" level is higher than "notice".
9868
9869
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098708.3.4. Disabling logging of successful connections
9871--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009872
9873Although this may sound strange at first, some large sites have to deal with
9874multiple thousands of logs per second and are experiencing difficulties keeping
9875them intact for a long time or detecting errors within them. If the option
9876"dontlog-normal" is set on the frontend, all normal connections will not be
9877logged. In this regard, a normal connection is defined as one without any
9878error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
9879and a response with a status 5xx is not considered normal and will be logged
9880too. Of course, doing is is really discouraged as it will remove most of the
9881useful information from the logs. Do this only if you have no other
9882alternative.
9883
9884
Willy Tarreauc57f0e22009-05-10 13:12:33 +020098858.4. Timing events
9886------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009887
9888Timers provide a great help in troubleshooting network problems. All values are
9889reported in milliseconds (ms). These timers should be used in conjunction with
9890the session termination flags. In TCP mode with "option tcplog" set on the
9891frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
9892mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
9893
9894 - Tq: total time to get the client request (HTTP mode only). It's the time
9895 elapsed between the moment the client connection was accepted and the
9896 moment the proxy received the last HTTP header. The value "-1" indicates
9897 that the end of headers (empty line) has never been seen. This happens when
9898 the client closes prematurely or times out.
9899
9900 - Tw: total time spent in the queues waiting for a connection slot. It
9901 accounts for backend queue as well as the server queues, and depends on the
9902 queue size, and the time needed for the server to complete previous
9903 requests. The value "-1" means that the request was killed before reaching
9904 the queue, which is generally what happens with invalid or denied requests.
9905
9906 - Tc: total time to establish the TCP connection to the server. It's the time
9907 elapsed between the moment the proxy sent the connection request, and the
9908 moment it was acknowledged by the server, or between the TCP SYN packet and
9909 the matching SYN/ACK packet in return. The value "-1" means that the
9910 connection never established.
9911
9912 - Tr: server response time (HTTP mode only). It's the time elapsed between
9913 the moment the TCP connection was established to the server and the moment
9914 the server sent its complete response headers. It purely shows its request
9915 processing time, without the network overhead due to the data transmission.
9916 It is worth noting that when the client has data to send to the server, for
9917 instance during a POST request, the time already runs, and this can distort
9918 apparent response time. For this reason, it's generally wise not to trust
9919 too much this field for POST requests initiated from clients behind an
9920 untrusted network. A value of "-1" here means that the last the response
9921 header (empty line) was never seen, most likely because the server timeout
9922 stroke before the server managed to process the request.
9923
9924 - Tt: total session duration time, between the moment the proxy accepted it
9925 and the moment both ends were closed. The exception is when the "logasap"
9926 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
9927 prefixed with a '+' sign. From this field, we can deduce "Td", the data
9928 transmission time, by substracting other timers when valid :
9929
9930 Td = Tt - (Tq + Tw + Tc + Tr)
9931
9932 Timers with "-1" values have to be excluded from this equation. In TCP
9933 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
9934 negative.
9935
9936These timers provide precious indications on trouble causes. Since the TCP
9937protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
9938that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009939due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009940close to a timeout value specified in the configuration, it often means that a
9941session has been aborted on timeout.
9942
9943Most common cases :
9944
9945 - If "Tq" is close to 3000, a packet has probably been lost between the
9946 client and the proxy. This is very rare on local networks but might happen
9947 when clients are on far remote networks and send large requests. It may
9948 happen that values larger than usual appear here without any network cause.
9949 Sometimes, during an attack or just after a resource starvation has ended,
9950 haproxy may accept thousands of connections in a few milliseconds. The time
9951 spent accepting these connections will inevitably slightly delay processing
9952 of other connections, and it can happen that request times in the order of
9953 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02009954 connections have been accepted at once. Setting "option http-server-close"
9955 may display larger request times since "Tq" also measures the time spent
9956 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009957
9958 - If "Tc" is close to 3000, a packet has probably been lost between the
9959 server and the proxy during the server connection phase. This value should
9960 always be very low, such as 1 ms on local networks and less than a few tens
9961 of ms on remote networks.
9962
Willy Tarreau55165fe2009-05-10 12:02:55 +02009963 - If "Tr" is nearly always lower than 3000 except some rare values which seem
9964 to be the average majored by 3000, there are probably some packets lost
9965 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009966
9967 - If "Tt" is large even for small byte counts, it generally is because
9968 neither the client nor the server decides to close the connection, for
9969 instance because both have agreed on a keep-alive connection mode. In order
9970 to solve this issue, it will be needed to specify "option httpclose" on
9971 either the frontend or the backend. If the problem persists, it means that
9972 the server ignores the "close" connection mode and expects the client to
9973 close. Then it will be required to use "option forceclose". Having the
9974 smallest possible 'Tt' is important when connection regulation is used with
9975 the "maxconn" option on the servers, since no new connection will be sent
9976 to the server until another one is released.
9977
9978Other noticeable HTTP log cases ('xx' means any value to be ignored) :
9979
9980 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
9981 was emitted before the data phase. All the timers are valid
9982 except "Tt" which is shorter than reality.
9983
9984 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
9985 or it aborted too early. Check the session termination flags
9986 then "timeout http-request" and "timeout client" settings.
9987
9988 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
9989 servers were out of order, because the request was invalid
9990 or forbidden by ACL rules. Check the session termination
9991 flags.
9992
9993 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
9994 actively refused it or it timed out after Tt-(Tq+Tw) ms.
9995 Check the session termination flags, then check the
9996 "timeout connect" setting. Note that the tarpit action might
9997 return similar-looking patterns, with "Tw" equal to the time
9998 the client connection was maintained open.
9999
10000 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
10001 a complete response in time, or it closed its connexion
10002 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
10003 termination flags, then check the "timeout server" setting.
