blob: 1a89ad0a9f0303c8ab361022ca43ae5aa1f94c3e [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau15480d72014-06-19 21:10:58 +02005 version 1.6
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau8747b6d2015-03-11 23:57:23 +01007 2015/03/11
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Willy Tarreau086fbf52012-09-24 20:34:51 +0200565. Bind and Server options
575.1. Bind options
585.2. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
606. HTTP header manipulation
61
Willy Tarreau74ca5042013-06-11 23:12:07 +0200627. Using ACLs and fetching samples
637.1. ACL basics
647.1.1. Matching booleans
657.1.2. Matching integers
667.1.3. Matching strings
677.1.4. Matching regular expressions (regexes)
687.1.5. Matching arbitrary data blocks
697.1.6. Matching IPv4 and IPv6 addresses
707.2. Using ACLs to form conditions
717.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200727.3.1. Converters
737.3.2. Fetching samples from internal states
747.3.3. Fetching samples at Layer 4
757.3.4. Fetching samples at Layer 5
767.3.5. Fetching samples from buffer contents (Layer 6)
777.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +0200787.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079
808. Logging
818.1. Log levels
828.2. Log formats
838.2.1. Default log format
848.2.2. TCP log format
858.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100868.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100878.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200888.3. Advanced logging options
898.3.1. Disabling logging of external tests
908.3.2. Logging before waiting for the session to terminate
918.3.3. Raising log level upon errors
928.3.4. Disabling logging of successful connections
938.4. Timing events
948.5. Session state at disconnection
958.6. Non-printable characters
968.7. Capturing HTTP cookies
978.8. Capturing HTTP headers
988.9. Examples of logs
99
1009. Statistics and monitoring
1019.1. CSV format
1029.2. Unix Socket commands
103
104
1051. Quick reminder about HTTP
106----------------------------
107
108When haproxy is running in HTTP mode, both the request and the response are
109fully analyzed and indexed, thus it becomes possible to build matching criteria
110on almost anything found in the contents.
111
112However, it is important to understand how HTTP requests and responses are
113formed, and how HAProxy decomposes them. It will then become easier to write
114correct rules and to debug existing configurations.
115
116
1171.1. The HTTP transaction model
118-------------------------------
119
120The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100121to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122from the client to the server, a request is sent by the client on the
123connection, the server responds and the connection is closed. A new request
124will involve a new connection :
125
126 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
127
128In this mode, called the "HTTP close" mode, there are as many connection
129establishments as there are HTTP transactions. Since the connection is closed
130by the server after the response, the client does not need to know the content
131length.
132
133Due to the transactional nature of the protocol, it was possible to improve it
134to avoid closing a connection between two subsequent transactions. In this mode
135however, it is mandatory that the server indicates the content length for each
136response so that the client does not wait indefinitely. For this, a special
137header is used: "Content-length". This mode is called the "keep-alive" mode :
138
139 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
140
141Its advantages are a reduced latency between transactions, and less processing
142power required on the server side. It is generally better than the close mode,
143but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200144a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200145
146A last improvement in the communications is the pipelining mode. It still uses
147keep-alive, but the client does not wait for the first response to send the
148second request. This is useful for fetching large number of images composing a
149page :
150
151 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
152
153This can obviously have a tremendous benefit on performance because the network
154latency is eliminated between subsequent requests. Many HTTP agents do not
155correctly support pipelining since there is no way to associate a response with
156the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100157server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200158
Willy Tarreau70dffda2014-01-30 03:07:23 +0100159By default HAProxy operates in keep-alive mode with regards to persistent
160connections: for each connection it processes each request and response, and
161leaves the connection idle on both sides between the end of a response and the
162start of a new request.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200163
Willy Tarreau70dffda2014-01-30 03:07:23 +0100164HAProxy supports 5 connection modes :
165 - keep alive : all requests and responses are processed (default)
166 - tunnel : only the first request and response are processed,
167 everything else is forwarded with no analysis.
168 - passive close : tunnel with "Connection: close" added in both directions.
169 - server close : the server-facing connection is closed after the response.
170 - forced close : the connection is actively closed after end of response.
171
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200172
1731.2. HTTP request
174-----------------
175
176First, let's consider this HTTP request :
177
178 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100179 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200180 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
181 2 Host: www.mydomain.com
182 3 User-agent: my small browser
183 4 Accept: image/jpeg, image/gif
184 5 Accept: image/png
185
186
1871.2.1. The Request line
188-----------------------
189
190Line 1 is the "request line". It is always composed of 3 fields :
191
192 - a METHOD : GET
193 - a URI : /serv/login.php?lang=en&profile=2
194 - a version tag : HTTP/1.1
195
196All of them are delimited by what the standard calls LWS (linear white spaces),
197which are commonly spaces, but can also be tabs or line feeds/carriage returns
198followed by spaces/tabs. The method itself cannot contain any colon (':') and
199is limited to alphabetic letters. All those various combinations make it
200desirable that HAProxy performs the splitting itself rather than leaving it to
201the user to write a complex or inaccurate regular expression.
202
203The URI itself can have several forms :
204
205 - A "relative URI" :
206
207 /serv/login.php?lang=en&profile=2
208
209 It is a complete URL without the host part. This is generally what is
210 received by servers, reverse proxies and transparent proxies.
211
212 - An "absolute URI", also called a "URL" :
213
214 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
215
216 It is composed of a "scheme" (the protocol name followed by '://'), a host
217 name or address, optionally a colon (':') followed by a port number, then
218 a relative URI beginning at the first slash ('/') after the address part.
219 This is generally what proxies receive, but a server supporting HTTP/1.1
220 must accept this form too.
221
222 - a star ('*') : this form is only accepted in association with the OPTIONS
223 method and is not relayable. It is used to inquiry a next hop's
224 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100225
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200226 - an address:port combination : 192.168.0.12:80
227 This is used with the CONNECT method, which is used to establish TCP
228 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
229 other protocols too.
230
231In a relative URI, two sub-parts are identified. The part before the question
232mark is called the "path". It is typically the relative path to static objects
233on the server. The part after the question mark is called the "query string".
234It is mostly used with GET requests sent to dynamic scripts and is very
235specific to the language, framework or application in use.
236
237
2381.2.2. The request headers
239--------------------------
240
241The headers start at the second line. They are composed of a name at the
242beginning of the line, immediately followed by a colon (':'). Traditionally,
243an LWS is added after the colon but that's not required. Then come the values.
244Multiple identical headers may be folded into one single line, delimiting the
245values with commas, provided that their order is respected. This is commonly
246encountered in the "Cookie:" field. A header may span over multiple lines if
247the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
248define a total of 3 values for the "Accept:" header.
249
250Contrary to a common mis-conception, header names are not case-sensitive, and
251their values are not either if they refer to other header names (such as the
252"Connection:" header).
253
254The end of the headers is indicated by the first empty line. People often say
255that it's a double line feed, which is not exact, even if a double line feed
256is one valid form of empty line.
257
258Fortunately, HAProxy takes care of all these complex combinations when indexing
259headers, checking values and counting them, so there is no reason to worry
260about the way they could be written, but it is important not to accuse an
261application of being buggy if it does unusual, valid things.
262
263Important note:
264 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
265 in the middle of headers by LWS in order to join multi-line headers. This
266 is necessary for proper analysis and helps less capable HTTP parsers to work
267 correctly and not to be fooled by such complex constructs.
268
269
2701.3. HTTP response
271------------------
272
273An HTTP response looks very much like an HTTP request. Both are called HTTP
274messages. Let's consider this HTTP response :
275
276 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100277 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200278 1 HTTP/1.1 200 OK
279 2 Content-length: 350
280 3 Content-Type: text/html
281
Willy Tarreau816b9792009-09-15 21:25:21 +0200282As a special case, HTTP supports so called "Informational responses" as status
283codes 1xx. These messages are special in that they don't convey any part of the
284response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100285continue to post its request for instance. In the case of a status 100 response
286the requested information will be carried by the next non-100 response message
287following the informational one. This implies that multiple responses may be
288sent to a single request, and that this only works when keep-alive is enabled
289(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
290correctly forward and skip them, and only process the next non-100 response. As
291such, these messages are neither logged nor transformed, unless explicitly
292state otherwise. Status 101 messages indicate that the protocol is changing
293over the same connection and that haproxy must switch to tunnel mode, just as
294if a CONNECT had occurred. Then the Upgrade header would contain additional
295information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200296
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297
2981.3.1. The Response line
299------------------------
300
301Line 1 is the "response line". It is always composed of 3 fields :
302
303 - a version tag : HTTP/1.1
304 - a status code : 200
305 - a reason : OK
306
307The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200308 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200309 - 2xx = OK, content is following (eg: 200, 206)
310 - 3xx = OK, no content following (eg: 302, 304)
311 - 4xx = error caused by the client (eg: 401, 403, 404)
312 - 5xx = error caused by the server (eg: 500, 502, 503)
313
314Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100315"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200316found there, but it's a common practice to respect the well-established
317messages. It can be composed of one or multiple words, such as "OK", "Found",
318or "Authentication Required".
319
320Haproxy may emit the following status codes by itself :
321
322 Code When / reason
323 200 access to stats page, and when replying to monitoring requests
324 301 when performing a redirection, depending on the configured code
325 302 when performing a redirection, depending on the configured code
326 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100327 307 when performing a redirection, depending on the configured code
328 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200329 400 for an invalid or too large request
330 401 when an authentication is required to perform the action (when
331 accessing the stats page)
332 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
333 408 when the request timeout strikes before the request is complete
334 500 when haproxy encounters an unrecoverable internal error, such as a
335 memory allocation failure, which should never happen
336 502 when the server returns an empty, invalid or incomplete response, or
337 when an "rspdeny" filter blocks the response.
338 503 when no server was available to handle the request, or in response to
339 monitoring requests which match the "monitor fail" condition
340 504 when the response timeout strikes before the server responds
341
342The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3434.2).
344
345
3461.3.2. The response headers
347---------------------------
348
349Response headers work exactly like request headers, and as such, HAProxy uses
350the same parsing function for both. Please refer to paragraph 1.2.2 for more
351details.
352
353
3542. Configuring HAProxy
355----------------------
356
3572.1. Configuration file format
358------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200359
360HAProxy's configuration process involves 3 major sources of parameters :
361
362 - the arguments from the command-line, which always take precedence
363 - the "global" section, which sets process-wide parameters
364 - the proxies sections which can take form of "defaults", "listen",
365 "frontend" and "backend".
366
Willy Tarreau0ba27502007-12-24 16:55:16 +0100367The configuration file syntax consists in lines beginning with a keyword
368referenced in this manual, optionally followed by one or several parameters
369delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100370preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100371escaped by doubling them.
372
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200373
3742.2. Time format
375----------------
376
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100377Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100378values are generally expressed in milliseconds (unless explicitly stated
379otherwise) but may be expressed in any other unit by suffixing the unit to the
380numeric value. It is important to consider this because it will not be repeated
381for every keyword. Supported units are :
382
383 - us : microseconds. 1 microsecond = 1/1000000 second
384 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
385 - s : seconds. 1s = 1000ms
386 - m : minutes. 1m = 60s = 60000ms
387 - h : hours. 1h = 60m = 3600s = 3600000ms
388 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
389
390
Patrick Mezard35da19c2010-06-12 17:02:47 +02003912.3. Examples
392-------------
393
394 # Simple configuration for an HTTP proxy listening on port 80 on all
395 # interfaces and forwarding requests to a single backend "servers" with a
396 # single server "server1" listening on 127.0.0.1:8000
397 global
398 daemon
399 maxconn 256
400
401 defaults
402 mode http
403 timeout connect 5000ms
404 timeout client 50000ms
405 timeout server 50000ms
406
407 frontend http-in
408 bind *:80
409 default_backend servers
410
411 backend servers
412 server server1 127.0.0.1:8000 maxconn 32
413
414
415 # The same configuration defined with a single listen block. Shorter but
416 # less expressive, especially in HTTP mode.
417 global
418 daemon
419 maxconn 256
420
421 defaults
422 mode http
423 timeout connect 5000ms
424 timeout client 50000ms
425 timeout server 50000ms
426
427 listen http-in
428 bind *:80
429 server server1 127.0.0.1:8000 maxconn 32
430
431
432Assuming haproxy is in $PATH, test these configurations in a shell with:
433
Willy Tarreauccb289d2010-12-11 20:19:38 +0100434 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200435
436
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004373. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200438--------------------
439
440Parameters in the "global" section are process-wide and often OS-specific. They
441are generally set once for all and do not need being changed once correct. Some
442of them have command-line equivalents.
443
444The following keywords are supported in the "global" section :
445
446 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200447 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200448 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200449 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - daemon
Simon Horman98637e52014-06-20 12:30:16 +0900451 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200452 - gid
453 - group
454 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100455 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200456 - nbproc
457 - pidfile
458 - uid
459 - ulimit-n
460 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200461 - stats
Emeric Brun850efd52014-01-29 12:24:34 +0100462 - ssl-server-verify
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200463 - node
464 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100465 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100466
Willy Tarreau6a06a402007-07-15 20:15:28 +0200467 * Performance tuning
Willy Tarreau1746eec2014-04-25 10:46:47 +0200468 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200469 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200470 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100471 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100472 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100473 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200474 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200475 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200476 - maxsslrate
Willy Tarreau6a06a402007-07-15 20:15:28 +0200477 - noepoll
478 - nokqueue
479 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100480 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300481 - nogetaddrinfo
Willy Tarreaufe255b72007-10-14 23:09:26 +0200482 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200483 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200484 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100485 - tune.comp.maxlevel
Willy Tarreau193b8c62012-11-22 00:17:38 +0100486 - tune.http.cookielen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200487 - tune.http.maxhdr
Willy Tarreau7e312732014-02-12 16:35:14 +0100488 - tune.idletimer
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100489 - tune.lua.forced-yield
Willy Tarreau32f61e22015-03-18 17:54:59 +0100490 - tune.lua.maxmem
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100491 - tune.lua.session-timeout
492 - tune.lua.task-timeout
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100493 - tune.maxaccept
494 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200495 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200496 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100497 - tune.rcvbuf.client
498 - tune.rcvbuf.server
499 - tune.sndbuf.client
500 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100501 - tune.ssl.cachesize
Willy Tarreaubfd59462013-02-21 07:46:09 +0100502 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200503 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100504 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200505 - tune.ssl.default-dh-param
William Lallemanda509e4c2012-11-07 16:54:34 +0100506 - tune.zlib.memlevel
507 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100508
Willy Tarreau6a06a402007-07-15 20:15:28 +0200509 * Debugging
510 - debug
511 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200512
513
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005143.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200515------------------------------------
516
Emeric Brunc8e8d122012-10-02 18:42:10 +0200517ca-base <dir>
518 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200519 relative path is used with "ca-file" or "crl-file" directives. Absolute
520 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200521
Willy Tarreau6a06a402007-07-15 20:15:28 +0200522chroot <jail dir>
523 Changes current directory to <jail dir> and performs a chroot() there before
524 dropping privileges. This increases the security level in case an unknown
525 vulnerability would be exploited, since it would make it very hard for the
526 attacker to exploit the system. This only works when the process is started
527 with superuser privileges. It is important to ensure that <jail_dir> is both
528 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100529
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100530cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>...
531 On Linux 2.6 and above, it is possible to bind a process to a specific CPU
532 set. This means that the process will never run on other CPUs. The "cpu-map"
533 directive specifies CPU sets for process sets. The first argument is the
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100534 process number to bind. This process must have a number between 1 and 32 or
535 64, depending on the machine's word size, and any process IDs above nbproc
536 are ignored. It is possible to specify all processes at once using "all",
537 only odd numbers using "odd" or even numbers using "even", just like with the
538 "bind-process" directive. The second and forthcoming arguments are CPU sets.
539 Each CPU set is either a unique number between 0 and 31 or 63 or a range with
540 two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges
541 may be specified, and the processes will be allowed to bind to all of them.
542 Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map"
543 directive will replace the previous ones when they overlap.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100544
Emeric Brunc8e8d122012-10-02 18:42:10 +0200545crt-base <dir>
546 Assigns a default directory to fetch SSL certificates from when a relative
547 path is used with "crtfile" directives. Absolute locations specified after
548 "crtfile" prevail and ignore "crt-base".
549
Willy Tarreau6a06a402007-07-15 20:15:28 +0200550daemon
551 Makes the process fork into background. This is the recommended mode of
552 operation. It is equivalent to the command line "-D" argument. It can be
553 disabled by the command line "-db" argument.
554
Simon Horman98637e52014-06-20 12:30:16 +0900555external-check
556 Allows the use of an external agent to perform health checks.
557 This is disabled by default as a security precaution.
558 See "option external-check".
559
Willy Tarreau6a06a402007-07-15 20:15:28 +0200560gid <number>
561 Changes the process' group ID to <number>. It is recommended that the group
562 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
563 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100564 Note that if haproxy is started from a user having supplementary groups, it
565 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200566 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100567
Willy Tarreau6a06a402007-07-15 20:15:28 +0200568group <group name>
569 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
570 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100571
Willy Tarreau18324f52014-06-27 18:10:07 +0200572log <address> [len <length>] <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200573 Adds a global syslog server. Up to two global servers can be defined. They
574 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100575 configured with "log global".
576
577 <address> can be one of:
578
Willy Tarreau2769aa02007-12-27 18:26:09 +0100579 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100580 no port is specified, 514 is used by default (the standard syslog
581 port).
582
David du Colombier24bb5f52011-03-17 10:40:23 +0100583 - An IPv6 address followed by a colon and optionally a UDP port. If
584 no port is specified, 514 is used by default (the standard syslog
585 port).
586
Robert Tsai81ae1952007-12-05 10:47:29 +0100587 - A filesystem path to a UNIX domain socket, keeping in mind
588 considerations for chroot (be sure the path is accessible inside
589 the chroot) and uid/gid (be sure the path is appropriately
590 writeable).
591
Willy Tarreaudad36a32013-03-11 01:20:04 +0100592 Any part of the address string may reference any number of environment
593 variables by preceding their name with a dollar sign ('$') and
594 optionally enclosing them with braces ('{}'), similarly to what is done
595 in Bourne shell.
596
Willy Tarreau18324f52014-06-27 18:10:07 +0200597 <length> is an optional maximum line length. Log lines larger than this value
598 will be truncated before being sent. The reason is that syslog
599 servers act differently on log line length. All servers support the
600 default value of 1024, but some servers simply drop larger lines
601 while others do log them. If a server supports long lines, it may
602 make sense to set this value here in order to avoid truncating long
603 lines. Similarly, if a server drops long lines, it is preferable to
604 truncate them before sending them. Accepted values are 80 to 65535
605 inclusive. The default value of 1024 is generally fine for all
606 standard usages. Some specific cases of long captures or
607 JSON-formated logs may require larger values.
608
Robert Tsai81ae1952007-12-05 10:47:29 +0100609 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200610
611 kern user mail daemon auth syslog lpr news
612 uucp cron auth2 ftp ntp audit alert cron2
613 local0 local1 local2 local3 local4 local5 local6 local7
614
615 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200616 all messages are sent. If a maximum level is specified, only messages with a
617 severity at least as important as this level will be sent. An optional minimum
618 level can be specified. If it is set, logs emitted with a more severe level
619 than this one will be capped to this level. This is used to avoid sending
620 "emerg" messages on all terminals on some default syslog configurations.
621 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200622
Cyril Bontédc4d9032012-04-08 21:57:39 +0200623 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200624
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100625log-send-hostname [<string>]
626 Sets the hostname field in the syslog header. If optional "string" parameter
627 is set the header is set to the string contents, otherwise uses the hostname
628 of the system. Generally used if one is not relaying logs through an
629 intermediate syslog server or for simply customizing the hostname printed in
630 the logs.
631
Kevinm48936af2010-12-22 16:08:21 +0000632log-tag <string>
633 Sets the tag field in the syslog header to this string. It defaults to the
634 program name as launched from the command line, which usually is "haproxy".