10004
10005
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200100068.5. Session state at disconnection
10007-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010008
10009TCP and HTTP logs provide a session termination indicator in the
10010"termination_state" field, just before the number of active connections. It is
100112-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
10012each of which has a special meaning :
10013
10014 - On the first character, a code reporting the first event which caused the
10015 session to terminate :
10016
10017 C : the TCP session was unexpectedly aborted by the client.
10018
10019 S : the TCP session was unexpectedly aborted by the server, or the
10020 server explicitly refused it.
10021
10022 P : the session was prematurely aborted by the proxy, because of a
10023 connection limit enforcement, because a DENY filter was matched,
10024 because of a security check which detected and blocked a dangerous
10025 error in server response which might have caused information leak
10026 (eg: cacheable cookie), or because the response was processed by
10027 the proxy (redirect, stats, etc...).
10028
10029 R : a resource on the proxy has been exhausted (memory, sockets, source
10030 ports, ...). Usually, this appears during the connection phase, and
10031 system logs should contain a copy of the precise error. If this
10032 happens, it must be considered as a very serious anomaly which
10033 should be fixed as soon as possible by any means.
10034
10035 I : an internal error was identified by the proxy during a self-check.
10036 This should NEVER happen, and you are encouraged to report any log
10037 containing this, because this would almost certainly be a bug. It
10038 would be wise to preventively restart the process after such an
10039 event too, in case it would be caused by memory corruption.
10040
Simon Horman752dc4a2011-06-21 14:34:59 +090010041 D : the session was killed by haproxy because the server was detected
10042 as down and was configured to kill all connections when going down.
10043
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070010044 U : the session was killed by haproxy on this backup server because an
10045 active server was detected as up and was configured to kill all
10046 backup connections when going up.
10047
Willy Tarreaua2a64e92011-09-07 23:01:56 +020010048 K : the session was actively killed by an admin operating on haproxy.
10049
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010050 c : the client-side timeout expired while waiting for the client to
10051 send or receive data.
10052
10053 s : the server-side timeout expired while waiting for the server to
10054 send or receive data.
10055
10056 - : normal session completion, both the client and the server closed
10057 with nothing left in the buffers.
10058
10059 - on the second character, the TCP or HTTP session state when it was closed :
10060
Willy Tarreauf7b30a92010-12-06 22:59:17 +010010061 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010062 (HTTP mode only). Nothing was sent to any server.
10063
10064 Q : the proxy was waiting in the QUEUE for a connection slot. This can
10065 only happen when servers have a 'maxconn' parameter set. It can
10066 also happen in the global queue after a redispatch consecutive to
10067 a failed attempt to connect to a dying server. If no redispatch is
10068 reported, then no connection attempt was made to any server.
10069
10070 C : the proxy was waiting for the CONNECTION to establish on the
10071 server. The server might at most have noticed a connection attempt.
10072
10073 H : the proxy was waiting for complete, valid response HEADERS from the
10074 server (HTTP only).
10075
10076 D : the session was in the DATA phase.
10077
10078 L : the proxy was still transmitting LAST data to the client while the
10079 server had already finished. This one is very rare as it can only
10080 happen when the client dies while receiving the last packets.
10081
10082 T : the request was tarpitted. It has been held open with the client
10083 during the whole "timeout tarpit" duration or until the client
10084 closed, both of which will be reported in the "Tw" timer.
10085
10086 - : normal session completion after end of data transfer.
10087
10088 - the third character tells whether the persistence cookie was provided by
10089 the client (only in HTTP mode) :
10090
10091 N : the client provided NO cookie. This is usually the case for new
10092 visitors, so counting the number of occurrences of this flag in the
10093 logs generally indicate a valid trend for the site frequentation.
10094
10095 I : the client provided an INVALID cookie matching no known server.
10096 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020010097 cookies between HTTP/HTTPS sites, persistence conditionally
10098 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010099
10100 D : the client provided a cookie designating a server which was DOWN,
10101 so either "option persist" was used and the client was sent to
10102 this server, or it was not set and the client was redispatched to
10103 another server.
10104
Willy Tarreau996a92c2010-10-13 19:30:47 +020010105 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010106 server.
10107
Willy Tarreau996a92c2010-10-13 19:30:47 +020010108 E : the client provided a valid cookie, but with a last date which was
10109 older than what is allowed by the "maxidle" cookie parameter, so
10110 the cookie is consider EXPIRED and is ignored. The request will be
10111 redispatched just as if there was no cookie.
10112
10113 O : the client provided a valid cookie, but with a first date which was
10114 older than what is allowed by the "maxlife" cookie parameter, so
10115 the cookie is consider too OLD and is ignored. The request will be
10116 redispatched just as if there was no cookie.
10117
Willy Tarreauc89ccb62012-04-05 21:18:22 +020010118 U : a cookie was present but was not used to select the server because
10119 some other server selection mechanism was used instead (typically a
10120 "use-server" rule).
10121
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010122 - : does not apply (no cookie set in configuration).
10123
10124 - the last character reports what operations were performed on the persistence
10125 cookie returned by the server (only in HTTP mode) :
10126
10127 N : NO cookie was provided by the server, and none was inserted either.
10128
10129 I : no cookie was provided by the server, and the proxy INSERTED one.
10130 Note that in "cookie insert" mode, if the server provides a cookie,
10131 it will still be overwritten and reported as "I" here.
10132
Willy Tarreau996a92c2010-10-13 19:30:47 +020010133 U : the proxy UPDATED the last date in the cookie that was presented by
10134 the client. This can only happen in insert mode with "maxidle". It
10135 happens everytime there is activity at a different date than the
10136 date indicated in the cookie. If any other change happens, such as
10137 a redispatch, then the cookie will be marked as inserted instead.
10138
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010139 P : a cookie was PROVIDED by the server and transmitted as-is.