635 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +0100636 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +0000637
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100638lua-load <file>
639 This global directive loads and executes a Lua file. This directive can be
640 used multiple times.
641
Willy Tarreau6a06a402007-07-15 20:15:28 +0200642nbproc <number>
643 Creates <number> processes when going daemon. This requires the "daemon"
644 mode. By default, only one process is created, which is the recommended mode
645 of operation. For systems limited to small sets of file descriptors per
646 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
647 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
648
649pidfile <pidfile>
650 Writes pids of all daemons into file <pidfile>. This option is equivalent to
651 the "-p" command line argument. The file must be accessible to the user
652 starting the process. See also "daemon".
653
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100654stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +0200655 Limits the stats socket to a certain set of processes numbers. By default the
656 stats socket is bound to all processes, causing a warning to be emitted when
657 nbproc is greater than 1 because there is no way to select the target process
658 when connecting. However, by using this setting, it becomes possible to pin
659 the stats socket to a specific set of processes, typically the first one. The
660 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100661 the number of processes used. The maximum process ID depends on the machine's
Willy Tarreauae302532014-05-07 19:22:24 +0200662 word size (32 or 64). A better option consists in using the "process" setting
663 of the "stats socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +0200664
Willy Tarreau610f04b2014-02-13 11:36:41 +0100665ssl-default-bind-ciphers <ciphers>
666 This setting is only available when support for OpenSSL was built in. It sets
667 the default string describing the list of cipher algorithms ("cipher suite")
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300668 that are negotiated during the SSL/TLS handshake for all "bind" lines which
Willy Tarreau610f04b2014-02-13 11:36:41 +0100669 do not explicitly define theirs. The format of the string is defined in
670 "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
671 as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
672 "bind" keyword for more information.
673
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100674ssl-default-bind-options [<option>]...
675 This setting is only available when support for OpenSSL was built in. It sets
676 default ssl-options to force on all "bind" lines. Please check the "bind"
677 keyword to see available options.
678
679 Example:
680 global
681 ssl-default-bind-options no-sslv3 no-tls-tickets
682
Willy Tarreau610f04b2014-02-13 11:36:41 +0100683ssl-default-server-ciphers <ciphers>
684 This setting is only available when support for OpenSSL was built in. It
685 sets the default string describing the list of cipher algorithms that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300686 negotiated during the SSL/TLS handshake with the server, for all "server"
Willy Tarreau610f04b2014-02-13 11:36:41 +0100687 lines which do not explicitly define theirs. The format of the string is
688 defined in "man 1 ciphers". Please check the "server" keyword for more
689 information.
690
Emeric Brun2c86cbf2014-10-30 15:56:50 +0100691ssl-default-server-options [<option>]...
692 This setting is only available when support for OpenSSL was built in. It sets
693 default ssl-options to force on all "server" lines. Please check the "server"
694 keyword to see available options.
695
Emeric Brun850efd52014-01-29 12:24:34 +0100696ssl-server-verify [none|required]
697 The default behavior for SSL verify on servers side. If specified to 'none',
698 servers certificates are not verified. The default is 'required' except if
699 forced using cmdline option '-dV'.
700
Willy Tarreauabb175f2012-09-24 12:43:26 +0200701stats socket [<address:port>|<path>] [param*]
702 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
703 Connections to this socket will return various statistics outputs and even
704 allow some commands to be issued to change some runtime settings. Please
705 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200706
Willy Tarreauabb175f2012-09-24 12:43:26 +0200707 All parameters supported by "bind" lines are supported, for instance to
708 restrict access to some users or their access rights. Please consult
709 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200710
711stats timeout <timeout, in milliseconds>
712 The default timeout on the stats socket is set to 10 seconds. It is possible
713 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100714 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200715
716stats maxconn <connections>
717 By default, the stats socket is limited to 10 concurrent connections. It is
718 possible to change this value with "stats maxconn".
719
Willy Tarreau6a06a402007-07-15 20:15:28 +0200720uid <number>
721 Changes the process' user ID to <number>. It is recommended that the user ID
722 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
723 be started with superuser privileges in order to be able to switch to another
724 one. See also "gid" and "user".
725
726ulimit-n <number>
727 Sets the maximum number of per-process file-descriptors to <number>. By
728 default, it is automatically computed, so it is recommended not to use this
729 option.
730
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100731unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
732 [ group <group> ] [ gid <gid> ]
733
734 Fixes common settings to UNIX listening sockets declared in "bind" statements.
735 This is mainly used to simplify declaration of those UNIX sockets and reduce
736 the risk of errors, since those settings are most commonly required but are
737 also process-specific. The <prefix> setting can be used to force all socket
738 path to be relative to that directory. This might be needed to access another
739 component's chroot. Note that those paths are resolved before haproxy chroots
740 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
741 all have the same meaning as their homonyms used by the "bind" statement. If
742 both are specified, the "bind" statement has priority, meaning that the
743 "unix-bind" settings may be seen as process-wide default settings.
744
Willy Tarreau6a06a402007-07-15 20:15:28 +0200745user <user name>
746 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
747 See also "uid" and "group".
748
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200749node <name>
750 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
751
752 This statement is useful in HA configurations where two or more processes or
753 servers share the same IP address. By setting a different node-name on all
754 nodes, it becomes easy to immediately spot what server is handling the
755 traffic.
756
757description <text>
758 Add a text that describes the instance.
759
760 Please note that it is required to escape certain characters (# for example)
761 and this text is inserted into a html page so you should avoid using
762 "<" and ">" characters.
763
Willy Tarreau6a06a402007-07-15 20:15:28 +0200764
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007653.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200766-----------------------
767
Willy Tarreau1746eec2014-04-25 10:46:47 +0200768max-spread-checks <delay in milliseconds>
769 By default, haproxy tries to spread the start of health checks across the
770 smallest health check interval of all the servers in a farm. The principle is
771 to avoid hammering services running on the same server. But when using large
772 check intervals (10 seconds or more), the last servers in the farm take some
773 time before starting to be tested, which can be a problem. This parameter is
774 used to enforce an upper bound on delay between the first and the last check,
775 even if the servers' check intervals are larger. When servers run with
776 shorter intervals, their intervals will be respected though.
777
Willy Tarreau6a06a402007-07-15 20:15:28 +0200778maxconn <number>
779 Sets the maximum per-process number of concurrent connections to <number>. It
780 is equivalent to the command-line argument "-n". Proxies will stop accepting
781 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +0200782 automatically adjusted according to this value. See also "ulimit-n". Note:
783 the "select" poller cannot reliably use more than 1024 file descriptors on
784 some platforms. If your platform only supports select and reports "select
785 FAILED" on startup, you need to reduce maxconn until it works (slightly
Willy Tarreaud0256482015-01-15 21:45:22 +0100786 below 500 in general). If this value is not set, it will default to the value
787 set in DEFAULT_MAXCONN at build time (reported in haproxy -vv) if no memory
788 limit is enforced, or will be computed based on the memory limit, the buffer
789 size, memory allocated to compression, SSL cache size, and use or not of SSL
790 and the associated maxsslconn (which can also be automatic).
Willy Tarreau6a06a402007-07-15 20:15:28 +0200791
Willy Tarreau81c25d02011-09-07 15:17:21 +0200792maxconnrate <number>
793 Sets the maximum per-process number of connections per second to <number>.
794 Proxies will stop accepting connections when this limit is reached. It can be
795 used to limit the global capacity regardless of each frontend capacity. It is
796 important to note that this can only be used as a service protection measure,
797 as there will not necessarily be a fair share between frontends when the
798 limit is reached, so it's a good idea to also limit each frontend to some
799 value close to its expected share. Also, lowering tune.maxaccept can improve
800 fairness.
801
William Lallemandd85f9172012-11-09 17:05:39 +0100802maxcomprate <number>
803 Sets the maximum per-process input compression rate to <number> kilobytes
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300804 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +0100805 level will be decreased during the session. If the maximum is reached at the
806 beginning of a session, the session will not compress at all. If the maximum
807 is not reached, the compression level will be increased up to
808 tune.comp.maxlevel. A value of zero means there is no limit, this is the
809 default value.
810
William Lallemand072a2bf2012-11-20 17:01:01 +0100811maxcompcpuusage <number>
812 Sets the maximum CPU usage HAProxy can reach before stopping the compression
813 for new requests or decreasing the compression level of current requests.
814 It works like 'maxcomprate' but measures CPU usage instead of incoming data
815 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
816 case of multiple processes (nbproc > 1), each process manages its individual
817 usage. A value of 100 disable the limit. The default value is 100. Setting
818 a lower value will prevent the compression work from slowing the whole
819 process down and from introducing high latencies.
820
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100821maxpipes <number>
822 Sets the maximum per-process number of pipes to <number>. Currently, pipes
823 are only used by kernel-based tcp splicing. Since a pipe contains two file
824 descriptors, the "ulimit-n" value will be increased accordingly. The default
825 value is maxconn/4, which seems to be more than enough for most heavy usages.
826 The splice code dynamically allocates and releases pipes, and can fall back
827 to standard copy, so setting this value too low may only impact performance.
828
Willy Tarreau93e7c002013-10-07 18:51:07 +0200829maxsessrate <number>
830 Sets the maximum per-process number of sessions per second to <number>.
831 Proxies will stop accepting connections when this limit is reached. It can be
832 used to limit the global capacity regardless of each frontend capacity. It is
833 important to note that this can only be used as a service protection measure,
834 as there will not necessarily be a fair share between frontends when the
835 limit is reached, so it's a good idea to also limit each frontend to some
836 value close to its expected share. Also, lowering tune.maxaccept can improve
837 fairness.
838
Willy Tarreau403edff2012-09-06 11:58:37 +0200839maxsslconn <number>
840 Sets the maximum per-process number of concurrent SSL connections to
841 <number>. By default there is no SSL-specific limit, which means that the
842 global maxconn setting will apply to all connections. Setting this limit
843 avoids having openssl use too much memory and crash when malloc returns NULL
844 (since it unfortunately does not reliably check for such conditions). Note
845 that the limit applies both to incoming and outgoing connections, so one
846 connection which is deciphered then ciphered accounts for 2 SSL connections.
Willy Tarreaud0256482015-01-15 21:45:22 +0100847 If this value is not set, but a memory limit is enforced, this value will be
848 automatically computed based on the memory limit, maxconn, the buffer size,
849 memory allocated to compression, SSL cache size, and use of SSL in either
850 frontends, backends or both. If neither maxconn nor maxsslconn are specified
851 when there is a memory limit, haproxy will automatically adjust these values
852 so that 100% of the connections can be made over SSL with no risk, and will
853 consider the sides where it is enabled (frontend, backend, both).
Willy Tarreau403edff2012-09-06 11:58:37 +0200854
Willy Tarreaue43d5322013-10-07 20:01:52 +0200855maxsslrate <number>
856 Sets the maximum per-process number of SSL sessions per second to <number>.
857 SSL listeners will stop accepting connections when this limit is reached. It
858 can be used to limit the global SSL CPU usage regardless of each frontend
859 capacity. It is important to note that this can only be used as a service
860 protection measure, as there will not necessarily be a fair share between
861 frontends when the limit is reached, so it's a good idea to also limit each
862 frontend to some value close to its expected share. It is also important to
863 note that the sessions are accounted before they enter the SSL stack and not
864 after, which also protects the stack against bad handshakes. Also, lowering
865 tune.maxaccept can improve fairness.
866
William Lallemand9d5f5482012-11-07 16:12:57 +0100867maxzlibmem <number>
868 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
869 When the maximum amount is reached, future sessions will not compress as long
870 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +0100871 The default value is 0. The value is available in bytes on the UNIX socket
872 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
873 "ZlibMemUsage" in bytes.
874
Willy Tarreau6a06a402007-07-15 20:15:28 +0200875noepoll
876 Disables the use of the "epoll" event polling system on Linux. It is
877 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100878 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200879
880nokqueue
881 Disables the use of the "kqueue" event polling system on BSD. It is
882 equivalent to the command-line argument "-dk". The next polling system
883 used will generally be "poll". See also "nopoll".
884
885nopoll
886 Disables the use of the "poll" event polling system. It is equivalent to the
887 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100888 It should never be needed to disable "poll" since it's available on all
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100889 platforms supported by HAProxy. See also "nokqueue" and "noepoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200890
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100891nosplice
892 Disables the use of kernel tcp splicing between sockets on Linux. It is
893 equivalent to the command line argument "-dS". Data will then be copied
894 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100895 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100896 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
897 be used. This option makes it easier to globally disable kernel splicing in
898 case of doubt. See also "option splice-auto", "option splice-request" and
899 "option splice-response".
900
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300901nogetaddrinfo
902 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
903 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
904
Willy Tarreaufe255b72007-10-14 23:09:26 +0200905spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +0900906 Sometimes it is desirable to avoid sending agent and health checks to
907 servers at exact intervals, for instance when many logical servers are
908 located on the same physical server. With the help of this parameter, it
909 becomes possible to add some randomness in the check interval between 0
910 and +/- 50%. A value between 2 and 5 seems to show good results. The
911 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +0200912
Willy Tarreau33cb0652014-12-23 22:52:37 +0100913tune.buffers.limit <number>
914 Sets a hard limit on the number of buffers which may be allocated per process.
915 The default value is zero which means unlimited. The minimum non-zero value
916 will always be greater than "tune.buffers.reserve" and should ideally always
917 be about twice as large. Forcing this value can be particularly useful to
918 limit the amount of memory a process may take, while retaining a sane
919 behaviour. When this limit is reached, sessions which need a buffer wait for
920 another one to be released by another session. Since buffers are dynamically
921 allocated and released, the waiting time is very short and not perceptible
922 provided that limits remain reasonable. In fact sometimes reducing the limit
923 may even increase performance by increasing the CPU cache's efficiency. Tests
924 have shown good results on average HTTP traffic with a limit to 1/10 of the
925 expected global maxconn setting, which also significantly reduces memory
926 usage. The memory savings come from the fact that a number of connections
927 will not allocate 2*tune.bufsize. It is best not to touch this value unless
928 advised to do so by an haproxy core developer.
929
Willy Tarreau1058ae72014-12-23 22:40:40 +0100930tune.buffers.reserve <number>
931 Sets the number of buffers which are pre-allocated and reserved for use only
932 during memory shortage conditions resulting in failed memory allocations. The
933 minimum value is 2 and is also the default. There is no reason a user would
934 want to change this value, it's mostly aimed at haproxy core developers.
935
Willy Tarreau27a674e2009-08-17 07:23:33 +0200936tune.bufsize <number>
937 Sets the buffer size to this size (in bytes). Lower values allow more
938 sessions to coexist in the same amount of RAM, and higher values allow some
939 applications with very large cookies to work. The default value is 16384 and
940 can be changed at build time. It is strongly recommended not to change this
941 from the default value, as very low values will break some services such as
942 statistics, and values larger than default size will increase memory usage,
943 possibly causing the system to run out of memory. At least the global maxconn
944 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +0400945 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
946 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
947 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +0200948
Willy Tarreau43961d52010-10-04 20:39:20 +0200949tune.chksize <number>
950 Sets the check buffer size to this size (in bytes). Higher values may help
951 find string or regex patterns in very large pages, though doing so may imply
952 more memory and CPU usage. The default value is 16384 and can be changed at
953 build time. It is not recommended to change this value, but to use better
954 checks whenever possible.
955
William Lallemandf3747832012-11-09 12:33:10 +0100956tune.comp.maxlevel <number>
957 Sets the maximum compression level. The compression level affects CPU
958 usage during compression. This value affects CPU usage during compression.
959 Each session using compression initializes the compression algorithm with
960 this value. The default value is 1.
961
Willy Tarreau193b8c62012-11-22 00:17:38 +0100962tune.http.cookielen <number>
963 Sets the maximum length of captured cookies. This is the maximum value that
964 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
965 will automatically be truncated to this one. It is important not to set too
966 high a value because all cookie captures still allocate this size whatever
967 their configured value (they share a same pool). This value is per request
968 per response, so the memory allocated is twice this value per connection.
969 When not specified, the limit is set to 63 characters. It is recommended not
970 to change this value.
971
Willy Tarreauac1932d2011-10-24 19:14:41 +0200972tune.http.maxhdr <number>
973 Sets the maximum number of headers in a request. When a request comes with a
974 number of headers greater than this value (including the first line), it is
975 rejected with a "400 Bad Request" status code. Similarly, too large responses
976 are blocked with "502 Bad Gateway". The default value is 101, which is enough
977 for all usages, considering that the widely deployed Apache server uses the
978 same limit. It can be useful to push this limit further to temporarily allow
979 a buggy application to work by the time it gets fixed. Keep in mind that each
980 new header consumes 32bits of memory for each session, so don't push this
981 limit too high.
982
Willy Tarreau7e312732014-02-12 16:35:14 +0100983tune.idletimer <timeout>
984 Sets the duration after which haproxy will consider that an empty buffer is
985 probably associated with an idle stream. This is used to optimally adjust
986 some packet sizes while forwarding large and small data alternatively. The
987 decision to use splice() or to send large buffers in SSL is modulated by this
988 parameter. The value is in milliseconds between 0 and 65535. A value of zero
989 means that haproxy will not try to detect idle streams. The default is 1000,
990 which seems to correctly detect end user pauses (eg: read a page before
991 clicking). There should be not reason for changing this value. Please check
992 tune.ssl.maxrecord below.
993
Thierry FOURNIER90da1912015-03-05 11:17:06 +0100994tune.lua.forced-yield <number>
995 This directive forces the Lua engine to execute a yield each <number> of
996 instructions executed. This permits interruptng a long script and allows the
997 HAProxy scheduler to process other tasks like accepting connections or
998 forwarding traffic. The default value is 10000 instructions. If HAProxy often
999 executes some Lua code but more reactivity is required, this value can be
1000 lowered. If the Lua code is quite long and its result is absolutely required
1001 to process the data, the <number> can be increased.
1002
Willy Tarreau32f61e22015-03-18 17:54:59 +01001003tune.lua.maxmem
1004 Sets the maximum amount of RAM in megabytes per process usable by Lua. By
1005 default it is zero which means unlimited. It is important to set a limit to
1006 ensure that a bug in a script will not result in the system running out of
1007 memory.
1008
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001009tune.lua.session-timeout <timeout>
1010 This is the execution timeout for the Lua sessions. This is useful for
1011 preventing infinite loops or spending too much time in Lua. This timeout has a
1012 priority over other timeouts. For example, if this timeout is set to 4s and
1013 you run a 5s sleep, the code will be interrupted with an error after waiting
1014 4s.
1015
1016tune.lua.task-timeout <timeout>
1017 Purpose is the same as "tune.lua.session-timeout", but this timeout is
1018 dedicated to the tasks. By default, this timeout isn't set because a task may
1019 remain alive during of the lifetime of HAProxy. For example, a task used to
1020 check servers.
1021
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001022tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +01001023 Sets the maximum number of consecutive connections a process may accept in a
1024 row before switching to other work. In single process mode, higher numbers
1025 give better performance at high connection rates. However in multi-process
1026 modes, keeping a bit of fairness between processes generally is better to
1027 increase performance. This value applies individually to each listener, so
1028 that the number of processes a listener is bound to is taken into account.
1029 This value defaults to 64. In multi-process mode, it is divided by twice
1030 the number of processes the listener is bound to. Setting this value to -1
1031 completely disables the limitation. It should normally not be needed to tweak
1032 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001033
1034tune.maxpollevents <number>
1035 Sets the maximum amount of events that can be processed at once in a call to
1036 the polling system. The default value is adapted to the operating system. It
1037 has been noticed that reducing it below 200 tends to slightly decrease
1038 latency at the expense of network bandwidth, and increasing it above 200
1039 tends to trade latency for slightly increased bandwidth.
1040
Willy Tarreau27a674e2009-08-17 07:23:33 +02001041tune.maxrewrite <number>
1042 Sets the reserved buffer space to this size in bytes. The reserved space is
1043 used for header rewriting or appending. The first reads on sockets will never
1044 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
1045 bufsize, though that does not make much sense since there are rarely large
1046 numbers of headers to add. Setting it too high prevents processing of large
1047 requests or responses. Setting it too low prevents addition of new headers
1048 to already large requests or to POST requests. It is generally wise to set it
1049 to about 1024. It is automatically readjusted to half of bufsize if it is
1050 larger than that. This means you don't have to worry about it when changing
1051 bufsize.
1052
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02001053tune.pipesize <number>
1054 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
1055 are the default size for the system. But sometimes when using TCP splicing,
1056 it can improve performance to increase pipe sizes, especially if it is
1057 suspected that pipes are not filled and that many calls to splice() are
1058 performed. This has an impact on the kernel's memory footprint, so this must
1059 not be changed if impacts are not understood.
1060
Willy Tarreaue803de22010-01-21 17:43:04 +01001061tune.rcvbuf.client <number>
1062tune.rcvbuf.server <number>
1063 Forces the kernel socket receive buffer size on the client or the server side
1064 to the specified value in bytes. This value applies to all TCP/HTTP frontends
1065 and backends. It should normally never be set, and the default size (0) lets
1066 the kernel autotune this value depending on the amount of available memory.
1067 However it can sometimes help to set it to very low values (eg: 4096) in
1068 order to save kernel memory by preventing it from buffering too large amounts
1069 of received data. Lower values will significantly increase CPU usage though.
1070
1071tune.sndbuf.client <number>
1072tune.sndbuf.server <number>
1073 Forces the kernel socket send buffer size on the client or the server side to
1074 the specified value in bytes. This value applies to all TCP/HTTP frontends
1075 and backends. It should normally never be set, and the default size (0) lets
1076 the kernel autotune this value depending on the amount of available memory.
1077 However it can sometimes help to set it to very low values (eg: 4096) in
1078 order to save kernel memory by preventing it from buffering too large amounts
1079 of received data. Lower values will significantly increase CPU usage though.
1080 Another use case is to prevent write timeouts with extremely slow clients due
1081 to the kernel waiting for a large part of the buffer to be read before
1082 notifying haproxy again.
1083
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001084tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01001085 Sets the size of the global SSL session cache, in a number of blocks. A block
1086 is large enough to contain an encoded session without peer certificate.
1087 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001088 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +01001089 200 bytes of memory. The default value may be forced at build time, otherwise
1090 defaults to 20000. When the cache is full, the most idle entries are purged
1091 and reassigned. Higher values reduce the occurrence of such a purge, hence
1092 the number of CPU-intensive SSL handshakes by ensuring that all users keep
1093 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +01001094 and are shared between all processes if "nbproc" is greater than 1. Setting
1095 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001096
Emeric Brun8dc60392014-05-09 13:52:00 +02001097tune.ssl.force-private-cache
1098 This boolean disables SSL session cache sharing between all processes. It
1099 should normally not be used since it will force many renegotiations due to
1100 clients hitting a random process. But it may be required on some operating
1101 systems where none of the SSL cache synchronization method may be used. In
1102 this case, adding a first layer of hash-based load balancing before the SSL
1103 layer might limit the impact of the lack of session sharing.
1104
Emeric Brun4f65bff2012-11-16 15:11:00 +01001105tune.ssl.lifetime <timeout>
1106 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001107 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01001108 does not guarantee that sessions will last that long, because if the cache is
1109 full, the longest idle sessions will be purged despite their configured
1110 lifetime. The real usefulness of this setting is to prevent sessions from
1111 being used for too long.
1112
Willy Tarreaubfd59462013-02-21 07:46:09 +01001113tune.ssl.maxrecord <number>
1114 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
1115 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
1116 data only once it has received a full record. With large records, it means
1117 that clients might have to download up to 16kB of data before starting to
1118 process them. Limiting the value can improve page load times on browsers
1119 located over high latency or low bandwidth networks. It is suggested to find
1120 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
1121 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
1122 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
1123 2859 gave good results during tests. Use "strace -e trace=write" to find the
Willy Tarreau7e312732014-02-12 16:35:14 +01001124 best value. Haproxy will automatically switch to this setting after an idle
1125 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01001126
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001127tune.ssl.default-dh-param <number>
1128 Sets the maximum size of the Diffie-Hellman parameters used for generating
1129 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
1130 final size will try to match the size of the server's RSA (or DSA) key (e.g,
1131 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
1132 this maximum value. Default value if 1024. Only 1024 or higher values are
1133 allowed. Higher values will increase the CPU load, and values greater than
1134 1024 bits are not supported by Java 7 and earlier clients. This value is not
1135 used if static Diffie-Hellman parameters are supplied via the certificate file.
1136
William Lallemanda509e4c2012-11-07 16:54:34 +01001137tune.zlib.memlevel <number>
1138 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001139 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01001140 state. A value of 1 uses minimum memory but is slow and reduces compression
1141 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
1142 between 1 and 9. The default value is 8.
1143
1144tune.zlib.windowsize <number>
1145 Sets the window size (the size of the history buffer) as a parameter of the
1146 zlib initialization for each session. Larger values of this parameter result
1147 in better compression at the expense of memory usage. Can be a value between
1148 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001149
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011503.3. Debugging
1151--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02001152
1153debug
1154 Enables debug mode which dumps to stdout all exchanges, and disables forking
1155 into background. It is the equivalent of the command-line argument "-d". It
1156 should never be used in a production configuration since it may prevent full
1157 system startup.
1158
1159quiet
1160 Do not display any message during startup. It is equivalent to the command-
1161 line argument "-q".
1162
Emeric Brunf099e792010-09-27 12:05:28 +02001163
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010011643.4. Userlists
1165--------------
1166It is possible to control access to frontend/backend/listen sections or to
1167http stats by allowing only authenticated and authorized users. To do this,
1168it is required to create at least one userlist and to define users.
1169
1170userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01001171 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001172 used to store authentication & authorization data for independent customers.
1173
1174group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01001175 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001176 attach users to this group by using a comma separated list of names
1177 proceeded by "users" keyword.
1178
Cyril Bontéf0c60612010-02-06 14:44:47 +01001179user <username> [password|insecure-password <password>]
1180 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001181 Adds user <username> to the current userlist. Both secure (encrypted) and
1182 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +01001183 evaluated using the crypt(3) function so depending of the system's
1184 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001185 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001186 DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001187
1188
1189 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01001190 userlist L1
1191 group G1 users tiger,scott
1192 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001193
Cyril Bontéf0c60612010-02-06 14:44:47 +01001194 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
1195 user scott insecure-password elgato
1196 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001197
Cyril Bontéf0c60612010-02-06 14:44:47 +01001198 userlist L2
1199 group G1
1200 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001201
Cyril Bontéf0c60612010-02-06 14:44:47 +01001202 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
1203 user scott insecure-password elgato groups G1,G2
1204 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001205
1206 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001207
Emeric Brunf099e792010-09-27 12:05:28 +02001208
12093.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02001210----------
Emeric Brunf099e792010-09-27 12:05:28 +02001211It is possible to synchronize server entries in stick tables between several
1212haproxy instances over TCP connections in a multi-master fashion. Each instance
1213pushes its local updates and insertions to remote peers. Server IDs are used to
1214identify servers remotely, so it is important that configurations look similar
1215or at least that the same IDs are forced on each server on all participants.
1216Interrupted exchanges are automatically detected and recovered from the last
1217known point. In addition, during a soft restart, the old process connects to
1218the new one using such a TCP connection to push all its entries before the new
1219process tries to connect to other peers. That ensures very fast replication
1220during a reload, it typically takes a fraction of a second even for large
1221tables.
1222
1223peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001224 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02001225 which is referenced by one or more stick-tables.
1226
1227peer <peername> <ip>:<port>
1228 Defines a peer inside a peers section.
1229 If <peername> is set to the local peer name (by default hostname, or forced
1230 using "-L" command line option), haproxy will listen for incoming remote peer
1231 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
1232 to join the remote peer, and <peername> is used at the protocol level to
1233 identify and validate the remote peer on the server side.
1234
1235 During a soft restart, local peer <ip>:<port> is used by the old instance to
1236 connect the new one and initiate a complete replication (teaching process).
1237
1238 It is strongly recommended to have the exact same peers declaration on all
1239 peers and to only rely on the "-L" command line argument to change the local
1240 peer name. This makes it easier to maintain coherent configuration files
1241 across all peers.
1242
Willy Tarreaudad36a32013-03-11 01:20:04 +01001243 Any part of the address string may reference any number of environment
1244 variables by preceding their name with a dollar sign ('$') and optionally
1245 enclosing them with braces ('{}'), similarly to what is done in Bourne shell.
1246
Cyril Bontédc4d9032012-04-08 21:57:39 +02001247 Example:
Emeric Brunf099e792010-09-27 12:05:28 +02001248 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001249 peer haproxy1 192.168.0.1:1024
1250 peer haproxy2 192.168.0.2:1024
1251 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02001252
1253 backend mybackend
1254 mode tcp
1255 balance roundrobin
1256 stick-table type ip size 20k peers mypeers
1257 stick on src
1258
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001259 server srv1 192.168.0.30:80
1260 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02001261
1262
Simon Horman51a1cf62015-02-03 13:00:44 +090012633.6. Mailers
1264------------
1265It is possible to send email alerts when the state of servers changes.
1266If configured email alerts are sent to each mailer that is configured
1267in a mailers section. Email is sent to mailers using SMTP.
1268
1269mailer <mailersect>
1270 Creates a new mailer list with the name <mailersect>. It is an
1271 independent section which is referenced by one or more proxies.
1272
1273mailer <mailername> <ip>:<port>
1274 Defines a mailer inside a mailers section.
1275
1276 Example:
1277 mailers mymailers
1278 mailer smtp1 192.168.0.1:587
1279 mailer smtp2 192.168.0.2:587
1280
1281 backend mybackend
1282 mode tcp
1283 balance roundrobin
1284
1285 email-alert mailers mymailers
1286 email-alert from test1@horms.org
1287 email-alert to test2@horms.org
1288
1289 server srv1 192.168.0.30:80
1290 server srv2 192.168.0.31:80
1291
1292
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012934. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02001294----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001295
Willy Tarreau6a06a402007-07-15 20:15:28 +02001296Proxy configuration can be located in a set of sections :
1297 - defaults <name>
1298 - frontend <name>
1299 - backend <name>
1300 - listen <name>
1301
1302A "defaults" section sets default parameters for all other sections following
1303its declaration. Those default parameters are reset by the next "defaults"
1304section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001305section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001306
1307A "frontend" section describes a set of listening sockets accepting client
1308connections.
1309
1310A "backend" section describes a set of servers to which the proxy will connect
1311to forward incoming connections.
1312
1313A "listen" section defines a complete proxy with its frontend and backend
1314parts combined in one section. It is generally useful for TCP-only traffic.
1315
Willy Tarreau0ba27502007-12-24 16:55:16 +01001316All proxy names must be formed from upper and lower case letters, digits,
1317'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
1318case-sensitive, which means that "www" and "WWW" are two different proxies.
1319
1320Historically, all proxy names could overlap, it just caused troubles in the
1321logs. Since the introduction of content switching, it is mandatory that two
1322proxies with overlapping capabilities (frontend/backend) have different names.
1323However, it is still permitted that a frontend and a backend share the same
1324name, as this configuration seems to be commonly encountered.
1325
1326Right now, two major proxy modes are supported : "tcp", also known as layer 4,
1327and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001328bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001329protocol, and can interact with it by allowing, blocking, switching, adding,
1330modifying, or removing arbitrary contents in requests or responses, based on
1331arbitrary criteria.
1332
Willy Tarreau70dffda2014-01-30 03:07:23 +01001333In HTTP mode, the processing applied to requests and responses flowing over
1334a connection depends in the combination of the frontend's HTTP options and
1335the backend's. HAProxy supports 5 connection modes :
1336
1337 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
1338 requests and responses are processed, and connections remain open but idle
1339 between responses and new requests.
1340
1341 - TUN: tunnel ("option http-tunnel") : this was the default mode for versions
1342 1.0 to 1.5-dev21 : only the first request and response are processed, and
1343 everything else is forwarded with no analysis at all. This mode should not
1344 be used as it creates lots of trouble with logging and HTTP processing.
1345
1346 - PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
1347 but with "Connection: close" appended in both directions to try to make
1348 both ends close after the first request/response exchange.
1349
1350 - SCL: server close ("option http-server-close") : the server-facing
1351 connection is closed after the end of the response is received, but the
1352 client-facing connection remains open.
1353
1354 - FCL: forced close ("option forceclose") : the connection is actively closed
1355 after the end of the response.
1356
1357The effective mode that will be applied to a connection passing through a
1358frontend and a backend can be determined by both proxy modes according to the
1359following matrix, but in short, the modes are symmetric, keep-alive is the
1360weakest option and force close is the strongest.
1361
1362 Backend mode
1363
1364 | KAL | TUN | PCL | SCL | FCL
1365 ----+-----+-----+-----+-----+----
1366 KAL | KAL | TUN | PCL | SCL | FCL
1367 ----+-----+-----+-----+-----+----
1368 TUN | TUN | TUN | PCL | SCL | FCL
1369 Frontend ----+-----+-----+-----+-----+----
1370 mode PCL | PCL | PCL | PCL | FCL | FCL
1371 ----+-----+-----+-----+-----+----
1372 SCL | SCL | SCL | FCL | SCL | FCL
1373 ----+-----+-----+-----+-----+----
1374 FCL | FCL | FCL | FCL | FCL | FCL
1375
Willy Tarreau0ba27502007-12-24 16:55:16 +01001376
Willy Tarreau70dffda2014-01-30 03:07:23 +01001377
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013784.1. Proxy keywords matrix
1379--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001380
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001381The following list of keywords is supported. Most of them may only be used in a
1382limited set of section types. Some of them are marked as "deprecated" because
1383they are inherited from an old syntax which may be confusing or functionally
1384limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001385marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001386option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02001387and must be disabled for a specific instance. Such options may also be prefixed
1388with "default" in order to restore default settings regardless of what has been
1389specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001390
Willy Tarreau6a06a402007-07-15 20:15:28 +02001391
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001392 keyword defaults frontend listen backend
1393------------------------------------+----------+----------+---------+---------
1394acl - X X X
1395appsession - - X X
1396backlog X X X -
1397balance X - X X
1398bind - X X -
1399bind-process X X X X
1400block - X X X
1401capture cookie - X X -
1402capture request header - X X -
1403capture response header - X X -
1404clitimeout (deprecated) X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02001405compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001406contimeout (deprecated) X - X X
1407cookie X - X X
1408default-server X - X X
1409default_backend X X X -
1410description - X X X
1411disabled X X X X
1412dispatch - - X X
Simon Horman51a1cf62015-02-03 13:00:44 +09001413email-alert from X X X X
Simon Horman64e34162015-02-06 11:11:57 +09001414email-alert level X X X X
Simon Horman51a1cf62015-02-03 13:00:44 +09001415email-alert mailers X X X X
1416email-alert myhostname X X X X
1417email-alert to X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001418enabled X X X X
1419errorfile X X X X
1420errorloc X X X X
1421errorloc302 X X X X
1422-- keyword -------------------------- defaults - frontend - listen -- backend -
1423errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001424force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001425fullconn X - X X
1426grace X X X X
1427hash-type X - X X
1428http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001429http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001430http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001431http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02001432http-response - X X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02001433http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001434id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001435ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001436log (*) X X X X
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01001437log-format X X X -
Willy Tarreau094af4e2015-01-07 15:03:42 +01001438log-tag X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02001439max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001440maxconn X X X -
1441mode X X X X
1442monitor fail - X X -
1443monitor-net X X X -
1444monitor-uri X X X -
1445option abortonclose (*) X - X X
1446option accept-invalid-http-request (*) X X X -
1447option accept-invalid-http-response (*) X - X X
1448option allbackups (*) X - X X
1449option checkcache (*) X - X X
1450option clitcpka (*) X X X -
1451option contstats (*) X X X -
1452option dontlog-normal (*) X X X -
1453option dontlognull (*) X X X -
1454option forceclose (*) X X X X
1455-- keyword -------------------------- defaults - frontend - listen -- backend -
1456option forwardfor X X X X
Willy Tarreau16bfb022010-01-16 19:48:41 +01001457option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001458option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001459option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001460option http-server-close (*) X X X X
Willy Tarreau02bce8b2014-01-30 00:15:28 +01001461option http-tunnel (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001462option http-use-proxy-header (*) X X X -
1463option httpchk X - X X
1464option httpclose (*) X X X X
1465option httplog X X X X
1466option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001467option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001468option ldap-check X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001469option external-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001470option log-health-checks (*) X - X X
1471option log-separate-errors (*) X X X -
1472option logasap (*) X X X -
1473option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001474option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001475option nolinger (*) X X X X
1476option originalto X X X X
1477option persist (*) X - X X
1478option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001479option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001480option smtpchk X - X X
1481option socket-stats (*) X X X -
1482option splice-auto (*) X X X X
1483option splice-request (*) X X X X
1484option splice-response (*) X X X X
1485option srvtcpka (*) X - X X
1486option ssl-hello-chk X - X X
1487-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01001488option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001489option tcp-smart-accept (*) X X X -
1490option tcp-smart-connect (*) X - X X
1491option tcpka X X X X
1492option tcplog X X X X
1493option transparent (*) X - X X
Simon Horman98637e52014-06-20 12:30:16 +09001494external-check command X - X X
1495external-check path X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001496persist rdp-cookie X - X X
1497rate-limit sessions X X X -
1498redirect - X X X
1499redisp (deprecated) X - X X
1500redispatch (deprecated) X - X X
1501reqadd - X X X
1502reqallow - X X X
1503reqdel - X X X
1504reqdeny - X X X
1505reqiallow - X X X
1506reqidel - X X X
1507reqideny - X X X
1508reqipass - X X X
1509reqirep - X X X
1510reqisetbe - X X X
1511reqitarpit - X X X
1512reqpass - X X X
1513reqrep - X X X
1514-- keyword -------------------------- defaults - frontend - listen -- backend -
1515reqsetbe - X X X
1516reqtarpit - X X X
1517retries X - X X
1518rspadd - X X X
1519rspdel - X X X
1520rspdeny - X X X
1521rspidel - X X X
1522rspideny - X X X
1523rspirep - X X X
1524rsprep - X X X
1525server - - X X
1526source X - X X
1527srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001528stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001529stats auth X - X X
1530stats enable X - X X
1531stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001532stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001533stats realm X - X X
1534stats refresh X - X X
1535stats scope X - X X
1536stats show-desc X - X X
1537stats show-legends X - X X
1538stats show-node X - X X
1539stats uri X - X X
1540-- keyword -------------------------- defaults - frontend - listen -- backend -
1541stick match - - X X
1542stick on - - X X
1543stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001544stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001545stick-table - - X X
Willy Tarreau938c7fe2014-04-25 14:21:39 +02001546tcp-check connect - - X X
1547tcp-check expect - - X X
1548tcp-check send - - X X
1549tcp-check send-binary - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001550tcp-request connection - X X -
1551tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001552tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001553tcp-response content - - X X
1554tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001555timeout check X - X X
1556timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02001557timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001558timeout clitimeout (deprecated) X X X -
1559timeout connect X - X X
1560timeout contimeout (deprecated) X - X X
1561timeout http-keep-alive X X X X
1562timeout http-request X X X X
1563timeout queue X - X X
1564timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02001565timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001566timeout srvtimeout (deprecated) X - X X
1567timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001568timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001569transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001570unique-id-format X X X -
1571unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001572use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001573use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001574------------------------------------+----------+----------+---------+---------
1575 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001576
Willy Tarreau0ba27502007-12-24 16:55:16 +01001577
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015784.2. Alphabetically sorted keywords reference
1579---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001580
1581This section provides a description of each keyword and its usage.