10140
10141 R : the cookie provided by the server was REWRITTEN by the proxy, which
10142 happens in "cookie rewrite" or "cookie prefix" modes.
10143
10144 D : the cookie provided by the server was DELETED by the proxy.
10145
10146 - : does not apply (no cookie set in configuration).
10147
Willy Tarreau996a92c2010-10-13 19:30:47 +020010148The combination of the two first flags gives a lot of information about what
10149was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010150helpful to detect server saturation, network troubles, local system resource
10151starvation, attacks, etc...
10152
10153The most common termination flags combinations are indicated below. They are
10154alphabetically sorted, with the lowercase set just after the upper case for
10155easier finding and understanding.
10156
10157 Flags Reason
10158
10159 -- Normal termination.
10160
10161 CC The client aborted before the connection could be established to the
10162 server. This can happen when haproxy tries to connect to a recently
10163 dead (or unchecked) server, and the client aborts while haproxy is
10164 waiting for the server to respond or for "timeout connect" to expire.
10165
10166 CD The client unexpectedly aborted during data transfer. This can be
10167 caused by a browser crash, by an intermediate equipment between the
10168 client and haproxy which decided to actively break the connection,
10169 by network routing issues between the client and haproxy, or by a
10170 keep-alive session between the server and the client terminated first
10171 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010010172
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010173 cD The client did not send nor acknowledge any data for as long as the
10174 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020010175 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010176
10177 CH The client aborted while waiting for the server to start responding.
10178 It might be the server taking too long to respond or the client
10179 clicking the 'Stop' button too fast.
10180
10181 cH The "timeout client" stroke while waiting for client data during a
10182 POST request. This is sometimes caused by too large TCP MSS values
10183 for PPPoE networks which cannot transport full-sized packets. It can
10184 also happen when client timeout is smaller than server timeout and
10185 the server takes too long to respond.
10186
10187 CQ The client aborted while its session was queued, waiting for a server
10188 with enough empty slots to accept it. It might be that either all the
10189 servers were saturated or that the assigned server was taking too
10190 long a time to respond.
10191
10192 CR The client aborted before sending a full HTTP request. Most likely
10193 the request was typed by hand using a telnet client, and aborted
10194 too early. The HTTP status code is likely a 400 here. Sometimes this
10195 might also be caused by an IDS killing the connection between haproxy
10196 and the client.
10197
10198 cR The "timeout http-request" stroke before the client sent a full HTTP
10199 request. This is sometimes caused by too large TCP MSS values on the
10200 client side for PPPoE networks which cannot transport full-sized
10201 packets, or by clients sending requests by hand and not typing fast
10202 enough, or forgetting to enter the empty line at the end of the
10203 request. The HTTP status code is likely a 408 here.
10204
10205 CT The client aborted while its session was tarpitted. It is important to
10206 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020010207 wrong tarpit rules have been written. If a lot of them happen, it
10208 might make sense to lower the "timeout tarpit" value to something
10209 closer to the average reported "Tw" timer, in order not to consume
10210 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010211
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010212 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010213 the TCP connection (the proxy received a TCP RST or an ICMP message
10214 in return). Under some circumstances, it can also be the network
10215 stack telling the proxy that the server is unreachable (eg: no route,
10216 or no ARP response on local network). When this happens in HTTP mode,
10217 the status code is likely a 502 or 503 here.
10218
10219 sC The "timeout connect" stroke before a connection to the server could
10220 complete. When this happens in HTTP mode, the status code is likely a
10221 503 or 504 here.
10222
10223 SD The connection to the server died with an error during the data
10224 transfer. This usually means that haproxy has received an RST from
10225 the server or an ICMP message from an intermediate equipment while
10226 exchanging data with the server. This can be caused by a server crash
10227 or by a network issue on an intermediate equipment.
10228
10229 sD The server did not send nor acknowledge any data for as long as the
10230 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010231 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010232 load-balancers, ...), as well as keep-alive sessions maintained
10233 between the client and the server expiring first on haproxy.
10234
10235 SH The server aborted before sending its full HTTP response headers, or
10236 it crashed while processing the request. Since a server aborting at
10237 this moment is very rare, it would be wise to inspect its logs to
10238 control whether it crashed and why. The logged request may indicate a
10239 small set of faulty requests, demonstrating bugs in the application.
10240 Sometimes this might also be caused by an IDS killing the connection
10241 between haproxy and the server.
10242
10243 sH The "timeout server" stroke before the server could return its
10244 response headers. This is the most common anomaly, indicating too
10245 long transactions, probably caused by server or database saturation.
10246 The immediate workaround consists in increasing the "timeout server"
10247 setting, but it is important to keep in mind that the user experience
10248 will suffer from these long response times. The only long term
10249 solution is to fix the application.
10250
10251 sQ The session spent too much time in queue and has been expired. See
10252 the "timeout queue" and "timeout connect" settings to find out how to
10253 fix this if it happens too often. If it often happens massively in
10254 short periods, it may indicate general problems on the affected
10255 servers due to I/O or database congestion, or saturation caused by
10256 external attacks.
10257
10258 PC The proxy refused to establish a connection to the server because the
10259 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020010260 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010261 so that it does not happen anymore. This status is very rare and
10262 might happen when the global "ulimit-n" parameter is forced by hand.
10263
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010010264 PD The proxy blocked an incorrectly formatted chunked encoded message in
10265 a request or a response, after the server has emitted its headers. In
10266 most cases, this will indicate an invalid message from the server to
10267 the client.
10268
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010269 PH The proxy blocked the server's response, because it was invalid,
10270 incomplete, dangerous (cache control), or matched a security filter.