1582
1583
1584acl <aclname> <criterion> [flags] [operator] <value> ...
1585 Declare or complete an access list.
1586 May be used in sections : defaults | frontend | listen | backend
1587 no | yes | yes | yes
1588 Example:
1589 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1590 acl invalid_src src_port 0:1023
1591 acl local_dst hdr(host) -i localhost
1592
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001593 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001594
1595
Cyril Bontéb21570a2009-11-29 20:04:48 +01001596appsession <cookie> len <length> timeout <holdtime>
1597 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001598 Define session stickiness on an existing application cookie.
1599 May be used in sections : defaults | frontend | listen | backend
1600 no | no | yes | yes
1601 Arguments :
1602 <cookie> this is the name of the cookie used by the application and which
1603 HAProxy will have to learn for each new session.
1604
Cyril Bontéb21570a2009-11-29 20:04:48 +01001605 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001606 checked in each cookie value.
1607
1608 <holdtime> this is the time after which the cookie will be removed from
1609 memory if unused. If no unit is specified, this time is in
1610 milliseconds.
1611
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001612 request-learn
1613 If this option is specified, then haproxy will be able to learn
1614 the cookie found in the request in case the server does not
1615 specify any in response. This is typically what happens with
1616 PHPSESSID cookies, or when haproxy's session expires before
1617 the application's session and the correct server is selected.
1618 It is recommended to specify this option to improve reliability.
1619
Cyril Bontéb21570a2009-11-29 20:04:48 +01001620 prefix When this option is specified, haproxy will match on the cookie
1621 prefix (or URL parameter prefix). The appsession value is the
1622 data following this prefix.
1623
1624 Example :
1625 appsession ASPSESSIONID len 64 timeout 3h prefix
1626
1627 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1628 the appsession value will be XXXX=XXXXX.
1629
1630 mode This option allows to change the URL parser mode.
1631 2 modes are currently supported :
1632 - path-parameters :
1633 The parser looks for the appsession in the path parameters
1634 part (each parameter is separated by a semi-colon), which is
1635 convenient for JSESSIONID for example.
1636 This is the default mode if the option is not set.
1637 - query-string :
1638 In this mode, the parser will look for the appsession in the
1639 query string.
1640
Willy Tarreau0ba27502007-12-24 16:55:16 +01001641 When an application cookie is defined in a backend, HAProxy will check when
1642 the server sets such a cookie, and will store its value in a table, and
1643 associate it with the server's identifier. Up to <length> characters from
1644 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001645 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1646 the mode used). If a known value is found, the client will be directed to the
1647 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001648 applied. Cookies are automatically removed from memory when they have been
1649 unused for a duration longer than <holdtime>.
1650
1651 The definition of an application cookie is limited to one per backend.
1652
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001653 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1654 unless you know what you do : memory is not shared between the
1655 processes, which can result in random behaviours.
1656
Willy Tarreau0ba27502007-12-24 16:55:16 +01001657 Example :
1658 appsession JSESSIONID len 52 timeout 3h
1659
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001660 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1661 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001662
1663
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001664backlog <conns>
1665 Give hints to the system about the approximate listen backlog desired size
1666 May be used in sections : defaults | frontend | listen | backend
1667 yes | yes | yes | no
1668 Arguments :
1669 <conns> is the number of pending connections. Depending on the operating
1670 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001671 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001672
1673 In order to protect against SYN flood attacks, one solution is to increase
1674 the system's SYN backlog size. Depending on the system, sometimes it is just
1675 tunable via a system parameter, sometimes it is not adjustable at all, and
1676 sometimes the system relies on hints given by the application at the time of
1677 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1678 to the listen() syscall. On systems which can make use of this value, it can
1679 sometimes be useful to be able to specify a different value, hence this
1680 backlog parameter.
1681
1682 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1683 used as a hint and the system accepts up to the smallest greater power of
1684 two, and never more than some limits (usually 32768).
1685
1686 See also : "maxconn" and the target operating system's tuning guide.
1687
1688
Willy Tarreau0ba27502007-12-24 16:55:16 +01001689balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02001690balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001691 Define the load balancing algorithm to be used in a backend.
1692 May be used in sections : defaults | frontend | listen | backend
1693 yes | no | yes | yes
1694 Arguments :
1695 <algorithm> is the algorithm used to select a server when doing load
1696 balancing. This only applies when no persistence information
1697 is available, or when a connection is redispatched to another
1698 server. <algorithm> may be one of the following :
1699
1700 roundrobin Each server is used in turns, according to their weights.
1701 This is the smoothest and fairest algorithm when the server's
1702 processing time remains equally distributed. This algorithm
1703 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001704 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08001705 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02001706 large farms, when a server becomes up after having been down
1707 for a very short time, it may sometimes take a few hundreds
1708 requests for it to be re-integrated into the farm and start
1709 receiving traffic. This is normal, though very rare. It is
1710 indicated here in case you would have the chance to observe
1711 it, so that you don't worry.
1712
1713 static-rr Each server is used in turns, according to their weights.
1714 This algorithm is as similar to roundrobin except that it is
1715 static, which means that changing a server's weight on the
1716 fly will have no effect. On the other hand, it has no design
1717 limitation on the number of servers, and when a server goes
1718 up, it is always immediately reintroduced into the farm, once
1719 the full map is recomputed. It also uses slightly less CPU to
1720 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001721
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001722 leastconn The server with the lowest number of connections receives the
1723 connection. Round-robin is performed within groups of servers
1724 of the same load to ensure that all servers will be used. Use
1725 of this algorithm is recommended where very long sessions are
1726 expected, such as LDAP, SQL, TSE, etc... but is not very well
1727 suited for protocols using short sessions such as HTTP. This
1728 algorithm is dynamic, which means that server weights may be
1729 adjusted on the fly for slow starts for instance.
1730
Willy Tarreauf09c6602012-02-13 17:12:08 +01001731 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001732 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01001733 identifier to the highest (see server parameter "id"), which
1734 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001735 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001736 not make sense to use this algorithm without setting maxconn.
1737 The purpose of this algorithm is to always use the smallest
1738 number of servers so that extra servers can be powered off
1739 during non-intensive hours. This algorithm ignores the server
1740 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001741 or IMAP than HTTP, though it can be useful there too. In
1742 order to use this algorithm efficiently, it is recommended
1743 that a cloud controller regularly checks server usage to turn
1744 them off when unused, and regularly checks backend queue to
1745 turn new servers on when the queue inflates. Alternatively,
1746 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001747
Willy Tarreau0ba27502007-12-24 16:55:16 +01001748 source The source IP address is hashed and divided by the total
1749 weight of the running servers to designate which server will
1750 receive the request. This ensures that the same client IP
1751 address will always reach the same server as long as no
1752 server goes down or up. If the hash result changes due to the
1753 number of running servers changing, many clients will be
1754 directed to a different server. This algorithm is generally
1755 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001756 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001757 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001758 static by default, which means that changing a server's
1759 weight on the fly will have no effect, but this can be
1760 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001761
Oskar Stolc8dc41842012-05-19 10:19:54 +01001762 uri This algorithm hashes either the left part of the URI (before
1763 the question mark) or the whole URI (if the "whole" parameter
1764 is present) and divides the hash value by the total weight of
1765 the running servers. The result designates which server will
1766 receive the request. This ensures that the same URI will
1767 always be directed to the same server as long as no server
1768 goes up or down. This is used with proxy caches and
1769 anti-virus proxies in order to maximize the cache hit rate.
1770 Note that this algorithm may only be used in an HTTP backend.
1771 This algorithm is static by default, which means that
1772 changing a server's weight on the fly will have no effect,
1773 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001774
Oskar Stolc8dc41842012-05-19 10:19:54 +01001775 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001776 "depth", both followed by a positive integer number. These
1777 options may be helpful when it is needed to balance servers
1778 based on the beginning of the URI only. The "len" parameter
1779 indicates that the algorithm should only consider that many
1780 characters at the beginning of the URI to compute the hash.
1781 Note that having "len" set to 1 rarely makes sense since most
1782 URIs start with a leading "/".
1783
1784 The "depth" parameter indicates the maximum directory depth
1785 to be used to compute the hash. One level is counted for each
1786 slash in the request. If both parameters are specified, the
1787 evaluation stops when either is reached.
1788
Willy Tarreau0ba27502007-12-24 16:55:16 +01001789 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001790 the query string of each HTTP GET request.
1791
1792 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001793 request entity will be searched for the parameter argument,
1794 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02001795 ('?') in the URL. The message body will only start to be
1796 analyzed once either the advertised amount of data has been
1797 received or the request buffer is full. In the unlikely event
1798 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02001799 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02001800 be randomly balanced if at all. This keyword used to support
1801 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001802
1803 If the parameter is found followed by an equal sign ('=') and
1804 a value, then the value is hashed and divided by the total
1805 weight of the running servers. The result designates which
1806 server will receive the request.
1807
1808 This is used to track user identifiers in requests and ensure
1809 that a same user ID will always be sent to the same server as
1810 long as no server goes up or down. If no value is found or if
1811 the parameter is not found, then a round robin algorithm is
1812 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001813 backend. This algorithm is static by default, which means
1814 that changing a server's weight on the fly will have no
1815 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001816
Cyril Bontédc4d9032012-04-08 21:57:39 +02001817 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1818 request. Just as with the equivalent ACL 'hdr()' function,
1819 the header name in parenthesis is not case sensitive. If the
1820 header is absent or if it does not contain any value, the
1821 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001822
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001823 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001824 reducing the hash algorithm to the main domain part with some
1825 specific headers such as 'Host'. For instance, in the Host
1826 value "haproxy.1wt.eu", only "1wt" will be considered.
1827
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001828 This algorithm is static by default, which means that
1829 changing a server's weight on the fly will have no effect,
1830 but this can be changed using "hash-type".
1831
Emeric Brun736aa232009-06-30 17:56:00 +02001832 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001833 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001834 The RDP cookie <name> (or "mstshash" if omitted) will be
1835 looked up and hashed for each incoming TCP request. Just as
1836 with the equivalent ACL 'req_rdp_cookie()' function, the name
1837 is not case-sensitive. This mechanism is useful as a degraded
1838 persistence mode, as it makes it possible to always send the
1839 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001840 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001841 used instead.
1842
1843 Note that for this to work, the frontend must ensure that an
1844 RDP cookie is already present in the request buffer. For this
1845 you must use 'tcp-request content accept' rule combined with
1846 a 'req_rdp_cookie_cnt' ACL.
1847
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001848 This algorithm is static by default, which means that
1849 changing a server's weight on the fly will have no effect,
1850 but this can be changed using "hash-type".
1851
Cyril Bontédc4d9032012-04-08 21:57:39 +02001852 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001853
Willy Tarreau0ba27502007-12-24 16:55:16 +01001854 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001855 algorithms. Right now, only "url_param" and "uri" support an
1856 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001857
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001858 The load balancing algorithm of a backend is set to roundrobin when no other
1859 algorithm, mode nor option have been set. The algorithm may only be set once
1860 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001861
1862 Examples :
1863 balance roundrobin
1864 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001865 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001866 balance hdr(User-Agent)
1867 balance hdr(host)
1868 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001869
1870 Note: the following caveats and limitations on using the "check_post"
1871 extension with "url_param" must be considered :
1872
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001873 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001874 to determine if the parameters will be found in the body or entity which
1875 may contain binary data. Therefore another method may be required to
1876 restrict consideration of POST requests that have no URL parameters in
1877 the body. (see acl reqideny http_end)
1878
1879 - using a <max_wait> value larger than the request buffer size does not
1880 make sense and is useless. The buffer size is set at build time, and
1881 defaults to 16 kB.
1882
1883 - Content-Encoding is not supported, the parameter search will probably
1884 fail; and load balancing will fall back to Round Robin.
1885
1886 - Expect: 100-continue is not supported, load balancing will fall back to
1887 Round Robin.
1888
1889 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1890 If the entire parameter value is not present in the first chunk, the
1891 selection of server is undefined (actually, defined by how little
1892 actually appeared in the first chunk).
1893
1894 - This feature does not support generation of a 100, 411 or 501 response.
1895
1896 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001897 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001898 white space or control characters are found, indicating the end of what
1899 might be a URL parameter list. This is probably not a concern with SGML
1900 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001901
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001902 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1903 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001904
1905
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001906bind [<address>]:<port_range> [, ...] [param*]
1907bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001908 Define one or several listening addresses and/or ports in a frontend.
1909 May be used in sections : defaults | frontend | listen | backend
1910 no | yes | yes | no
1911 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001912 <address> is optional and can be a host name, an IPv4 address, an IPv6
1913 address, or '*'. It designates the address the frontend will
1914 listen on. If unset, all IPv4 addresses of the system will be
1915 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001916 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01001917 Optionally, an address family prefix may be used before the
1918 address to force the family regardless of the address format,
1919 which can be useful to specify a path to a unix socket with
1920 no slash ('/'). Currently supported prefixes are :
1921 - 'ipv4@' -> address is always IPv4
1922 - 'ipv6@' -> address is always IPv6
1923 - 'unix@' -> address is a path to a local unix socket
Willy Tarreau70f72e02014-07-08 00:37:50 +02001924 - 'abns@' -> address is in abstract namespace (Linux only).
1925 Note: since abstract sockets are not "rebindable", they
1926 do not cope well with multi-process mode during
1927 soft-restart, so it is better to avoid them if
1928 nbproc is greater than 1. The effect is that if the
1929 new process fails to start, only one of the old ones
1930 will be able to rebind to the socket.
Willy Tarreau40aa0702013-03-10 23:51:38 +01001931 - 'fd@<n>' -> use file descriptor <n> inherited from the
1932 parent. The fd must be bound and may or may not already
1933 be listening.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001934 Any part of the address string may reference any number of
1935 environment variables by preceding their name with a dollar
1936 sign ('$') and optionally enclosing them with braces ('{}'),
1937 similarly to what is done in Bourne shell.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001938
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001939 <port_range> is either a unique TCP port, or a port range for which the
1940 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001941 above. The port is mandatory for TCP listeners. Note that in
1942 the case of an IPv6 address, the port is always the number
1943 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001944 - a numerical port (ex: '80')
1945 - a dash-delimited ports range explicitly stating the lower
1946 and upper bounds (ex: '2000-2100') which are included in
1947 the range.
1948
1949 Particular care must be taken against port ranges, because
1950 every <address:port> couple consumes one socket (= a file
1951 descriptor), so it's easy to consume lots of descriptors
1952 with a simple range, and to run out of sockets. Also, each
1953 <address:port> couple must be used only once among all
1954 instances running on a same system. Please note that binding
1955 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001956 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001957 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001958
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001959 <path> is a UNIX socket path beginning with a slash ('/'). This is
1960 alternative to the TCP listening port. Haproxy will then
1961 receive UNIX connections on the socket located at this place.
1962 The path must begin with a slash and by default is absolute.
1963 It can be relative to the prefix defined by "unix-bind" in
1964 the global section. Note that the total length of the prefix
1965 followed by the socket path cannot exceed some system limits
1966 for UNIX sockets, which commonly are set to 107 characters.
1967
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001968 <param*> is a list of parameters common to all sockets declared on the
1969 same line. These numerous parameters depend on OS and build
1970 options and have a complete section dedicated to them. Please
1971 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001972
Willy Tarreau0ba27502007-12-24 16:55:16 +01001973 It is possible to specify a list of address:port combinations delimited by
1974 commas. The frontend will then listen on all of these addresses. There is no
1975 fixed limit to the number of addresses and ports which can be listened on in
1976 a frontend, as well as there is no limit to the number of "bind" statements
1977 in a frontend.
1978
1979 Example :
1980 listen http_proxy
1981 bind :80,:443
1982 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001983 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001984
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001985 listen http_https_proxy
1986 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02001987 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001988
Willy Tarreau24709282013-03-10 21:32:12 +01001989 listen http_https_proxy_explicit
1990 bind ipv6@:80
1991 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
1992 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
1993
Willy Tarreaudad36a32013-03-11 01:20:04 +01001994 listen external_bind_app1
1995 bind fd@${FD_APP1}
1996
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001997 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001998 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001999
2000
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002001bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002002 Limit visibility of an instance to a certain set of processes numbers.
2003 May be used in sections : defaults | frontend | listen | backend
2004 yes | yes | yes | yes
2005 Arguments :
2006 all All process will see this instance. This is the default. It
2007 may be used to override a default value.
2008
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002009 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002010 option may be combined with other numbers.
2011
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002012 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002013 option may be combined with other numbers. Do not use it
2014 with less than 2 processes otherwise some instances might be
2015 missing from all processes.
2016
Willy Tarreau110ecc12012-11-15 17:50:01 +01002017 number The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002018 whose values must all be between 1 and 32 or 64 depending on
Willy Tarreau102df612014-05-07 23:56:38 +02002019 the machine's word size. If a proxy is bound to process
2020 numbers greater than the configured global.nbproc, it will
2021 either be forced to process #1 if a single process was
2022 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002023
2024 This keyword limits binding of certain instances to certain processes. This
2025 is useful in order not to have too many processes listening to the same
2026 ports. For instance, on a dual-core machine, it might make sense to set
2027 'nbproc 2' in the global section, then distributes the listeners among 'odd'
2028 and 'even' instances.
2029
Willy Tarreaua9db57e2013-01-18 11:29:29 +01002030 At the moment, it is not possible to reference more than 32 or 64 processes
2031 using this keyword, but this should be more than enough for most setups.
2032 Please note that 'all' really means all processes regardless of the machine's
2033 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002034
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02002035 Each "bind" line may further be limited to a subset of the proxy's processes,
2036 please consult the "process" bind keyword in section 5.1.
2037
Willy Tarreaub369a042014-09-16 13:21:03 +02002038 When a frontend has no explicit "bind-process" line, it tries to bind to all
2039 the processes referenced by its "bind" lines. That means that frontends can
2040 easily adapt to their listeners' processes.
2041
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002042 If some backends are referenced by frontends bound to other processes, the
2043 backend automatically inherits the frontend's processes.
2044
2045 Example :
2046 listen app_ip1
2047 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002048 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002049
2050 listen app_ip2
2051 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002052 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002053
2054 listen management
2055 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02002056 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002057
Willy Tarreau110ecc12012-11-15 17:50:01 +01002058 listen management
2059 bind 10.0.0.4:80
2060 bind-process 1-4
2061
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02002062 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01002063
2064
Willy Tarreau0ba27502007-12-24 16:55:16 +01002065block { if | unless } <condition>
2066 Block a layer 7 request if/unless a condition is matched
2067 May be used in sections : defaults | frontend | listen | backend
2068 no | yes | yes | yes
2069
2070 The HTTP request will be blocked very early in the layer 7 processing
2071 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002072 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02002073 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01002074 conditions are met or not met. There is no fixed limit to the number of
2075 "block" statements per instance.
2076
2077 Example:
2078 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
2079 acl invalid_src src_port 0:1023
2080 acl local_dst hdr(host) -i localhost
2081 block if invalid_src || local_dst
2082
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002083 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002084
2085
2086capture cookie <name> len <length>
2087 Capture and log a cookie in the request and in the response.
2088 May be used in sections : defaults | frontend | listen | backend
2089 no | yes | yes | no
2090 Arguments :
2091 <name> is the beginning of the name of the cookie to capture. In order
2092 to match the exact name, simply suffix the name with an equal
2093 sign ('='). The full name will appear in the logs, which is
2094 useful with application servers which adjust both the cookie name
2095 and value (eg: ASPSESSIONXXXXX).
2096
2097 <length> is the maximum number of characters to report in the logs, which
2098 include the cookie name, the equal sign and the value, all in the
2099 standard "name=value" form. The string will be truncated on the
2100 right if it exceeds <length>.
2101
2102 Only the first cookie is captured. Both the "cookie" request headers and the
2103 "set-cookie" response headers are monitored. This is particularly useful to
2104 check for application bugs causing session crossing or stealing between
2105 users, because generally the user's cookies can only change on a login page.
2106
2107 When the cookie was not presented by the client, the associated log column
2108 will report "-". When a request does not cause a cookie to be assigned by the
2109 server, a "-" is reported in the response column.
2110
2111 The capture is performed in the frontend only because it is necessary that
2112 the log format does not change for a given frontend depending on the
2113 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01002114 "capture cookie" statement in a frontend. The maximum capture length is set
2115 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
2116 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002117
2118 Example:
2119 capture cookie ASPSESSION len 32
2120
2121 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002122 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002123
2124
2125capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002126 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002127 May be used in sections : defaults | frontend | listen | backend
2128 no | yes | yes | no
2129 Arguments :
2130 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002131 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002132 appear in the requests, with the first letter of each word in
2133 upper case. The header name will not appear in the logs, only the
2134 value is reported, but the position in the logs is respected.
2135
2136 <length> is the maximum number of characters to extract from the value and
2137 report in the logs. The string will be truncated on the right if
2138 it exceeds <length>.
2139
Willy Tarreau4460d032012-11-21 23:37:37 +01002140 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002141 value will be added to the logs between braces ('{}'). If multiple headers
2142 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002143 in the same order they were declared in the configuration. Non-existent
2144 headers will be logged just as an empty string. Common uses for request
2145 header captures include the "Host" field in virtual hosting environments, the
2146 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002147 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002148 environments to find where the request came from.
2149
2150 Note that when capturing headers such as "User-agent", some spaces may be
2151 logged, making the log analysis more difficult. Thus be careful about what
2152 you log if you know your log parser is not smart enough to rely on the
2153 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002154
Willy Tarreau0900abb2012-11-22 00:21:46 +01002155 There is no limit to the number of captured request headers nor to their
2156 length, though it is wise to keep them low to limit memory usage per session.
2157 In order to keep log format consistent for a same frontend, header captures
2158 can only be declared in a frontend. It is not possible to specify a capture
2159 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002160
2161 Example:
2162 capture request header Host len 15
2163 capture request header X-Forwarded-For len 15
2164 capture request header Referrer len 15
2165
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002166 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002167 about logging.
2168
2169
2170capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002171 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002172 May be used in sections : defaults | frontend | listen | backend
2173 no | yes | yes | no
2174 Arguments :
2175 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002176 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002177 appear in the response, with the first letter of each word in
2178 upper case. The header name will not appear in the logs, only the
2179 value is reported, but the position in the logs is respected.
2180
2181 <length> is the maximum number of characters to extract from the value and
2182 report in the logs. The string will be truncated on the right if
2183 it exceeds <length>.
2184
Willy Tarreau4460d032012-11-21 23:37:37 +01002185 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002186 result will be added to the logs between braces ('{}') after the captured
2187 request headers. If multiple headers are captured, they will be delimited by
2188 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002189 the configuration. Non-existent headers will be logged just as an empty
2190 string. Common uses for response header captures include the "Content-length"
2191 header which indicates how many bytes are expected to be returned, the
2192 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002193
Willy Tarreau0900abb2012-11-22 00:21:46 +01002194 There is no limit to the number of captured response headers nor to their
2195 length, though it is wise to keep them low to limit memory usage per session.
2196 In order to keep log format consistent for a same frontend, header captures
2197 can only be declared in a frontend. It is not possible to specify a capture
2198 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002199
2200 Example:
2201 capture response header Content-length len 9
2202 capture response header Location len 15
2203
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002204 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002205 about logging.
2206
2207
Cyril Bontéf0c60612010-02-06 14:44:47 +01002208clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002209 Set the maximum inactivity time on the client side.
2210 May be used in sections : defaults | frontend | listen | backend
2211 yes | yes | yes | no
2212 Arguments :
2213 <timeout> is the timeout value is specified in milliseconds by default, but
2214 can be in any other unit if the number is suffixed by the unit,
2215 as explained at the top of this document.
2216
2217 The inactivity timeout applies when the client is expected to acknowledge or
2218 send data. In HTTP mode, this timeout is particularly important to consider
2219 during the first phase, when the client sends the request, and during the
2220 response while it is reading data sent by the server. The value is specified
2221 in milliseconds by default, but can be in any other unit if the number is
2222 suffixed by the unit, as specified at the top of this document. In TCP mode
2223 (and to a lesser extent, in HTTP mode), it is highly recommended that the
2224 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002225 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01002226 losses by specifying timeouts that are slightly above multiples of 3 seconds
2227 (eg: 4 or 5 seconds).
2228
2229 This parameter is specific to frontends, but can be specified once for all in
2230 "defaults" sections. This is in fact one of the easiest solutions not to
2231 forget about it. An unspecified timeout results in an infinite timeout, which
2232 is not recommended. Such a usage is accepted and works but reports a warning
2233 during startup because it may results in accumulation of expired sessions in
2234 the system if the system's timeouts are not configured either.
2235
2236 This parameter is provided for compatibility but is currently deprecated.
2237 Please use "timeout client" instead.
2238
Willy Tarreau036fae02008-01-06 13:24:40 +01002239 See also : "timeout client", "timeout http-request", "timeout server", and
2240 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002241
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002242compression algo <algorithm> ...
2243compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02002244compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02002245 Enable HTTP compression.
2246 May be used in sections : defaults | frontend | listen | backend
2247 yes | yes | yes | yes
2248 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002249 algo is followed by the list of supported compression algorithms.
2250 type is followed by the list of MIME types that will be compressed.
2251 offload makes haproxy work as a compression offloader only (see notes).
2252
2253 The currently supported algorithms are :
Willy Tarreauc91840a2015-03-28 17:00:39 +01002254 identity this is mostly for debugging, and it was useful for developing
2255 the compression feature. Identity does not apply any change on
2256 data.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002257
Willy Tarreauc91840a2015-03-28 17:00:39 +01002258 gzip applies gzip compression. This setting is only available when
2259 support for zlib was built in.
2260
2261 deflate same as "gzip", but with deflate algorithm and zlib format.
2262 Note that this algorithm has ambiguous support on many
2263 browsers and no support at all from recent ones. It is
2264 strongly recommended not to use it for anything else than
2265 experimentation. This setting is only available when support
2266 for zlib was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002267
Willy Tarreauc91840a2015-03-28 17:00:39 +01002268 raw-deflate same as "deflate" without the zlib wrapper, and used as an
2269 alternative when the browser wants "deflate". All major
2270 browsers understand it and despite violating the standards,
2271 it is known to work better than "deflate", at least on MSIE
2272 and some versions of Safari. Do not use it in conjunction
2273 with "deflate", use either one or the other since both react
2274 to the same Accept-Encoding token. This setting is only
2275 available when support for zlib was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002276
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002277 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002278 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002279 If backend servers support HTTP compression, these directives
2280 will be no-op: haproxy will see the compressed response and will not
2281 compress again. If backend servers do not support HTTP compression and
2282 there is Accept-Encoding header in request, haproxy will compress the
2283 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02002284
2285 The "offload" setting makes haproxy remove the Accept-Encoding header to
2286 prevent backend servers from compressing responses. It is strongly
2287 recommended not to do this because this means that all the compression work
2288 will be done on the single point where haproxy is located. However in some
2289 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002290 with broken HTTP compression implementation which can't be turned off.
2291 In that case haproxy can be used to prevent that gateway from emitting
2292 invalid payloads. In this case, simply removing the header in the
2293 configuration does not work because it applies before the header is parsed,
2294 so that prevents haproxy from compressing. The "offload" setting should
Willy Tarreauffea9fd2014-07-12 16:37:02 +02002295 then be used for such scenarios. Note: for now, the "offload" setting is
2296 ignored when set in a defaults section.
William Lallemand82fe75c2012-10-23 10:25:10 +02002297
William Lallemand05097442012-11-20 12:14:28 +01002298 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002299 * the request does not advertise a supported compression algorithm in the
2300 "Accept-Encoding" header
2301 * the response message is not HTTP/1.1
William Lallemandd3002612012-11-26 14:34:47 +01002302 * HTTP status code is not 200
William Lallemand8bb4e342013-12-10 17:28:48 +01002303 * response header "Transfer-Encoding" contains "chunked" (Temporary
2304 Workaround)
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002305 * response contain neither a "Content-Length" header nor a
2306 "Transfer-Encoding" whose last value is "chunked"
2307 * response contains a "Content-Type" header whose first value starts with
2308 "multipart"
2309 * the response contains the "no-transform" value in the "Cache-control"
2310 header
2311 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
2312 and later
2313 * The response contains a "Content-Encoding" header, indicating that the
2314 response is already compressed (see compression offload)
William Lallemand05097442012-11-20 12:14:28 +01002315
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002316 Note: The compression does not rewrite Etag headers, and does not emit the
2317 Warning header.
William Lallemand05097442012-11-20 12:14:28 +01002318
William Lallemand82fe75c2012-10-23 10:25:10 +02002319 Examples :
2320 compression algo gzip
2321 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01002322
Cyril Bontéf0c60612010-02-06 14:44:47 +01002323contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002324 Set the maximum time to wait for a connection attempt to a server to succeed.
2325 May be used in sections : defaults | frontend | listen | backend
2326 yes | no | yes | yes
2327 Arguments :
2328 <timeout> is the timeout value is specified in milliseconds by default, but
2329 can be in any other unit if the number is suffixed by the unit,
2330 as explained at the top of this document.
2331
2332 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002333 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01002334 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01002335 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
2336 connect timeout also presets the queue timeout to the same value if this one
2337 has not been specified. Historically, the contimeout was also used to set the
2338 tarpit timeout in a listen section, which is not possible in a pure frontend.
2339
2340 This parameter is specific to backends, but can be specified once for all in
2341 "defaults" sections. This is in fact one of the easiest solutions not to
2342 forget about it. An unspecified timeout results in an infinite timeout, which
2343 is not recommended. Such a usage is accepted and works but reports a warning
2344 during startup because it may results in accumulation of failed sessions in
2345 the system if the system's timeouts are not configured either.
2346
2347 This parameter is provided for backwards compatibility but is currently
2348 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
2349 instead.
2350
2351 See also : "timeout connect", "timeout queue", "timeout tarpit",
2352 "timeout server", "contimeout".
2353
2354
Willy Tarreau55165fe2009-05-10 12:02:55 +02002355cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02002356 [ postonly ] [ preserve ] [ httponly ] [ secure ]
2357 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01002358 Enable cookie-based persistence in a backend.
2359 May be used in sections : defaults | frontend | listen | backend
2360 yes | no | yes | yes
2361 Arguments :
2362 <name> is the name of the cookie which will be monitored, modified or
2363 inserted in order to bring persistence. This cookie is sent to
2364 the client via a "Set-Cookie" header in the response, and is
2365 brought back by the client in a "Cookie" header in all requests.
2366 Special care should be taken to choose a name which does not
2367 conflict with any likely application cookie. Also, if the same
2368 backends are subject to be used by the same clients (eg:
2369 HTTP/HTTPS), care should be taken to use different cookie names
2370 between all backends if persistence between them is not desired.
2371
2372 rewrite This keyword indicates that the cookie will be provided by the
2373 server and that haproxy will have to modify its value to set the
2374 server's identifier in it. This mode is handy when the management
2375 of complex combinations of "Set-cookie" and "Cache-control"
2376 headers is left to the application. The application can then
2377 decide whether or not it is appropriate to emit a persistence
2378 cookie. Since all responses should be monitored, this mode only
2379 works in HTTP close mode. Unless the application behaviour is
2380 very complex and/or broken, it is advised not to start with this
2381 mode for new deployments. This keyword is incompatible with
2382 "insert" and "prefix".
2383
2384 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02002385 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002386
Willy Tarreaua79094d2010-08-31 22:54:15 +02002387 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002388 server. When used without the "preserve" option, if the server
2389 emits a cookie with the same name, it will be remove before
2390 processing. For this reason, this mode can be used to upgrade
2391 existing configurations running in the "rewrite" mode. The cookie
2392 will only be a session cookie and will not be stored on the
2393 client's disk. By default, unless the "indirect" option is added,
2394 the server will see the cookies emitted by the client. Due to
2395 caching effects, it is generally wise to add the "nocache" or
2396 "postonly" keywords (see below). The "insert" keyword is not
2397 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002398
2399 prefix This keyword indicates that instead of relying on a dedicated
2400 cookie for the persistence, an existing one will be completed.
2401 This may be needed in some specific environments where the client
2402 does not support more than one single cookie and the application
2403 already needs it. In this case, whenever the server sets a cookie
2404 named <name>, it will be prefixed with the server's identifier
2405 and a delimiter. The prefix will be removed from all client
2406 requests so that the server still finds the cookie it emitted.
2407 Since all requests and responses are subject to being modified,
2408 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02002409 not compatible with "rewrite" and "insert". Note: it is highly
2410 recommended not to use "indirect" with "prefix", otherwise server
2411 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002412
Willy Tarreaua79094d2010-08-31 22:54:15 +02002413 indirect When this option is specified, no cookie will be emitted to a
2414 client which already has a valid one for the server which has
2415 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002416 it will be removed, unless the "preserve" option is also set. In
2417 "insert" mode, this will additionally remove cookies from the
2418 requests transmitted to the server, making the persistence
2419 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02002420 Note: it is highly recommended not to use "indirect" with
2421 "prefix", otherwise server cookie updates would not be sent to
2422 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002423
2424 nocache This option is recommended in conjunction with the insert mode
2425 when there is a cache between the client and HAProxy, as it
2426 ensures that a cacheable response will be tagged non-cacheable if
2427 a cookie needs to be inserted. This is important because if all
2428 persistence cookies are added on a cacheable home page for
2429 instance, then all customers will then fetch the page from an
2430 outer cache and will all share the same persistence cookie,
2431 leading to one server receiving much more traffic than others.
2432 See also the "insert" and "postonly" options.
2433
2434 postonly This option ensures that cookie insertion will only be performed
2435 on responses to POST requests. It is an alternative to the
2436 "nocache" option, because POST responses are not cacheable, so
2437 this ensures that the persistence cookie will never get cached.
2438 Since most sites do not need any sort of persistence before the
2439 first POST which generally is a login request, this is a very
2440 efficient method to optimize caching without risking to find a
2441 persistence cookie in the cache.
2442 See also the "insert" and "nocache" options.
2443
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002444 preserve This option may only be used with "insert" and/or "indirect". It
2445 allows the server to emit the persistence cookie itself. In this
2446 case, if a cookie is found in the response, haproxy will leave it
2447 untouched. This is useful in order to end persistence after a
2448 logout request for instance. For this, the server just has to
2449 emit a cookie with an invalid value (eg: empty) or with a date in
2450 the past. By combining this mechanism with the "disable-on-404"
2451 check option, it is possible to perform a completely graceful
2452 shutdown because users will definitely leave the server after
2453 they logout.
2454
Willy Tarreau4992dd22012-05-31 21:02:17 +02002455 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
2456 when a cookie is inserted. This attribute is used so that a
2457 user agent doesn't share the cookie with non-HTTP components.
2458 Please check RFC6265 for more information on this attribute.
2459
2460 secure This option tells haproxy to add a "Secure" cookie attribute when
2461 a cookie is inserted. This attribute is used so that a user agent
2462 never emits this cookie over non-secure channels, which means
2463 that a cookie learned with this flag will be presented only over
2464 SSL/TLS connections. Please check RFC6265 for more information on
2465 this attribute.
2466
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002467 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002468 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002469 name. If the domain begins with a dot, the browser is allowed to
2470 use it for any host ending with that name. It is also possible to
2471 specify several domain names by invoking this option multiple
2472 times. Some browsers might have small limits on the number of
2473 domains, so be careful when doing that. For the record, sending
2474 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002475
Willy Tarreau996a92c2010-10-13 19:30:47 +02002476 maxidle This option allows inserted cookies to be ignored after some idle
2477 time. It only works with insert-mode cookies. When a cookie is
2478 sent to the client, the date this cookie was emitted is sent too.
2479 Upon further presentations of this cookie, if the date is older
2480 than the delay indicated by the parameter (in seconds), it will
2481 be ignored. Otherwise, it will be refreshed if needed when the
2482 response is sent to the client. This is particularly useful to
2483 prevent users who never close their browsers from remaining for
2484 too long on the same server (eg: after a farm size change). When
2485 this option is set and a cookie has no date, it is always
2486 accepted, but gets refreshed in the response. This maintains the
2487 ability for admins to access their sites. Cookies that have a
2488 date in the future further than 24 hours are ignored. Doing so
2489 lets admins fix timezone issues without risking kicking users off
2490 the site.
2491
2492 maxlife This option allows inserted cookies to be ignored after some life
2493 time, whether they're in use or not. It only works with insert
2494 mode cookies. When a cookie is first sent to the client, the date
2495 this cookie was emitted is sent too. Upon further presentations
2496 of this cookie, if the date is older than the delay indicated by
2497 the parameter (in seconds), it will be ignored. If the cookie in
2498 the request has no date, it is accepted and a date will be set.
2499 Cookies that have a date in the future further than 24 hours are
2500 ignored. Doing so lets admins fix timezone issues without risking
2501 kicking users off the site. Contrary to maxidle, this value is
2502 not refreshed, only the first visit date counts. Both maxidle and
2503 maxlife may be used at the time. This is particularly useful to
2504 prevent users who never close their browsers from remaining for
2505 too long on the same server (eg: after a farm size change). This
2506 is stronger than the maxidle method in that it forces a
2507 redispatch after some absolute delay.
2508
Willy Tarreau0ba27502007-12-24 16:55:16 +01002509 There can be only one persistence cookie per HTTP backend, and it can be
2510 declared in a defaults section. The value of the cookie will be the value
2511 indicated after the "cookie" keyword in a "server" statement. If no cookie
2512 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002513
Willy Tarreau0ba27502007-12-24 16:55:16 +01002514 Examples :
2515 cookie JSESSIONID prefix
2516 cookie SRV insert indirect nocache
2517 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002518 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002519
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002520 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002521 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002522
Willy Tarreau983e01e2010-01-11 18:42:06 +01002523
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002524default-server [param*]
2525 Change default options for a server in a backend
2526 May be used in sections : defaults | frontend | listen | backend
2527 yes | no | yes | yes
2528 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002529 <param*> is a list of parameters for this server. The "default-server"
2530 keyword accepts an important number of options and has a complete
2531 section dedicated to it. Please refer to section 5 for more
2532 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002533
Willy Tarreau983e01e2010-01-11 18:42:06 +01002534 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002535 default-server inter 1000 weight 13
2536
2537 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002538
Willy Tarreau983e01e2010-01-11 18:42:06 +01002539
Willy Tarreau0ba27502007-12-24 16:55:16 +01002540default_backend <backend>
2541 Specify the backend to use when no "use_backend" rule has been matched.
2542 May be used in sections : defaults | frontend | listen | backend
2543 yes | yes | yes | no
2544 Arguments :
2545 <backend> is the name of the backend to use.
2546
2547 When doing content-switching between frontend and backends using the
2548 "use_backend" keyword, it is often useful to indicate which backend will be
2549 used when no rule has matched. It generally is the dynamic backend which
2550 will catch all undetermined requests.
2551
Willy Tarreau0ba27502007-12-24 16:55:16 +01002552 Example :
2553
2554 use_backend dynamic if url_dyn
2555 use_backend static if url_css url_img extension_img
2556 default_backend dynamic
2557
Willy Tarreau2769aa02007-12-27 18:26:09 +01002558 See also : "use_backend", "reqsetbe", "reqisetbe"
2559
Willy Tarreau0ba27502007-12-24 16:55:16 +01002560
Baptiste Assmann27f51342013-10-09 06:51:49 +02002561description <string>
2562 Describe a listen, frontend or backend.
2563 May be used in sections : defaults | frontend | listen | backend
2564 no | yes | yes | yes
2565 Arguments : string
2566
2567 Allows to add a sentence to describe the related object in the HAProxy HTML
2568 stats page. The description will be printed on the right of the object name
2569 it describes.