10271 In any case, an HTTP 502 error is sent to the client. One possible
10272 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010010273 containing unauthorized characters. It is also possible but quite
10274 rare, that the proxy blocked a chunked-encoding request from the
10275 client due to an invalid syntax, before the server responded. In this
10276 case, an HTTP 400 error is sent to the client and reported in the
10277 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010278
10279 PR The proxy blocked the client's HTTP request, either because of an
10280 invalid HTTP syntax, in which case it returned an HTTP 400 error to
10281 the client, or because a deny filter matched, in which case it
10282 returned an HTTP 403 error.
10283
10284 PT The proxy blocked the client's request and has tarpitted its
10285 connection before returning it a 500 server error. Nothing was sent
10286 to the server. The connection was maintained open for as long as
10287 reported by the "Tw" timer field.
10288
10289 RC A local resource has been exhausted (memory, sockets, source ports)
10290 preventing the connection to the server from establishing. The error
10291 logs will tell precisely what was missing. This is very rare and can
10292 only be solved by proper system tuning.
10293
Willy Tarreau996a92c2010-10-13 19:30:47 +020010294The combination of the two last flags gives a lot of information about how
10295persistence was handled by the client, the server and by haproxy. This is very
10296important to troubleshoot disconnections, when users complain they have to
10297re-authenticate. The commonly encountered flags are :
10298
10299 -- Persistence cookie is not enabled.
10300
10301 NN No cookie was provided by the client, none was inserted in the
10302 response. For instance, this can be in insert mode with "postonly"
10303 set on a GET request.
10304
10305 II A cookie designating an invalid server was provided by the client,
10306 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010307 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020010308 value can be presented by a client when no other server knows it.
10309
10310 NI No cookie was provided by the client, one was inserted in the
10311 response. This typically happens for first requests from every user
10312 in "insert" mode, which makes it an easy way to count real users.
10313
10314 VN A cookie was provided by the client, none was inserted in the
10315 response. This happens for most responses for which the client has
10316 already got a cookie.
10317
10318 VU A cookie was provided by the client, with a last visit date which is
10319 not completely up-to-date, so an updated cookie was provided in
10320 response. This can also happen if there was no date at all, or if
10321 there was a date but the "maxidle" parameter was not set, so that the
10322 cookie can be switched to unlimited time.
10323
10324 EI A cookie was provided by the client, with a last visit date which is
10325 too old for the "maxidle" parameter, so the cookie was ignored and a
10326 new cookie was inserted in the response.
10327
10328 OI A cookie was provided by the client, with a first visit date which is
10329 too old for the "maxlife" parameter, so the cookie was ignored and a
10330 new cookie was inserted in the response.
10331
10332 DI The server designated by the cookie was down, a new server was
10333 selected and a new cookie was emitted in the response.
10334
10335 VI The server designated by the cookie was not marked dead but could not
10336 be reached. A redispatch happened and selected another one, which was
10337 then advertised in the response.
10338
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010339
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200103408.6. Non-printable characters
10341-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010342
10343In order not to cause trouble to log analysis tools or terminals during log
10344consulting, non-printable characters are not sent as-is into log files, but are
10345converted to the two-digits hexadecimal representation of their ASCII code,
10346prefixed by the character '#'. The only characters that can be logged without
10347being escaped are comprised between 32 and 126 (inclusive). Obviously, the
10348escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
10349is the same for the character '"' which becomes "#22", as well as '{', '|' and
10350'}' when logging headers.
10351
10352Note that the space character (' ') is not encoded in headers, which can cause
10353issues for tools relying on space count to locate fields. A typical header
10354containing spaces is "User-Agent".
10355
10356Last, it has been observed that some syslog daemons such as syslog-ng escape
10357the quote ('"') with a backslash ('\'). The reverse operation can safely be
10358performed since no quote may appear anywhere else in the logs.
10359
10360
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200103618.7. Capturing HTTP cookies
10362---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010363
10364Cookie capture simplifies the tracking a complete user session. This can be
10365achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010366section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010367cookie will simultaneously be checked in the request ("Cookie:" header) and in
10368the response ("Set-Cookie:" header). The respective values will be reported in
10369the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010370locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010371not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
10372user switches to a new session for example, because the server will reassign it
10373a new cookie. It is also possible to detect if a server unexpectedly sets a
10374wrong cookie to a client, leading to session crossing.
10375
10376 Examples :
10377 # capture the first cookie whose name starts with "ASPSESSION"
10378 capture cookie ASPSESSION len 32
10379
10380 # capture the first cookie whose name is exactly "vgnvisitor"
10381 capture cookie vgnvisitor= len 32
10382
10383
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200103848.8. Capturing HTTP headers
10385---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010386
10387Header captures are useful to track unique request identifiers set by an upper
10388proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
10389the response, one can search for information about the response length, how the
10390server asked the cache to behave, or an object location during a redirection.
10391
10392Header captures are performed using the "capture request header" and "capture
10393response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010394section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010395
10396It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010397time. Non-existent headers are logged as empty strings, and if one header
10398appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010399are grouped within braces '{' and '}' in the same order as they were declared,
10400and delimited with a vertical bar '|' without any space. Response headers
10401follow the same representation, but are displayed after a space following the
10402request headers block. These blocks are displayed just before the HTTP request
10403in the logs.