2570 No need to backslash spaces in the <string> arguments.
2571
2572
Willy Tarreau0ba27502007-12-24 16:55:16 +01002573disabled
2574 Disable a proxy, frontend or backend.
2575 May be used in sections : defaults | frontend | listen | backend
2576 yes | yes | yes | yes
2577 Arguments : none
2578
2579 The "disabled" keyword is used to disable an instance, mainly in order to
2580 liberate a listening port or to temporarily disable a service. The instance
2581 will still be created and its configuration will be checked, but it will be
2582 created in the "stopped" state and will appear as such in the statistics. It
2583 will not receive any traffic nor will it send any health-checks or logs. It
2584 is possible to disable many instances at once by adding the "disabled"
2585 keyword in a "defaults" section.
2586
2587 See also : "enabled"
2588
2589
Willy Tarreau5ce94572010-06-07 14:35:41 +02002590dispatch <address>:<port>
2591 Set a default server address
2592 May be used in sections : defaults | frontend | listen | backend
2593 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002594 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002595
2596 <address> is the IPv4 address of the default server. Alternatively, a
2597 resolvable hostname is supported, but this name will be resolved
2598 during start-up.
2599
2600 <ports> is a mandatory port specification. All connections will be sent
2601 to this port, and it is not permitted to use port offsets as is
2602 possible with normal servers.
2603
Willy Tarreau787aed52011-04-15 06:45:37 +02002604 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002605 server can take the connection. In the past it was used to forward non
2606 persistent connections to an auxiliary load balancer. Due to its simple
2607 syntax, it has also been used for simple TCP relays. It is recommended not to
2608 use it for more clarity, and to use the "server" directive instead.
2609
2610 See also : "server"
2611
2612
Willy Tarreau0ba27502007-12-24 16:55:16 +01002613enabled
2614 Enable a proxy, frontend or backend.
2615 May be used in sections : defaults | frontend | listen | backend
2616 yes | yes | yes | yes
2617 Arguments : none
2618
2619 The "enabled" keyword is used to explicitly enable an instance, when the
2620 defaults has been set to "disabled". This is very rarely used.
2621
2622 See also : "disabled"
2623
2624
2625errorfile <code> <file>
2626 Return a file contents instead of errors generated by HAProxy
2627 May be used in sections : defaults | frontend | listen | backend
2628 yes | yes | yes | yes
2629 Arguments :
2630 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002631 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002632
2633 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002634 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002635 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002636 error pages, and to use absolute paths, since files are read
2637 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002638
2639 It is important to understand that this keyword is not meant to rewrite
2640 errors returned by the server, but errors detected and returned by HAProxy.
2641 This is why the list of supported errors is limited to a small set.
2642
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002643 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2644
Willy Tarreau0ba27502007-12-24 16:55:16 +01002645 The files are returned verbatim on the TCP socket. This allows any trick such
2646 as redirections to another URL or site, as well as tricks to clean cookies,
2647 force enable or disable caching, etc... The package provides default error
2648 files returning the same contents as default errors.
2649
Willy Tarreau59140a22009-02-22 12:02:30 +01002650 The files should not exceed the configured buffer size (BUFSIZE), which
2651 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2652 not to put any reference to local contents (eg: images) in order to avoid
2653 loops between the client and HAProxy when all servers are down, causing an
2654 error to be returned instead of an image. For better HTTP compliance, it is
2655 recommended that all header lines end with CR-LF and not LF alone.
2656
Willy Tarreau0ba27502007-12-24 16:55:16 +01002657 The files are read at the same time as the configuration and kept in memory.
2658 For this reason, the errors continue to be returned even when the process is
2659 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002660 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002661 403 status code and interrogating a blocked URL.
2662
2663 See also : "errorloc", "errorloc302", "errorloc303"
2664
Willy Tarreau59140a22009-02-22 12:02:30 +01002665 Example :
2666 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau2705a612014-05-23 17:38:34 +02002667 errorfile 408 /dev/null # workaround Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01002668 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2669 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2670
Willy Tarreau2769aa02007-12-27 18:26:09 +01002671
2672errorloc <code> <url>
2673errorloc302 <code> <url>
2674 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2675 May be used in sections : defaults | frontend | listen | backend
2676 yes | yes | yes | yes
2677 Arguments :
2678 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002679 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002680
2681 <url> it is the exact contents of the "Location" header. It may contain
2682 either a relative URI to an error page hosted on the same site,
2683 or an absolute URI designating an error page on another site.
2684 Special care should be given to relative URIs to avoid redirect
2685 loops if the URI itself may generate the same error (eg: 500).
2686
2687 It is important to understand that this keyword is not meant to rewrite
2688 errors returned by the server, but errors detected and returned by HAProxy.
2689 This is why the list of supported errors is limited to a small set.
2690
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002691 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2692
Willy Tarreau2769aa02007-12-27 18:26:09 +01002693 Note that both keyword return the HTTP 302 status code, which tells the
2694 client to fetch the designated URL using the same HTTP method. This can be
2695 quite problematic in case of non-GET methods such as POST, because the URL
2696 sent to the client might not be allowed for something other than GET. To
2697 workaround this problem, please use "errorloc303" which send the HTTP 303
2698 status code, indicating to the client that the URL must be fetched with a GET
2699 request.
2700
2701 See also : "errorfile", "errorloc303"
2702
2703
2704errorloc303 <code> <url>
2705 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2706 May be used in sections : defaults | frontend | listen | backend
2707 yes | yes | yes | yes
2708 Arguments :
2709 <code> is the HTTP status code. Currently, HAProxy is capable of
2710 generating codes 400, 403, 408, 500, 502, 503, and 504.
2711
2712 <url> it is the exact contents of the "Location" header. It may contain
2713 either a relative URI to an error page hosted on the same site,
2714 or an absolute URI designating an error page on another site.
2715 Special care should be given to relative URIs to avoid redirect
2716 loops if the URI itself may generate the same error (eg: 500).
2717
2718 It is important to understand that this keyword is not meant to rewrite
2719 errors returned by the server, but errors detected and returned by HAProxy.
2720 This is why the list of supported errors is limited to a small set.
2721
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002722 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2723
Willy Tarreau2769aa02007-12-27 18:26:09 +01002724 Note that both keyword return the HTTP 303 status code, which tells the
2725 client to fetch the designated URL using the same HTTP GET method. This
2726 solves the usual problems associated with "errorloc" and the 302 code. It is
2727 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002728 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002729
2730 See also : "errorfile", "errorloc", "errorloc302"
2731
2732
Simon Horman51a1cf62015-02-03 13:00:44 +09002733email-alert from <emailaddr>
2734 Declare the from email address to be used in both the envelope and header
2735 of email alerts. This is the address that email alerts are sent from.
2736 May be used in sections: defaults | frontend | listen | backend
2737 yes | yes | yes | yes
2738
2739 Arguments :
2740
2741 <emailaddr> is the from email address to use when sending email alerts
2742
2743 Also requires "email-alert mailers" and "email-alert to" to be set
2744 and if so sending email alerts is enabled for the proxy.
2745
Simon Horman64e34162015-02-06 11:11:57 +09002746 See also : "email-alert level", "email-alert mailers",
2747 "email-alert myhostname", "email-alert to", section 3.6 about mailers.
2748
2749
2750email-alert level <level>
2751 Declare the maximum log level of messages for which email alerts will be
2752 sent. This acts as a filter on the sending of email alerts.
2753 May be used in sections: defaults | frontend | listen | backend
2754 yes | yes | yes | yes
2755
2756 Arguments :
2757
2758 <level> One of the 8 syslog levels:
2759 emerg alert crit err warning notice info debug
2760 The above syslog levels are ordered from lowest to highest.
2761
2762 By default level is alert
2763
2764 Also requires "email-alert from", "email-alert mailers" and
2765 "email-alert to" to be set and if so sending email alerts is enabled
2766 for the proxy.
2767
2768 See also : "email-alert from", "email-alert mailers",
2769 "email-alert myhostname", "email-alert to",
Simon Horman51a1cf62015-02-03 13:00:44 +09002770 section 3.6 about mailers.
2771
2772
2773email-alert mailers <mailersect>
2774 Declare the mailers to be used when sending email alerts
2775 May be used in sections: defaults | frontend | listen | backend
2776 yes | yes | yes | yes
2777
2778 Arguments :
2779
2780 <mailersect> is the name of the mailers section to send email alerts.
2781
2782 Also requires "email-alert from" and "email-alert to" to be set
2783 and if so sending email alerts is enabled for the proxy.
2784
Simon Horman64e34162015-02-06 11:11:57 +09002785 See also : "email-alert from", "email-alert level", "email-alert myhostname",
2786 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09002787
2788
2789email-alert myhostname <hostname>
2790 Declare the to hostname address to be used when communicating with
2791 mailers.
2792 May be used in sections: defaults | frontend | listen | backend
2793 yes | yes | yes | yes
2794
2795 Arguments :
2796
2797 <emailaddr> is the to email address to use when sending email alerts
2798
2799 By default the systems hostname is used.
2800
2801 Also requires "email-alert from", "email-alert mailers" and
2802 "email-alert to" to be set and if so sending email alerts is enabled
2803 for the proxy.
2804
Simon Horman64e34162015-02-06 11:11:57 +09002805 See also : "email-alert from", "email-alert level", "email-alert mailers",
2806 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09002807
2808
2809email-alert to <emailaddr>
2810 Declare both the recipent address in the envelope and to address in the
2811 header of email alerts. This is the address that email alerts are sent to.
2812 May be used in sections: defaults | frontend | listen | backend
2813 yes | yes | yes | yes
2814
2815 Arguments :
2816
2817 <emailaddr> is the to email address to use when sending email alerts
2818
2819 Also requires "email-alert mailers" and "email-alert to" to be set
2820 and if so sending email alerts is enabled for the proxy.
2821
Simon Horman64e34162015-02-06 11:11:57 +09002822 See also : "email-alert from", "email-alert level", "email-alert mailers",
Simon Horman51a1cf62015-02-03 13:00:44 +09002823 "email-alert myhostname", section 3.6 about mailers.
2824
2825
Willy Tarreau4de91492010-01-22 19:10:05 +01002826force-persist { if | unless } <condition>
2827 Declare a condition to force persistence on down servers
2828 May be used in sections: defaults | frontend | listen | backend
2829 no | yes | yes | yes
2830
2831 By default, requests are not dispatched to down servers. It is possible to
2832 force this using "option persist", but it is unconditional and redispatches
2833 to a valid server if "option redispatch" is set. That leaves with very little
2834 possibilities to force some requests to reach a server which is artificially
2835 marked down for maintenance operations.
2836
2837 The "force-persist" statement allows one to declare various ACL-based
2838 conditions which, when met, will cause a request to ignore the down status of
2839 a server and still try to connect to it. That makes it possible to start a
2840 server, still replying an error to the health checks, and run a specially
2841 configured browser to test the service. Among the handy methods, one could
2842 use a specific source IP address, or a specific cookie. The cookie also has
2843 the advantage that it can easily be added/removed on the browser from a test
2844 page. Once the service is validated, it is then possible to open the service
2845 to the world by returning a valid response to health checks.
2846
2847 The forced persistence is enabled when an "if" condition is met, or unless an
2848 "unless" condition is met. The final redispatch is always disabled when this
2849 is used.
2850
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002851 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002852 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002853
2854
Willy Tarreau2769aa02007-12-27 18:26:09 +01002855fullconn <conns>
2856 Specify at what backend load the servers will reach their maxconn
2857 May be used in sections : defaults | frontend | listen | backend
2858 yes | no | yes | yes
2859 Arguments :
2860 <conns> is the number of connections on the backend which will make the
2861 servers use the maximal number of connections.
2862
Willy Tarreau198a7442008-01-17 12:05:32 +01002863 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002864 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002865 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002866 load. The server will then always accept at least <minconn> connections,
2867 never more than <maxconn>, and the limit will be on the ramp between both
2868 values when the backend has less than <conns> concurrent connections. This
2869 makes it possible to limit the load on the servers during normal loads, but
2870 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002871 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002872
Willy Tarreaufbb78422011-06-05 15:38:35 +02002873 Since it's hard to get this value right, haproxy automatically sets it to
2874 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01002875 backend (based on "use_backend" and "default_backend" rules). That way it's
2876 safe to leave it unset. However, "use_backend" involving dynamic names are
2877 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02002878
Willy Tarreau2769aa02007-12-27 18:26:09 +01002879 Example :
2880 # The servers will accept between 100 and 1000 concurrent connections each
2881 # and the maximum of 1000 will be reached when the backend reaches 10000
2882 # connections.
2883 backend dynamic
2884 fullconn 10000
2885 server srv1 dyn1:80 minconn 100 maxconn 1000
2886 server srv2 dyn2:80 minconn 100 maxconn 1000
2887
2888 See also : "maxconn", "server"
2889
2890
2891grace <time>
2892 Maintain a proxy operational for some time after a soft stop
2893 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002894 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002895 Arguments :
2896 <time> is the time (by default in milliseconds) for which the instance
2897 will remain operational with the frontend sockets still listening
2898 when a soft-stop is received via the SIGUSR1 signal.
2899
2900 This may be used to ensure that the services disappear in a certain order.
2901 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002902 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002903 needed by the equipment to detect the failure.
2904
2905 Note that currently, there is very little benefit in using this parameter,
2906 and it may in fact complicate the soft-reconfiguration process more than
2907 simplify it.
2908
Willy Tarreau0ba27502007-12-24 16:55:16 +01002909
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002910hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002911 Specify a method to use for mapping hashes to servers
2912 May be used in sections : defaults | frontend | listen | backend
2913 yes | no | yes | yes
2914 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04002915 <method> is the method used to select a server from the hash computed by
2916 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002917
Bhaskar98634f02013-10-29 23:30:51 -04002918 map-based the hash table is a static array containing all alive servers.
2919 The hashes will be very smooth, will consider weights, but
2920 will be static in that weight changes while a server is up
2921 will be ignored. This means that there will be no slow start.
2922 Also, since a server is selected by its position in the array,
2923 most mappings are changed when the server count changes. This
2924 means that when a server goes up or down, or when a server is
2925 added to a farm, most connections will be redistributed to
2926 different servers. This can be inconvenient with caches for
2927 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01002928
Bhaskar98634f02013-10-29 23:30:51 -04002929 consistent the hash table is a tree filled with many occurrences of each
2930 server. The hash key is looked up in the tree and the closest
2931 server is chosen. This hash is dynamic, it supports changing
2932 weights while the servers are up, so it is compatible with the
2933 slow start feature. It has the advantage that when a server
2934 goes up or down, only its associations are moved. When a
2935 server is added to the farm, only a few part of the mappings
2936 are redistributed, making it an ideal method for caches.
2937 However, due to its principle, the distribution will never be
2938 very smooth and it may sometimes be necessary to adjust a
2939 server's weight or its ID to get a more balanced distribution.
2940 In order to get the same distribution on multiple load
2941 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002942 same IDs. Note: consistent hash uses sdbm and avalanche if no
2943 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04002944
2945 <function> is the hash function to be used :
2946
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002947 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04002948 reimplementation of ndbm) database library. It was found to do
2949 well in scrambling bits, causing better distribution of the keys
2950 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002951 function with good distribution, unless the total server weight
2952 is a multiple of 64, in which case applying the avalanche
2953 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04002954
2955 djb2 this function was first proposed by Dan Bernstein many years ago
2956 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002957 function provides a better distribution than sdbm. It generally
2958 works well with text-based inputs though it can perform extremely
2959 poorly with numeric-only input or when the total server weight is
2960 a multiple of 33, unless the avalanche modifier is also used.
2961
Willy Tarreaua0f42712013-11-14 14:30:35 +01002962 wt6 this function was designed for haproxy while testing other
2963 functions in the past. It is not as smooth as the other ones, but
2964 is much less sensible to the input data set or to the number of
2965 servers. It can make sense as an alternative to sdbm+avalanche or
2966 djb2+avalanche for consistent hashing or when hashing on numeric
2967 data such as a source IP address or a visitor identifier in a URL
2968 parameter.
2969
Willy Tarreau324f07f2015-01-20 19:44:50 +01002970 crc32 this is the most common CRC32 implementation as used in Ethernet,
2971 gzip, PNG, etc. It is slower than the other ones but may provide
2972 a better distribution or less predictable results especially when
2973 used on strings.
2974
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002975 <modifier> indicates an optional method applied after hashing the key :
2976
2977 avalanche This directive indicates that the result from the hash
2978 function above should not be used in its raw form but that
2979 a 4-byte full avalanche hash must be applied first. The
2980 purpose of this step is to mix the resulting bits from the
2981 previous hash in order to avoid any undesired effect when
2982 the input contains some limited values or when the number of
2983 servers is a multiple of one of the hash's components (64
2984 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
2985 result less predictable, but it's also not as smooth as when
2986 using the original function. Some testing might be needed
2987 with some workloads. This hash is one of the many proposed
2988 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002989
Bhaskar98634f02013-10-29 23:30:51 -04002990 The default hash type is "map-based" and is recommended for most usages. The
2991 default function is "sdbm", the selection of a function should be based on
2992 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002993
2994 See also : "balance", "server"
2995
2996
Willy Tarreau0ba27502007-12-24 16:55:16 +01002997http-check disable-on-404
2998 Enable a maintenance mode upon HTTP/404 response to health-checks
2999 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01003000 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01003001 Arguments : none
3002
3003 When this option is set, a server which returns an HTTP code 404 will be
3004 excluded from further load-balancing, but will still receive persistent
3005 connections. This provides a very convenient method for Web administrators
3006 to perform a graceful shutdown of their servers. It is also important to note
3007 that a server which is detected as failed while it was in this mode will not
3008 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
3009 will immediately be reinserted into the farm. The status on the stats page
3010 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01003011 option only works in conjunction with the "httpchk" option. If this option
3012 is used with "http-check expect", then it has precedence over it so that 404
3013 responses will still be considered as soft-stop.
3014
3015 See also : "option httpchk", "http-check expect"
3016
3017
3018http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003019 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01003020 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02003021 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01003022 Arguments :
3023 <match> is a keyword indicating how to look for a specific pattern in the
3024 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003025 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01003026 exclamation mark ("!") to negate the match. Spaces are allowed
3027 between the exclamation mark and the keyword. See below for more
3028 details on the supported keywords.
3029
3030 <pattern> is the pattern to look for. It may be a string or a regular
3031 expression. If the pattern contains spaces, they must be escaped
3032 with the usual backslash ('\').
3033
3034 By default, "option httpchk" considers that response statuses 2xx and 3xx
3035 are valid, and that others are invalid. When "http-check expect" is used,
3036 it defines what is considered valid or invalid. Only one "http-check"
3037 statement is supported in a backend. If a server fails to respond or times
3038 out, the check obviously fails. The available matches are :
3039
3040 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003041 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003042 response's status code is exactly this string. If the
3043 "status" keyword is prefixed with "!", then the response
3044 will be considered invalid if the status code matches.
3045
3046 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003047 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003048 response's status code matches the expression. If the
3049 "rstatus" keyword is prefixed with "!", then the response
3050 will be considered invalid if the status code matches.
3051 This is mostly used to check for multiple codes.
3052
3053 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003054 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003055 response's body contains this exact string. If the
3056 "string" keyword is prefixed with "!", then the response
3057 will be considered invalid if the body contains this
3058 string. This can be used to look for a mandatory word at
3059 the end of a dynamic page, or to detect a failure when a
3060 specific error appears on the check page (eg: a stack
3061 trace).