10404
10405 Example :
10406 # This instance chains to the outgoing proxy
10407 listen proxy-out
10408 mode http
10409 option httplog
10410 option logasap
10411 log global
10412 server cache1 192.168.1.1:3128
10413
10414 # log the name of the virtual server
10415 capture request header Host len 20
10416
10417 # log the amount of data uploaded during a POST
10418 capture request header Content-Length len 10
10419
10420 # log the beginning of the referrer
10421 capture request header Referer len 20
10422
10423 # server name (useful for outgoing proxies only)
10424 capture response header Server len 20
10425
10426 # logging the content-length is useful with "option logasap"
10427 capture response header Content-Length len 10
10428
10429 # log the expected cache behaviour on the response
10430 capture response header Cache-Control len 8
10431
10432 # the Via header will report the next proxy's name
10433 capture response header Via len 20
10434
10435 # log the URL location during a redirection
10436 capture response header Location len 20
10437
10438 >>> Aug 9 20:26:09 localhost \
10439 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
10440 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
10441 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
10442 "GET http://fr.adserver.yahoo.com/"
10443
10444 >>> Aug 9 20:30:46 localhost \
10445 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
10446 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
10447 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010010448 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010449
10450 >>> Aug 9 20:30:46 localhost \
10451 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
10452 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
10453 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
10454 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010010455 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010456
10457
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200104588.9. Examples of logs
10459---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010460
10461These are real-world examples of logs accompanied with an explanation. Some of
10462them have been made up by hand. The syslog part has been removed for better
10463reading. Their sole purpose is to explain how to decipher them.
10464
10465 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
10466 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
10467 "HEAD / HTTP/1.0"
10468
10469 => long request (6.5s) entered by hand through 'telnet'. The server replied
10470 in 147 ms, and the session ended normally ('----')
10471
10472 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
10473 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
10474 0/9 "HEAD / HTTP/1.0"
10475
10476 => Idem, but the request was queued in the global queue behind 9 other
10477 requests, and waited there for 1230 ms.
10478
10479 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
10480 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
10481 "GET /image.iso HTTP/1.0"
10482
10483 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010484 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010485 14 ms, 243 bytes of headers were sent to the client, and total time from
10486 accept to first data byte is 30 ms.
10487
10488 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
10489 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
10490 "GET /cgi-bin/bug.cgi? HTTP/1.0"
10491
10492 => the proxy blocked a server response either because of an "rspdeny" or
10493 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020010494 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010495 risked being cached. In this case, the response is replaced with a "502
10496 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
10497 to return the 502 and not the server.
10498
10499 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010010500 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010501
10502 => the client never completed its request and aborted itself ("C---") after
10503 8.5s, while the proxy was waiting for the request headers ("-R--").
10504 Nothing was sent to any server.
10505
10506 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
10507 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
10508
10509 => The client never completed its request, which was aborted by the
10510 time-out ("c---") after 50s, while the proxy was waiting for the request
10511 headers ("-R--"). Nothing was sent to any server, but the proxy could
10512 send a 408 return code to the client.
10513
10514 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
10515 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
10516
10517 => This log was produced with "option tcplog". The client timed out after
10518 5 seconds ("c----").
10519
10520 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
10521 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010010522 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010523
10524 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010525 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010010526 (config says 'retries 3'), and no redispatch (otherwise we would have
10527 seen "/+3"). Status code 503 was returned to the client. There were 115
10528 connections on this server, 202 connections on this proxy, and 205 on
10529 the global process. It is possible that the server refused the
10530 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010010531
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010532
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200105339. Statistics and monitoring
10534----------------------------
10535
10536It is possible to query HAProxy about its status. The most commonly used
10537mechanism is the HTTP statistics page. This page also exposes an alternative
10538CSV output format for monitoring tools. The same format is provided on the
10539Unix socket.
10540
10541
105429.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010543---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010544
Willy Tarreau7f062c42009-03-05 18:43:00 +010010545The statistics may be consulted either from the unix socket or from the HTTP
10546page. Both means provide a CSV format whose fields follow.
10547
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010548 0. pxname: proxy name
10549 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
10550 for server)
10551 2. qcur: current queued requests
10552 3. qmax: max queued requests
10553 4. scur: current sessions
10554 5. smax: max sessions
10555 6. slim: sessions limit
10556 7. stot: total sessions
10557 8. bin: bytes in
10558 9. bout: bytes out
10559 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010560 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010561 12. ereq: request errors
10562 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +010010563 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010564 15. wretr: retries (warning)
10565 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +010010566 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010010567 18. weight: server weight (server), total weight (backend)
10568 19. act: server is active (server), number of active servers (backend)
10569 20. bck: server is backup (server), number of backup servers (backend)
10570 21. chkfail: number of failed checks
10571 22. chkdown: number of UP->DOWN transitions
10572 23. lastchg: last status change (in seconds)
10573 24. downtime: total downtime (in seconds)
10574 25. qlimit: queue limit
10575 26. pid: process id (0 for first instance, 1 for second, ...)
10576 27. iid: unique proxy id
10577 28. sid: service id (unique inside a proxy)
10578 29. throttle: warm up status
10579 30. lbtot: total number of times a server was selected
10580 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +020010581 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +020010582 33. rate: number of sessions per second over last elapsed second
10583 34. rate_lim: limit on new sessions per second
10584 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020010585 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010010586 UNK -> unknown
10587 INI -> initializing
10588 SOCKERR -> socket error
10589 L4OK -> check passed on layer 4, no upper layers testing enabled
10590 L4TMOUT -> layer 1-4 timeout
10591 L4CON -> layer 1-4 connection problem, for example
10592 "Connection refused" (tcp rst) or "No route to host" (icmp)
10593 L6OK -> check passed on layer 6
10594 L6TOUT -> layer 6 (SSL) timeout
10595 L6RSP -> layer 6 invalid response - protocol error
10596 L7OK -> check passed on layer 7
10597 L7OKC -> check conditionally passed on layer 7, for example 404 with
10598 disable-on-404
10599 L7TOUT -> layer 7 (HTTP/SMTP) timeout
10600 L7RSP -> layer 7 invalid response - protocol error
10601 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020010602 37. check_code: layer5-7 code, if available
10603 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010604 39. hrsp_1xx: http responses with 1xx code
10605 40. hrsp_2xx: http responses with 2xx code
10606 41. hrsp_3xx: http responses with 3xx code
10607 42. hrsp_4xx: http responses with 4xx code
10608 43. hrsp_5xx: http responses with 5xx code
10609 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +010010610 45. hanafail: failed health checks details
10611 46. req_rate: HTTP requests per second over last elapsed second
10612 47. req_rate_max: max number of HTTP requests per second observed
10613 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +010010614 49. cli_abrt: number of data transfers aborted by the client
10615 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +010010616
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010617
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200106189.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010619-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010620
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010621The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010622must be terminated by a line feed. The socket supports pipelining, so that it
10623is possible to chain multiple commands at once provided they are delimited by
10624a semi-colon or a line feed, although the former is more reliable as it has no
10625risk of being truncated over the network. The responses themselves will each be
10626followed by an empty line, so it will be easy for an external script to match a
10627given response with a given request. By default one command line is processed
10628then the connection closes, but there is an interactive allowing multiple lines
10629to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010630
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010631It is important to understand that when multiple haproxy processes are started
10632on the same sockets, any process may pick up the request and will output its
10633own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010634
Willy Tarreaud63335a2010-02-26 12:56:52 +010010635clear counters
10636 Clear the max values of the statistics counters in each proxy (frontend &
10637 backend) and in each server. The cumulated counters are not affected. This
10638 can be used to get clean counters after an incident, without having to
10639 restart nor to clear traffic counters. This command is restricted and can
10640 only be issued on sockets configured for levels "operator" or "admin".
10641
10642clear counters all
10643 Clear all statistics counters in each proxy (frontend & backend) and in each
10644 server. This has the same effect as restarting. This command is restricted
10645 and can only be issued on sockets configured for level "admin".
10646
Simon Hormanc88b8872011-06-15 15:18:49 +090010647clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
10648 Remove entries from the stick-table <table>.
10649
10650 This is typically used to unblock some users complaining they have been
10651 abusively denied access to a service, but this can also be used to clear some
10652 stickiness entries matching a server that is going to be replaced (see "show
10653 table" below for details). Note that sometimes, removal of an entry will be
10654 refused because it is currently tracked by a session. Retrying a few seconds
10655 later after the session ends is usual enough.
10656
10657 In the case where no options arguments are given all entries will be removed.
10658
10659 When the "data." form is used entries matching a filter applied using the
10660 stored data (see "stick-table" in section 4.2) are removed. A stored data
10661 type must be specified in <type>, and this data type must be stored in the
10662 table otherwise an error is reported. The data is compared according to
10663 <operator> with the 64-bit integer <value>. Operators are the same as with
10664 the ACLs :
10665
10666 - eq : match entries whose data is equal to this value
10667 - ne : match entries whose data is not equal to this value
10668 - le : match entries whose data is less than or equal to this value
10669 - ge : match entries whose data is greater than or equal to this value
10670 - lt : match entries whose data is less than this value
10671 - gt : match entries whose data is greater than this value
10672
10673 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090010674 same type as the table, which currently is limited to IPv4, IPv6, integer and
10675 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010676
10677 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010678 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010679 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010680 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
10681 bytes_out_rate(60000)=187
10682 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10683 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010684
10685 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
10686
10687 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020010688 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020010689 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10690 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090010691 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
10692 $ echo "show table http_proxy" | socat stdio /tmp/sock1
10693 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010694
Willy Tarreau532a4502011-09-07 22:37:44 +020010695disable frontend <frontend>
10696 Mark the frontend as temporarily stopped. This corresponds to the mode which
10697 is used during a soft restart : the frontend releases the port but can be
10698 enabled again if needed. This should be used with care as some non-Linux OSes
10699 are unable to enable it back. This is intended to be used in environments
10700 where stopping a proxy is not even imaginable but a misconfigured proxy must
10701 be fixed. That way it's possible to release the port and bind it into another
10702 process to restore operations. The frontend will appear with status "STOP"
10703 on the stats page.
10704
10705 The frontend may be specified either by its name or by its numeric ID,
10706 prefixed with a sharp ('#').
10707
10708 This command is restricted and can only be issued on sockets configured for
10709 level "admin".
10710
Willy Tarreaud63335a2010-02-26 12:56:52 +010010711disable server <backend>/<server>
10712 Mark the server DOWN for maintenance. In this mode, no more checks will be
10713 performed on the server until it leaves maintenance.
10714 If the server is tracked by other servers, those servers will be set to DOWN
10715 during the maintenance.
10716
10717 In the statistics page, a server DOWN for maintenance will appear with a
10718 "MAINT" status, its tracking servers with the "MAINT(via)" one.
10719
10720 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010721 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010722
10723 This command is restricted and can only be issued on sockets configured for
10724 level "admin".
10725
Willy Tarreau532a4502011-09-07 22:37:44 +020010726enable frontend <frontend>
10727 Resume a frontend which was temporarily stopped. It is possible that some of
10728 the listening ports won't be able to bind anymore (eg: if another process
10729 took them since the 'disable frontend' operation). If this happens, an error
10730 is displayed. Some operating systems might not be able to resume a frontend
10731 which was disabled.
10732
10733 The frontend may be specified either by its name or by its numeric ID,
10734 prefixed with a sharp ('#').
10735
10736 This command is restricted and can only be issued on sockets configured for
10737 level "admin".
10738
Willy Tarreaud63335a2010-02-26 12:56:52 +010010739enable server <backend>/<server>
10740 If the server was previously marked as DOWN for maintenance, this marks the
10741 server UP and checks are re-enabled.
10742
10743 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020010744 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010745
10746 This command is restricted and can only be issued on sockets configured for
10747 level "admin".