3062
3063 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04003064 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01003065 response's body matches this expression. If the "rstring"
3066 keyword is prefixed with "!", then the response will be
3067 considered invalid if the body matches the expression.
3068 This can be used to look for a mandatory word at the end
3069 of a dynamic page, or to detect a failure when a specific
3070 error appears on the check page (eg: a stack trace).
3071
3072 It is important to note that the responses will be limited to a certain size
3073 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
3074 Thus, too large responses may not contain the mandatory pattern when using
3075 "string" or "rstring". If a large response is absolutely required, it is
3076 possible to change the default max size by setting the global variable.
3077 However, it is worth keeping in mind that parsing very large responses can
3078 waste some CPU cycles, especially when regular expressions are used, and that
3079 it is always better to focus the checks on smaller resources.
3080
Cyril Bonté32602d22015-01-30 00:07:07 +01003081 Also "http-check expect" doesn't support HTTP keep-alive. Keep in mind that it
3082 will automatically append a "Connection: close" header, meaning that this
3083 header should not be present in the request provided by "option httpchk".
3084
Willy Tarreaubd741542010-03-16 18:46:54 +01003085 Last, if "http-check expect" is combined with "http-check disable-on-404",
3086 then this last one has precedence when the server responds with 404.
3087
3088 Examples :
3089 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003090 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01003091
3092 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003093 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01003094
3095 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003096 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01003097
3098 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01003099 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01003100
Willy Tarreaubd741542010-03-16 18:46:54 +01003101 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003102
3103
Willy Tarreauef781042010-01-27 11:53:01 +01003104http-check send-state
3105 Enable emission of a state header with HTTP health checks
3106 May be used in sections : defaults | frontend | listen | backend
3107 yes | no | yes | yes
3108 Arguments : none
3109
3110 When this option is set, haproxy will systematically send a special header
3111 "X-Haproxy-Server-State" with a list of parameters indicating to each server
3112 how they are seen by haproxy. This can be used for instance when a server is
3113 manipulated without access to haproxy and the operator needs to know whether
3114 haproxy still sees it up or not, or if the server is the last one in a farm.
3115
3116 The header is composed of fields delimited by semi-colons, the first of which
3117 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
3118 checks on the total number before transition, just as appears in the stats
3119 interface. Next headers are in the form "<variable>=<value>", indicating in
3120 no specific order some values available in the stats interface :
Joseph Lynch514061c2015-01-15 17:52:59 -08003121 - a variable "address", containing the address of the backend server.
3122 This corresponds to the <address> field in the server declaration. For
3123 unix domain sockets, it will read "unix".
3124
3125 - a variable "port", containing the port of the backend server. This
3126 corresponds to the <port> field in the server declaration. For unix
3127 domain sockets, it will read "unix".
3128
Willy Tarreauef781042010-01-27 11:53:01 +01003129 - a variable "name", containing the name of the backend followed by a slash
3130 ("/") then the name of the server. This can be used when a server is
3131 checked in multiple backends.
3132
3133 - a variable "node" containing the name of the haproxy node, as set in the
3134 global "node" variable, otherwise the system's hostname if unspecified.
3135
3136 - a variable "weight" indicating the weight of the server, a slash ("/")
3137 and the total weight of the farm (just counting usable servers). This
3138 helps to know if other servers are available to handle the load when this
3139 one fails.
3140
3141 - a variable "scur" indicating the current number of concurrent connections
3142 on the server, followed by a slash ("/") then the total number of
3143 connections on all servers of the same backend.
3144
3145 - a variable "qcur" indicating the current number of requests in the
3146 server's queue.
3147
3148 Example of a header received by the application server :
3149 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
3150 scur=13/22; qcur=0
3151
3152 See also : "option httpchk", "http-check disable-on-404"
3153
Willy Tarreauccbcc372012-12-27 12:37:57 +01003154http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003155 add-header <name> <fmt> | set-header <name> <fmt> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003156 del-header <name> | set-nice <nice> | set-log-level <level> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003157 replace-header <name> <match-regex> <replace-fmt> |
3158 replace-value <name> <match-regex> <replace-fmt> |
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01003159 set-method <fmt> | set-path <fmt> | set-query <fmt> |
3160 set-uri <fmt> | set-tos <tos> | set-mark <mark> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003161 add-acl(<file name>) <key fmt> |
3162 del-acl(<file name>) <key fmt> |
3163 del-map(<file name>) <key fmt> |
Baptiste Assmannbb7e86a2014-09-03 18:29:47 +02003164 set-map(<file name>) <key fmt> <value fmt> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003165 { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] |
3166 lua <function name>
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003167 }
Cyril Bontéf0c60612010-02-06 14:44:47 +01003168 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003169 Access control for Layer 7 requests
3170
3171 May be used in sections: defaults | frontend | listen | backend
3172 no | yes | yes | yes
3173
Willy Tarreau20b0de52012-12-24 15:45:22 +01003174 The http-request statement defines a set of rules which apply to layer 7
3175 processing. The rules are evaluated in their declaration order when they are
3176 met in a frontend, listen or backend section. Any rule may optionally be
3177 followed by an ACL-based condition, in which case it will only be evaluated
3178 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003179
Willy Tarreau20b0de52012-12-24 15:45:22 +01003180 The first keyword is the rule's action. Currently supported actions include :
3181 - "allow" : this stops the evaluation of the rules and lets the request
3182 pass the check. No further "http-request" rules are evaluated.
3183
3184 - "deny" : this stops the evaluation of the rules and immediately rejects
3185 the request and emits an HTTP 403 error. No further "http-request" rules
3186 are evaluated.
3187
Willy Tarreauccbcc372012-12-27 12:37:57 +01003188 - "tarpit" : this stops the evaluation of the rules and immediately blocks
3189 the request without responding for a delay specified by "timeout tarpit"
3190 or "timeout connect" if the former is not set. After that delay, if the
3191 client is still connected, an HTTP error 500 is returned so that the
3192 client does not suspect it has been tarpitted. Logs will report the flags
3193 "PT". The goal of the tarpit rule is to slow down robots during an attack
3194 when they're limited on the number of concurrent requests. It can be very
3195 efficient against very dumb robots, and will significantly reduce the
3196 load on firewalls compared to a "deny" rule. But when facing "correctly"
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003197 developed robots, it can make things worse by forcing haproxy and the
Willy Tarreauccbcc372012-12-27 12:37:57 +01003198 front firewall to support insane number of concurrent connections.
3199
Willy Tarreau20b0de52012-12-24 15:45:22 +01003200 - "auth" : this stops the evaluation of the rules and immediately responds
3201 with an HTTP 401 or 407 error code to invite the user to present a valid
3202 user name and password. No further "http-request" rules are evaluated. An
3203 optional "realm" parameter is supported, it sets the authentication realm
3204 that is returned with the response (typically the application's name).
3205
Willy Tarreau81499eb2012-12-27 12:19:02 +01003206 - "redirect" : this performs an HTTP redirection based on a redirect rule.
3207 This is exactly the same as the "redirect" statement except that it
3208 inserts a redirect rule which can be processed in the middle of other
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01003209 "http-request" rules and that these rules use the "log-format" strings.
3210 See the "redirect" keyword for the rule's syntax.
Willy Tarreau81499eb2012-12-27 12:19:02 +01003211
Willy Tarreau20b0de52012-12-24 15:45:22 +01003212 - "add-header" appends an HTTP header field whose name is specified in
3213 <name> and whose value is defined by <fmt> which follows the log-format
3214 rules (see Custom Log Format in section 8.2.4). This is particularly
3215 useful to pass connection-specific information to the server (eg: the
3216 client's SSL certificate), or to combine several headers into one. This
3217 rule is not final, so it is possible to add other similar rules. Note
3218 that header addition is performed immediately, so one rule might reuse
3219 the resulting header from a previous rule.
3220
3221 - "set-header" does the same as "add-header" except that the header name
3222 is first removed if it existed. This is useful when passing security
3223 information to the server, where the header must not be manipulated by
Willy Tarreau85603282015-01-21 20:39:27 +01003224 external users. Note that the new value is computed before the removal so
3225 it is possible to concatenate a value to an existing header.
Willy Tarreau20b0de52012-12-24 15:45:22 +01003226
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003227 - "del-header" removes all HTTP header fields whose name is specified in
3228 <name>.
3229
Sasha Pachev218f0642014-06-16 12:05:59 -06003230 - "replace-header" matches the regular expression in all occurrences of
3231 header field <name> according to <match-regex>, and replaces them with
3232 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3233 and work like in <fmt> arguments in "add-header". The match is only
3234 case-sensitive. It is important to understand that this action only
3235 considers whole header lines, regardless of the number of values they
3236 may contain. This usage is suited to headers naturally containing commas
3237 in their value, such as If-Modified-Since and so on.
3238
3239 Example:
3240
3241 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
3242
3243 applied to:
3244
3245 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3246
3247 outputs:
3248
3249 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
3250
3251 assuming the backend IP is 192.168.1.20
3252
3253 - "replace-value" works like "replace-header" except that it matches the
3254 regex against every comma-delimited value of the header field <name>
3255 instead of the entire header. This is suited for all headers which are
3256 allowed to carry more than one value. An example could be the Accept
3257 header.
3258
3259 Example:
3260
3261 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
3262
3263 applied to:
3264
3265 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
3266
3267 outputs:
3268
3269 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
3270
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01003271 - "set-method" rewrites the request method with the result of the
3272 evaluation of format string <fmt>. There should be very few valid reasons
3273 for having to do so as this is more likely to break something than to fix
3274 it.
3275
3276 - "set-path" rewrites the request path with the result of the evaluation of
3277 format string <fmt>. The query string, if any, is left intact. If a
3278 scheme and authority is found before the path, they are left intact as
3279 well. If the request doesn't have a path ("*"), this one is replaced with
3280 the format. This can be used to prepend a directory component in front of
3281 a path for example. See also "set-query" and "set-uri".
3282
3283 Example :
3284 # prepend the host name before the path
3285 http-request set-path /%[hdr(host)]%[path]
3286
3287 - "set-query" rewrites the request's query string which appears after the
3288 first question mark ("?") with the result of the evaluation of format
3289 string <fmt>. The part prior to the question mark is left intact. If the
3290 request doesn't contain a question mark and the new value is not empty,
3291 then one is added at the end of the URI, followed by the new value. If
3292 a question mark was present, it will never be removed even if the value
3293 is empty. This can be used to add or remove parameters from the query
3294 string. See also "set-query" and "set-uri".
3295
3296 Example :
3297 # replace "%3D" with "=" in the query string
3298 http-request set-query %[query,regsub(%3D,=,g)]
3299
3300 - "set-uri" rewrites the request URI with the result of the evaluation of
3301 format string <fmt>. The scheme, authority, path and query string are all
3302 replaced at once. This can be used to rewrite hosts in front of proxies,
3303 or to perform complex modifications to the URI such as moving parts
3304 between the path and the query string. See also "set-path" and
3305 "set-query".
3306
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003307 - "set-nice" sets the "nice" factor of the current request being processed.
3308 It only has effect against the other requests being processed at the same
3309 time. The default value is 0, unless altered by the "nice" setting on the
3310 "bind" line. The accepted range is -1024..1024. The higher the value, the
3311 nicest the request will be. Lower values will make the request more
3312 important than other ones. This can be useful to improve the speed of
3313 some requests, or lower the priority of non-important requests. Using
3314 this setting without prior experimentation can cause some major slowdown.
3315
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003316 - "set-log-level" is used to change the log level of the current request
3317 when a certain condition is met. Valid levels are the 8 syslog levels
3318 (see the "log" keyword) plus the special level "silent" which disables
3319 logging for this request. This rule is not final so the last matching
3320 rule wins. This rule can be useful to disable health checks coming from
3321 another equipment.
3322
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003323 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3324 the client to the value passed in <tos> on platforms which support this.
3325 This value represents the whole 8 bits of the IP TOS field, and can be
3326 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3327 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3328 bits are always 0. This can be used to adjust some routing behaviour on
3329 border routers based on some information from the request. See RFC 2474,
3330 2597, 3260 and 4594 for more information.
3331
Willy Tarreau51347ed2013-06-11 19:34:13 +02003332 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3333 client to the value passed in <mark> on platforms which support it. This
3334 value is an unsigned 32 bit value which can be matched by netfilter and
3335 by the routing table. It can be expressed both in decimal or hexadecimal
3336 format (prefixed by "0x"). This can be useful to force certain packets to
3337 take a different route (for example a cheaper network path for bulk
3338 downloads). This works on Linux kernels 2.6.32 and above and requires
3339 admin privileges.
3340
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003341 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3342 from a file (even a dummy empty file). The file name of the ACL to be
3343 updated is passed between parentheses. It takes one argument: <key fmt>,
3344 which follows log-format rules, to collect content of the new entry. It
3345 performs a lookup in the ACL before insertion, to avoid duplicated (or
3346 more) values. This lookup is done by a linear search and can be expensive
3347 with large lists! It is the equivalent of the "add acl" command from the
3348 stats socket, but can be triggered by an HTTP request.
3349
3350 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3351 from a file (even a dummy empty file). The file name of the ACL to be
3352 updated is passed between parentheses. It takes one argument: <key fmt>,
3353 which follows log-format rules, to collect content of the entry to delete.
3354 It is the equivalent of the "del acl" command from the stats socket, but
3355 can be triggered by an HTTP request.
3356
3357 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3358 from a file (even a dummy empty file). The file name of the MAP to be
3359 updated is passed between parentheses. It takes one argument: <key fmt>,
3360 which follows log-format rules, to collect content of the entry to delete.
3361 It takes one argument: "file name" It is the equivalent of the "del map"
3362 command from the stats socket, but can be triggered by an HTTP request.
3363
3364 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3365 from a file (even a dummy empty file). The file name of the MAP to be
3366 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3367 which follows log-format rules, used to collect MAP key, and <value fmt>,
3368 which follows log-format rules, used to collect content for the new entry.
3369 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3370 more) values. This lookup is done by a linear search and can be expensive
3371 with large lists! It is the equivalent of the "set map" command from the
3372 stats socket, but can be triggered by an HTTP request.
3373
Willy Tarreau09448f72014-06-25 18:12:15 +02003374 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
3375 enables tracking of sticky counters from current request. These rules
3376 do not stop evaluation and do not change default action. Three sets of
3377 counters may be simultaneously tracked by the same connection. The first
3378 "track-sc0" rule executed enables tracking of the counters of the
3379 specified table as the first set. The first "track-sc1" rule executed
3380 enables tracking of the counters of the specified table as the second
3381 set. The first "track-sc2" rule executed enables tracking of the
3382 counters of the specified table as the third set. It is a recommended
3383 practice to use the first set of counters for the per-frontend counters
3384 and the second set for the per-backend ones. But this is just a
3385 guideline, all may be used everywhere.
3386
3387 These actions take one or two arguments :
3388 <key> is mandatory, and is a sample expression rule as described
3389 in section 7.3. It describes what elements of the incoming
3390 request or connection will be analysed, extracted, combined,
3391 and used to select which table entry to update the counters.
3392
3393 <table> is an optional table to be used instead of the default one,
3394 which is the stick-table declared in the current proxy. All
3395 the counters for the matches and updates for the key will
3396 then be performed in that table until the session ends.
3397
3398 Once a "track-sc*" rule is executed, the key is looked up in the table
3399 and if it is not found, an entry is allocated for it. Then a pointer to
3400 that entry is kept during all the session's life, and this entry's
3401 counters are updated as often as possible, every time the session's
3402 counters are updated, and also systematically when the session ends.
3403 Counters are only updated for events that happen after the tracking has
3404 been started. As an exception, connection counters and request counters
3405 are systematically updated so that they reflect useful information.
3406
3407 If the entry tracks concurrent connection counters, one connection is
3408 counted for as long as the entry is tracked, and the entry will not
3409 expire during that time. Tracking counters also provides a performance
3410 advantage over just checking the keys, because only one table lookup is
3411 performed for all ACL checks that make use of it.
3412
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003413 - "lua" is used to run a Lua function if the action is executed. The single
3414 parameter is the name of the function to run. The prototype of the
3415 function is documented in the API documentation.
3416
Willy Tarreau20b0de52012-12-24 15:45:22 +01003417 There is no limit to the number of http-request statements per instance.
3418
3419 It is important to know that http-request rules are processed very early in
3420 the HTTP processing, just after "block" rules and before "reqdel" or "reqrep"
3421 rules. That way, headers added by "add-header"/"set-header" are visible by
3422 almost all further ACL rules.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003423
3424 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01003425 acl nagios src 192.168.129.3
3426 acl local_net src 192.168.0.0/16
3427 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003428
Cyril Bonté78caf842010-03-10 22:41:43 +01003429 http-request allow if nagios
3430 http-request allow if local_net auth_ok
3431 http-request auth realm Gimme if local_net auth_ok
3432 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003433
Cyril Bonté78caf842010-03-10 22:41:43 +01003434 Example:
3435 acl auth_ok http_auth_group(L1) G1
Cyril Bonté78caf842010-03-10 22:41:43 +01003436 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003437
Willy Tarreau20b0de52012-12-24 15:45:22 +01003438 Example:
3439 http-request set-header X-Haproxy-Current-Date %T
3440 http-request set-header X-SSL %[ssl_fc]
3441 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
3442 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
3443 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
3444 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
3445 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
3446 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
3447 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
3448
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003449 Example:
3450 acl key req.hdr(X-Add-Acl-Key) -m found
3451 acl add path /addacl
3452 acl del path /delacl
3453
3454 acl myhost hdr(Host) -f myhost.lst
3455
3456 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
3457 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
3458
3459 Example:
3460 acl value req.hdr(X-Value) -m found
3461 acl setmap path /setmap
3462 acl delmap path /delmap
3463
3464 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3465
3466 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
3467 http-request del-map(map.lst) %[src] if delmap
3468
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02003469 See also : "stats http-request", section 3.4 about userlists and section 7
3470 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01003471
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003472http-response { allow | deny | add-header <name> <fmt> | set-nice <nice> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003473 set-header <name> <fmt> | del-header <name> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003474 replace-header <name> <regex-match> <replace-fmt> |
3475 replace-value <name> <regex-match> <replace-fmt> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003476 set-log-level <level> | set-mark <mark> | set-tos <tos> |
3477 add-acl(<file name>) <key fmt> |
3478 del-acl(<file name>) <key fmt> |
3479 del-map(<file name>) <key fmt> |
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003480 set-map(<file name>) <key fmt> <value fmt> |
3481 lua <function name>
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003482 }
Lukas Tribus2dd1d1a2013-06-19 23:34:41 +02003483 [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003484 Access control for Layer 7 responses
3485
3486 May be used in sections: defaults | frontend | listen | backend
3487 no | yes | yes | yes
3488
3489 The http-response statement defines a set of rules which apply to layer 7
3490 processing. The rules are evaluated in their declaration order when they are
3491 met in a frontend, listen or backend section. Any rule may optionally be
3492 followed by an ACL-based condition, in which case it will only be evaluated
3493 if the condition is true. Since these rules apply on responses, the backend
3494 rules are applied first, followed by the frontend's rules.
3495
3496 The first keyword is the rule's action. Currently supported actions include :
3497 - "allow" : this stops the evaluation of the rules and lets the response
3498 pass the check. No further "http-response" rules are evaluated for the
3499 current section.
3500
3501 - "deny" : this stops the evaluation of the rules and immediately rejects
3502 the response and emits an HTTP 502 error. No further "http-response"
3503 rules are evaluated.
3504
3505 - "add-header" appends an HTTP header field whose name is specified in
3506 <name> and whose value is defined by <fmt> which follows the log-format
3507 rules (see Custom Log Format in section 8.2.4). This may be used to send
3508 a cookie to a client for example, or to pass some internal information.
3509 This rule is not final, so it is possible to add other similar rules.
3510 Note that header addition is performed immediately, so one rule might
3511 reuse the resulting header from a previous rule.