10748
10749get weight <backend>/<server>
10750 Report the current weight and the initial weight of server <server> in
10751 backend <backend> or an error if either doesn't exist. The initial weight is
10752 the one that appears in the configuration file. Both are normally equal
10753 unless the current weight has been changed. Both the backend and the server
10754 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020010755 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010756
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010757help
10758 Print the list of known keywords and their basic usage. The same help screen
10759 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010010760
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010761prompt
10762 Toggle the prompt at the beginning of the line and enter or leave interactive
10763 mode. In interactive mode, the connection is not closed after a command
10764 completes. Instead, the prompt will appear again, indicating the user that
10765 the interpreter is waiting for a new command. The prompt consists in a right
10766 angle bracket followed by a space "> ". This mode is particularly convenient
10767 when one wants to periodically check information such as stats or errors.
10768 It is also a good idea to enter interactive mode before issuing a "help"
10769 command.
10770
10771quit
10772 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010773
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020010774set maxconn frontend <frontend> <value>
Willy Tarreau3c7a79d2012-09-26 21:07:15 +020010775 Dynamically change the specified frontend's maxconn setting. Any positive
10776 value is allowed including zero, but setting values larger than the global
10777 maxconn does not make much sense. If the limit is increased and connections
10778 were pending, they will immediately be accepted. If it is lowered to a value
10779 below the current number of connections, new connections acceptation will be
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020010780 delayed until the threshold is reached. The frontend might be specified by
10781 either its name or its numeric ID prefixed with a sharp ('#').
10782
Willy Tarreau91886b62011-09-07 14:38:31 +020010783set maxconn global <maxconn>
10784 Dynamically change the global maxconn setting within the range defined by the
10785 initial global maxconn setting. If it is increased and connections were
10786 pending, they will immediately be accepted. If it is lowered to a value below
10787 the current number of connections, new connections acceptation will be
10788 delayed until the threshold is reached. A value of zero restores the initial
10789 setting.
10790
Willy Tarreauf5b22872011-09-07 16:13:44 +020010791set rate-limit connections global <value>
10792 Change the process-wide connection rate limit, which is set by the global
10793 'maxconnrate' setting. A value of zero disables the limitation. This limit
10794 applies to all frontends and the change has an immediate effect. The value
10795 is passed in number of connections per second.
10796
Willy Tarreau654694e2012-06-07 01:03:16 +020010797set table <table> key <key> data.<data_type> <value>
10798 Create or update a stick-table entry in the table. If the key is not present,
10799 an entry is inserted. See stick-table in section 4.2 to find all possible
10800 values for <data_type>. The most likely use consists in dynamically entering
10801 entries for source IP addresses, with a flag in gpc0 to dynamically block an
10802 IP address or affect its quality of service.
10803
Willy Tarreaud63335a2010-02-26 12:56:52 +010010804set timeout cli <delay>
10805 Change the CLI interface timeout for current connection. This can be useful
10806 during long debugging sessions where the user needs to constantly inspect
10807 some indicators without being disconnected. The delay is passed in seconds.
10808
10809set weight <backend>/<server> <weight>[%]
10810 Change a server's weight to the value passed in argument. If the value ends
10811 with the '%' sign, then the new weight will be relative to the initially
10812 configured weight. Relative weights are only permitted between 0 and 100%,
10813 and absolute weights are permitted between 0 and 256. Servers which are part
10814 of a farm running a static load-balancing algorithm have stricter limitations
10815 because the weight cannot change once set. Thus for these servers, the only
10816 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
10817 effect immediately, though certain LB algorithms require a certain amount of
10818 requests to consider changes. A typical usage of this command is to disable
10819 a server during an update by setting its weight to zero, then to enable it
10820 again after the update by setting it back to 100%. This command is restricted
10821 and can only be issued on sockets configured for level "admin". Both the
10822 backend and the server may be specified either by their name or by their
Willy Tarreauf5f31922011-08-02 11:32:07 +020010823 numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010010824
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010825show errors [<iid>]
10826 Dump last known request and response errors collected by frontends and
10827 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020010828 either frontend or backend whose ID is <iid>. This command is restricted
10829 and can only be issued on sockets configured for levels "operator" or
10830 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010831
10832 The errors which may be collected are the last request and response errors
10833 caused by protocol violations, often due to invalid characters in header
10834 names. The report precisely indicates what exact character violated the
10835 protocol. Other important information such as the exact date the error was
10836 detected, frontend and backend names, the server name (when known), the
10837 internal session ID and the source address which has initiated the session
10838 are reported too.
10839
10840 All characters are returned, and non-printable characters are encoded. The
10841 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
10842 letter following a backslash. The backslash itself is encoded as '\\' to
10843 avoid confusion. Other non-printable characters are encoded '\xNN' where
10844 NN is the two-digits hexadecimal representation of the character's ASCII
10845 code.
10846
10847 Lines are prefixed with the position of their first character, starting at 0
10848 for the beginning of the buffer. At most one input line is printed per line,
10849 and large lines will be broken into multiple consecutive output lines so that
10850 the output never goes beyond 79 characters wide. It is easy to detect if a
10851 line was broken, because it will not end with '\n' and the next line's offset
10852 will be followed by a '+' sign, indicating it is a continuation of previous
10853 line.
10854
10855 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010856 $ echo "show errors" | socat stdio /tmp/sock1
10857 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010858 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
10859 response length 213 bytes, error at position 23:
10860
10861 00000 HTTP/1.0 200 OK\r\n
10862 00017 header/bizarre:blah\r\n
10863 00038 Location: blah\r\n
10864 00054 Long-line: this is a very long line which should b
10865 00104+ e broken into multiple lines on the output buffer,
10866 00154+ otherwise it would be too large to print in a ter
10867 00204+ minal\r\n
10868 00211 \r\n
10869
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010870 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010010871 ID 2 has blocked an invalid response from its server s2 which has internal
10872 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
10873 received by frontend fe-eth0 whose ID is 1. The total response length was
10874 213 bytes when the error was detected, and the error was at byte 23. This
10875 is the slash ('/') in header name "header/bizarre", which is not a valid
10876 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010010877
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010878show info
10879 Dump info about haproxy status on current process.
10880
10881show sess
10882 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020010883 be huge. This command is restricted and can only be issued on sockets
10884 configured for levels "operator" or "admin".
10885
Willy Tarreau66dc20a2010-03-05 17:53:32 +010010886show sess <id>
10887 Display a lot of internal information about the specified session identifier.
10888 This identifier is the first field at the beginning of the lines in the dumps
10889 of "show sess" (it corresponds to the session pointer). Those information are
10890 useless to most users but may be used by haproxy developers to troubleshoot a
10891 complex bug. The output format is intentionally not documented so that it can
10892 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010893
10894show stat [<iid> <type> <sid>]
10895 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
10896 possible to dump only selected items :
10897 - <iid> is a proxy ID, -1 to dump everything
10898 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
10899 backends, 4 for servers, -1 for everything. These values can be ORed,
10900 for example:
10901 1 + 2 = 3 -> frontend + backend.
10902 1 + 2 + 4 = 7 -> frontend + backend + server.
10903 - <sid> is a server ID, -1 to dump everything from the selected proxy.
10904
10905 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010906 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
10907 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010908 Version: 1.4-dev2-49
10909 Release_date: 2009/09/23
10910 Nbproc: 1
10911 Process_num: 1
10912 (...)
10913
10914 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
10915 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
10916 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
10917 (...)
10918 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
10919
10920 $
10921
10922 Here, two commands have been issued at once. That way it's easy to find
10923 which process the stats apply to in multi-process mode. Notice the empty
10924 line after the information output which marks the end of the first block.
10925 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010926 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020010927
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010928show table
10929 Dump general information on all known stick-tables. Their name is returned
10930 (the name of the proxy which holds them), their type (currently zero, always
10931 IP), their size in maximum possible number of entries, and the number of
10932 entries currently in use.
10933
10934 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010935 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010936 >>> # table: front_pub, type: ip, size:204800, used:171454
10937 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010938
Simon Horman17bce342011-06-15 15:18:47 +090010939show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010940 Dump contents of stick-table <name>. In this mode, a first line of generic
10941 information about the table is reported as with "show table", then all
10942 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090010943 a filter in order to specify what entries to display.
10944
10945 When the "data." form is used the filter applies to the stored data (see
10946 "stick-table" in section 4.2). A stored data type must be specified
10947 in <type>, and this data type must be stored in the table otherwise an
10948 error is reported. The data is compared according to <operator> with the
10949 64-bit integer <value>. Operators are the same as with the ACLs :
10950
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010951 - eq : match entries whose data is equal to this value
10952 - ne : match entries whose data is not equal to this value
10953 - le : match entries whose data is less than or equal to this value
10954 - ge : match entries whose data is greater than or equal to this value
10955 - lt : match entries whose data is less than this value
10956 - gt : match entries whose data is greater than this value
10957
Simon Hormanc88b8872011-06-15 15:18:49 +090010958
10959 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090010960 same type as the table, which currently is limited to IPv4, IPv6, integer,
10961 and string.
Simon Horman17bce342011-06-15 15:18:47 +090010962
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010963 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010964 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010965 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010966 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
10967 bytes_out_rate(60000)=187
10968 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10969 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010970
Willy Tarreau62a36c42010-08-17 15:53:10 +020010971 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010972 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010973 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10974 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010975
Willy Tarreau62a36c42010-08-17 15:53:10 +020010976 $ echo "show table http_proxy data.conn_rate gt 5" | \
10977 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010978 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020010979 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10980 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010981
Simon Horman17bce342011-06-15 15:18:47 +090010982 $ echo "show table http_proxy key 127.0.0.2" | \
10983 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090010984 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090010985 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
10986 bytes_out_rate(60000)=191
10987
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010988 When the data criterion applies to a dynamic value dependent on time such as
10989 a bytes rate, the value is dynamically computed during the evaluation of the
10990 entry in order to decide whether it has to be dumped or not. This means that
10991 such a filter could match for some time then not match anymore because as
10992 time goes, the average event rate drops.
10993
10994 It is possible to use this to extract lists of IP addresses abusing the
10995 service, in order to monitor them or even blacklist them in a firewall.
10996 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020010997 $ echo "show table http_proxy data.gpc0 gt 0" \
10998 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020010999 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
11000 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020011001
Willy Tarreau532a4502011-09-07 22:37:44 +020011002shutdown frontend <frontend>
11003 Completely delete the specified frontend. All the ports it was bound to will
11004 be released. It will not be possible to enable the frontend anymore after
11005 this operation. This is intended to be used in environments where stopping a
11006 proxy is not even imaginable but a misconfigured proxy must be fixed. That
11007 way it's possible to release the port and bind it into another process to
11008 restore operations. The frontend will not appear at all on the stats page
11009 once it is terminated.
11010
11011 The frontend may be specified either by its name or by its numeric ID,
11012 prefixed with a sharp ('#').
11013
11014 This command is restricted and can only be issued on sockets configured for
11015 level "admin".
11016
Willy Tarreaua295edc2011-09-07 23:21:03 +020011017shutdown session <id>
11018 Immediately terminate the session matching the specified session identifier.
11019 This identifier is the first field at the beginning of the lines in the dumps
11020 of "show sess" (it corresponds to the session pointer). This can be used to
11021 terminate a long-running session without waiting for a timeout or when an
11022 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
11023 flag in the logs.
11024
Willy Tarreau52b2d222011-09-07 23:48:48 +020011025shutdown sessions <backend>/<server>
11026 Immediately terminate all the sessions attached to the specified server. This
11027 can be used to terminate long-running sessions after a server is put into
11028 maintenance mode, for instance. Such terminated sessions are reported with a
11029 'K' flag in the logs.
11030
Willy Tarreau0ba27502007-12-24 16:55:16 +010011031/*
11032 * Local variables:
11033 * fill-column: 79
11034 * End:
11035 */