3512
3513 - "set-header" does the same as "add-header" except that the header name
3514 is first removed if it existed. This is useful when passing security
3515 information to the server, where the header must not be manipulated by
3516 external users.
3517
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003518 - "del-header" removes all HTTP header fields whose name is specified in
3519 <name>.
3520
Sasha Pachev218f0642014-06-16 12:05:59 -06003521 - "replace-header" matches the regular expression in all occurrences of
3522 header field <name> according to <match-regex>, and replaces them with
3523 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3524 and work like in <fmt> arguments in "add-header". The match is only
3525 case-sensitive. It is important to understand that this action only
3526 considers whole header lines, regardless of the number of values they
3527 may contain. This usage is suited to headers naturally containing commas
3528 in their value, such as Set-Cookie, Expires and so on.
3529
3530 Example:
3531
3532 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
3533
3534 applied to:
3535
3536 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
3537
3538 outputs:
3539
3540 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
3541
3542 assuming the backend IP is 192.168.1.20.
3543
3544 - "replace-value" works like "replace-header" except that it matches the
3545 regex against every comma-delimited value of the header field <name>
3546 instead of the entire header. This is suited for all headers which are
3547 allowed to carry more than one value. An example could be the Accept
3548 header.
3549
3550 Example:
3551
3552 http-response replace-value Cache-control ^public$ private
3553
3554 applied to:
3555
3556 Cache-Control: max-age=3600, public
3557
3558 outputs:
3559
3560 Cache-Control: max-age=3600, private
3561
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003562 - "set-nice" sets the "nice" factor of the current request being processed.
3563 It only has effect against the other requests being processed at the same
3564 time. The default value is 0, unless altered by the "nice" setting on the
3565 "bind" line. The accepted range is -1024..1024. The higher the value, the
3566 nicest the request will be. Lower values will make the request more
3567 important than other ones. This can be useful to improve the speed of
3568 some requests, or lower the priority of non-important requests. Using
3569 this setting without prior experimentation can cause some major slowdown.
3570
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003571 - "set-log-level" is used to change the log level of the current request
3572 when a certain condition is met. Valid levels are the 8 syslog levels
3573 (see the "log" keyword) plus the special level "silent" which disables
3574 logging for this request. This rule is not final so the last matching
3575 rule wins. This rule can be useful to disable health checks coming from
3576 another equipment.
3577
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003578 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3579 the client to the value passed in <tos> on platforms which support this.
3580 This value represents the whole 8 bits of the IP TOS field, and can be
3581 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3582 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3583 bits are always 0. This can be used to adjust some routing behaviour on
3584 border routers based on some information from the request. See RFC 2474,
3585 2597, 3260 and 4594 for more information.
3586
Willy Tarreau51347ed2013-06-11 19:34:13 +02003587 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3588 client to the value passed in <mark> on platforms which support it. This
3589 value is an unsigned 32 bit value which can be matched by netfilter and
3590 by the routing table. It can be expressed both in decimal or hexadecimal
3591 format (prefixed by "0x"). This can be useful to force certain packets to
3592 take a different route (for example a cheaper network path for bulk
3593 downloads). This works on Linux kernels 2.6.32 and above and requires
3594 admin privileges.
3595
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003596 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3597 from a file (even a dummy empty file). The file name of the ACL to be
3598 updated is passed between parentheses. It takes one argument: <key fmt>,
3599 which follows log-format rules, to collect content of the new entry. It
3600 performs a lookup in the ACL before insertion, to avoid duplicated (or
3601 more) values. This lookup is done by a linear search and can be expensive
3602 with large lists! It is the equivalent of the "add acl" command from the
3603 stats socket, but can be triggered by an HTTP response.
3604
3605 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3606 from a file (even a dummy empty file). The file name of the ACL to be
3607 updated is passed between parentheses. It takes one argument: <key fmt>,
3608 which follows log-format rules, to collect content of the entry to delete.
3609 It is the equivalent of the "del acl" command from the stats socket, but
3610 can be triggered by an HTTP response.
3611
3612 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3613 from a file (even a dummy empty file). The file name of the MAP to be
3614 updated is passed between parentheses. It takes one argument: <key fmt>,
3615 which follows log-format rules, to collect content of the entry to delete.
3616 It takes one argument: "file name" It is the equivalent of the "del map"
3617 command from the stats socket, but can be triggered by an HTTP response.
3618
3619 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3620 from a file (even a dummy empty file). The file name of the MAP to be
3621 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3622 which follows log-format rules, used to collect MAP key, and <value fmt>,
3623 which follows log-format rules, used to collect content for the new entry.
3624 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3625 more) values. This lookup is done by a linear search and can be expensive
3626 with large lists! It is the equivalent of the "set map" command from the
3627 stats socket, but can be triggered by an HTTP response.
3628
Thierry FOURNIER90da1912015-03-05 11:17:06 +01003629 - "lua" is used to run a Lua function if the action is executed. The single
3630 parameter is the name of the function to run. The prototype of the
3631 function is documented in the API documentation.
3632
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003633 There is no limit to the number of http-response statements per instance.
3634
Godbach09250262013-07-02 01:19:15 +08003635 It is important to know that http-response rules are processed very early in
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003636 the HTTP processing, before "reqdel" or "reqrep" rules. That way, headers
3637 added by "add-header"/"set-header" are visible by almost all further ACL
3638 rules.
3639
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003640 Example:
3641 acl key_acl res.hdr(X-Acl-Key) -m found
3642
3643 acl myhost hdr(Host) -f myhost.lst
3644
3645 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3646 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3647
3648 Example:
3649 acl value res.hdr(X-Value) -m found
3650
3651 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3652
3653 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
3654 http-response del-map(map.lst) %[src] if ! value
3655
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003656 See also : "http-request", section 3.4 about userlists and section 7 about
3657 ACL usage.
3658
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02003659
Mark Lamourinec2247f02012-01-04 13:02:01 -05003660http-send-name-header [<header>]
3661 Add the server name to a request. Use the header string given by <header>
3662
3663 May be used in sections: defaults | frontend | listen | backend
3664 yes | no | yes | yes
3665
3666 Arguments :
3667
3668 <header> The header string to use to send the server name
3669
3670 The "http-send-name-header" statement causes the name of the target
3671 server to be added to the headers of an HTTP request. The name
3672 is added with the header string proved.
3673
3674 See also : "server"
3675
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003676id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02003677 Set a persistent ID to a proxy.
3678 May be used in sections : defaults | frontend | listen | backend
3679 no | yes | yes | yes
3680 Arguments : none
3681
3682 Set a persistent ID for the proxy. This ID must be unique and positive.
3683 An unused ID will automatically be assigned if unset. The first assigned
3684 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003685
3686
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003687ignore-persist { if | unless } <condition>
3688 Declare a condition to ignore persistence
3689 May be used in sections: defaults | frontend | listen | backend
3690 no | yes | yes | yes
3691
3692 By default, when cookie persistence is enabled, every requests containing
3693 the cookie are unconditionally persistent (assuming the target server is up
3694 and running).
3695
3696 The "ignore-persist" statement allows one to declare various ACL-based
3697 conditions which, when met, will cause a request to ignore persistence.
3698 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003699 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003700 persistence for a specific User-Agent (for example, some web crawler bots).
3701
3702 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3703 the appsession table won't grow if persistence is ignored.
3704
3705 The persistence is ignored when an "if" condition is met, or unless an
3706 "unless" condition is met.
3707
3708 See also : "force-persist", "cookie", and section 7 about ACL usage.
3709
3710
Willy Tarreau2769aa02007-12-27 18:26:09 +01003711log global
Willy Tarreau18324f52014-06-27 18:10:07 +02003712log <address> [len <length>] <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02003713no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01003714 Enable per-instance logging of events and traffic.
3715 May be used in sections : defaults | frontend | listen | backend
3716 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02003717
3718 Prefix :
3719 no should be used when the logger list must be flushed. For example,
3720 if you don't want to inherit from the default logger list. This
3721 prefix does not allow arguments.
3722
Willy Tarreau2769aa02007-12-27 18:26:09 +01003723 Arguments :
3724 global should be used when the instance's logging parameters are the
3725 same as the global ones. This is the most common usage. "global"
3726 replaces <address>, <facility> and <level> with those of the log
3727 entries found in the "global" section. Only one "log global"
3728 statement may be used per instance, and this form takes no other
3729 parameter.
3730
3731 <address> indicates where to send the logs. It takes the same format as
3732 for the "global" section's logs, and can be one of :
3733
3734 - An IPv4 address optionally followed by a colon (':') and a UDP
3735 port. If no port is specified, 514 is used by default (the
3736 standard syslog port).
3737
David du Colombier24bb5f52011-03-17 10:40:23 +01003738 - An IPv6 address followed by a colon (':') and optionally a UDP
3739 port. If no port is specified, 514 is used by default (the
3740 standard syslog port).
3741
Willy Tarreau2769aa02007-12-27 18:26:09 +01003742 - A filesystem path to a UNIX domain socket, keeping in mind
3743 considerations for chroot (be sure the path is accessible
3744 inside the chroot) and uid/gid (be sure the path is
3745 appropriately writeable).
3746
Willy Tarreaudad36a32013-03-11 01:20:04 +01003747 Any part of the address string may reference any number of
3748 environment variables by preceding their name with a dollar
3749 sign ('$') and optionally enclosing them with braces ('{}'),
3750 similarly to what is done in Bourne shell.
3751
Willy Tarreau18324f52014-06-27 18:10:07 +02003752 <length> is an optional maximum line length. Log lines larger than this
3753 value will be truncated before being sent. The reason is that
3754 syslog servers act differently on log line length. All servers
3755 support the default value of 1024, but some servers simply drop
3756 larger lines while others do log them. If a server supports long
3757 lines, it may make sense to set this value here in order to avoid
3758 truncating long lines. Similarly, if a server drops long lines,
3759 it is preferable to truncate them before sending them. Accepted
3760 values are 80 to 65535 inclusive. The default value of 1024 is
3761 generally fine for all standard usages. Some specific cases of
3762 long captures or JSON-formated logs may require larger values.
3763
Willy Tarreau2769aa02007-12-27 18:26:09 +01003764 <facility> must be one of the 24 standard syslog facilities :
3765
3766 kern user mail daemon auth syslog lpr news
3767 uucp cron auth2 ftp ntp audit alert cron2
3768 local0 local1 local2 local3 local4 local5 local6 local7
3769
3770 <level> is optional and can be specified to filter outgoing messages. By
3771 default, all messages are sent. If a level is specified, only
3772 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003773 will be sent. An optional minimum level can be specified. If it
3774 is set, logs emitted with a more severe level than this one will
3775 be capped to this level. This is used to avoid sending "emerg"
3776 messages on all terminals on some default syslog configurations.
3777 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003778
3779 emerg alert crit err warning notice info debug
3780
William Lallemand0f99e342011-10-12 17:50:54 +02003781 It is important to keep in mind that it is the frontend which decides what to
3782 log from a connection, and that in case of content switching, the log entries
3783 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003784
3785 However, backend log declaration define how and where servers status changes
3786 will be logged. Level "notice" will be used to indicate a server going up,
3787 "warning" will be used for termination signals and definitive service
3788 termination, and "alert" will be used for when a server goes down.
3789
3790 Note : According to RFC3164, messages are truncated to 1024 bytes before
3791 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003792
3793 Example :
3794 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003795 log 127.0.0.1:514 local0 notice # only send important events
3796 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreaudad36a32013-03-11 01:20:04 +01003797 log ${LOCAL_SYSLOG}:514 local0 notice # send to local server
3798
Willy Tarreau2769aa02007-12-27 18:26:09 +01003799
William Lallemand48940402012-01-30 16:47:22 +01003800log-format <string>
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01003801 Specifies the log format string to use for traffic logs
3802 May be used in sections: defaults | frontend | listen | backend
3803 yes | yes | yes | no
William Lallemand48940402012-01-30 16:47:22 +01003804
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01003805 This directive specifies the log format string that will be used for all logs
3806 resulting from traffic passing through the frontend using this line. If the
3807 directive is used in a defaults section, all subsequent frontends will use
3808 the same log format. Please see section 8.2.4 which covers the log format
3809 string in depth.
William Lallemand48940402012-01-30 16:47:22 +01003810
Willy Tarreau094af4e2015-01-07 15:03:42 +01003811log-tag <string>
3812 Specifies the log tag to use for all outgoing logs
3813 May be used in sections: defaults | frontend | listen | backend
3814 yes | yes | yes | yes
3815
3816 Sets the tag field in the syslog header to this string. It defaults to the
3817 log-tag set in the global section, otherwise the program name as launched
3818 from the command line, which usually is "haproxy". Sometimes it can be useful
3819 to differentiate between multiple processes running on the same host, or to
3820 differentiate customer instances running in the same process. In the backend,
3821 logs about servers up/down will use this tag. As a hint, it can be convenient
3822 to set a log-tag related to a hosted customer in a defaults section then put
3823 all the frontends and backends for that customer, then start another customer
3824 in a new defaults section. See also the global "log-tag" directive.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003825
Willy Tarreauc35362a2014-04-25 13:58:37 +02003826max-keep-alive-queue <value>
3827 Set the maximum server queue size for maintaining keep-alive connections
3828 May be used in sections: defaults | frontend | listen | backend
3829 yes | no | yes | yes
3830
3831 HTTP keep-alive tries to reuse the same server connection whenever possible,
3832 but sometimes it can be counter-productive, for example if a server has a lot
3833 of connections while other ones are idle. This is especially true for static
3834 servers.
3835
3836 The purpose of this setting is to set a threshold on the number of queued
3837 connections at which haproxy stops trying to reuse the same server and prefers
3838 to find another one. The default value, -1, means there is no limit. A value
3839 of zero means that keep-alive requests will never be queued. For very close
3840 servers which can be reached with a low latency and which are not sensible to
3841 breaking keep-alive, a low value is recommended (eg: local static server can
3842 use a value of 10 or less). For remote servers suffering from a high latency,
3843 higher values might be needed to cover for the latency and/or the cost of
3844 picking a different server.
3845
3846 Note that this has no impact on responses which are maintained to the same
3847 server consecutively to a 401 response. They will still go to the same server
3848 even if they have to be queued.
3849
3850 See also : "option http-server-close", "option prefer-last-server", server
3851 "maxconn" and cookie persistence.
3852
3853
Willy Tarreau2769aa02007-12-27 18:26:09 +01003854maxconn <conns>
3855 Fix the maximum number of concurrent connections on a frontend
3856 May be used in sections : defaults | frontend | listen | backend
3857 yes | yes | yes | no
3858 Arguments :
3859 <conns> is the maximum number of concurrent connections the frontend will
3860 accept to serve. Excess connections will be queued by the system
3861 in the socket's listen queue and will be served once a connection
3862 closes.
3863
3864 If the system supports it, it can be useful on big sites to raise this limit
3865 very high so that haproxy manages connection queues, instead of leaving the
3866 clients with unanswered connection attempts. This value should not exceed the
3867 global maxconn. Also, keep in mind that a connection contains two buffers
3868 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
3869 consumed per established connection. That means that a medium system equipped
3870 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
3871 properly tuned.
3872
3873 Also, when <conns> is set to large values, it is possible that the servers
3874 are not sized to accept such loads, and for this reason it is generally wise
3875 to assign them some reasonable connection limits.
3876
Vincent Bernat6341be52012-06-27 17:18:30 +02003877 By default, this value is set to 2000.
3878
Willy Tarreau2769aa02007-12-27 18:26:09 +01003879 See also : "server", global section's "maxconn", "fullconn"
3880
3881
3882mode { tcp|http|health }
3883 Set the running mode or protocol of the instance
3884 May be used in sections : defaults | frontend | listen | backend
3885 yes | yes | yes | yes
3886 Arguments :
3887 tcp The instance will work in pure TCP mode. A full-duplex connection
3888 will be established between clients and servers, and no layer 7
3889 examination will be performed. This is the default mode. It
3890 should be used for SSL, SSH, SMTP, ...
3891
3892 http The instance will work in HTTP mode. The client request will be
3893 analyzed in depth before connecting to any server. Any request
3894 which is not RFC-compliant will be rejected. Layer 7 filtering,
3895 processing and switching will be possible. This is the mode which
3896 brings HAProxy most of its value.
3897
3898 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02003899 to incoming connections and close the connection. Alternatively,
3900 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
3901 instead. Nothing will be logged in either case. This mode is used
3902 to reply to external components health checks. This mode is
3903 deprecated and should not be used anymore as it is possible to do
3904 the same and even better by combining TCP or HTTP modes with the
3905 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003906
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003907 When doing content switching, it is mandatory that the frontend and the
3908 backend are in the same mode (generally HTTP), otherwise the configuration
3909 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003910
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003911 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003912 defaults http_instances
3913 mode http
3914
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003915 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003916
Willy Tarreau0ba27502007-12-24 16:55:16 +01003917
Cyril Bontéf0c60612010-02-06 14:44:47 +01003918monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01003919 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003920 May be used in sections : defaults | frontend | listen | backend
3921 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01003922 Arguments :
3923 if <cond> the monitor request will fail if the condition is satisfied,
3924 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003925 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01003926 are met, for instance a low number of servers both in a
3927 backend and its backup.
3928
3929 unless <cond> the monitor request will succeed only if the condition is
3930 satisfied, and will fail otherwise. Such a condition may be
3931 based on a test on the presence of a minimum number of active
3932 servers in a list of backends.
3933
3934 This statement adds a condition which can force the response to a monitor
3935 request to report a failure. By default, when an external component queries
3936 the URI dedicated to monitoring, a 200 response is returned. When one of the
3937 conditions above is met, haproxy will return 503 instead of 200. This is
3938 very useful to report a site failure to an external component which may base
3939 routing advertisements between multiple sites on the availability reported by
3940 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003941 criterion. Note that "monitor fail" only works in HTTP mode. Both status
3942 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003943
3944 Example:
3945 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01003946 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01003947 acl site_dead nbsrv(dynamic) lt 2
3948 acl site_dead nbsrv(static) lt 2
3949 monitor-uri /site_alive
3950 monitor fail if site_dead
3951
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003952 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003953
3954
3955monitor-net <source>
3956 Declare a source network which is limited to monitor requests
3957 May be used in sections : defaults | frontend | listen | backend
3958 yes | yes | yes | no
3959 Arguments :
3960 <source> is the source IPv4 address or network which will only be able to
3961 get monitor responses to any request. It can be either an IPv4
3962 address, a host name, or an address followed by a slash ('/')
3963 followed by a mask.
3964
3965 In TCP mode, any connection coming from a source matching <source> will cause
3966 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003967 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01003968 forwarding the connection to a remote server.
3969
3970 In HTTP mode, a connection coming from a source matching <source> will be
3971 accepted, the following response will be sent without waiting for a request,
3972 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
3973 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02003974 running without forwarding the request to a backend server. Note that this
3975 response is sent in raw format, without any transformation. This is important
3976 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003977
Willy Tarreau82569f92012-09-27 23:48:56 +02003978 Monitor requests are processed very early, just after tcp-request connection
3979 ACLs which are the only ones able to block them. These connections are short
3980 lived and never wait for any data from the client. They cannot be logged, and
3981 it is the intended purpose. They are only used to report HAProxy's health to
3982 an upper component, nothing more. Please note that "monitor fail" rules do
3983 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01003984
Willy Tarreau95cd2832010-03-04 23:36:33 +01003985 Last, please note that only one "monitor-net" statement can be specified in
3986 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003987
Willy Tarreau2769aa02007-12-27 18:26:09 +01003988 Example :
3989 # addresses .252 and .253 are just probing us.
3990 frontend www
3991 monitor-net 192.168.0.252/31
3992
3993 See also : "monitor fail", "monitor-uri"
3994
3995
3996monitor-uri <uri>
3997 Intercept a URI used by external components' monitor requests
3998 May be used in sections : defaults | frontend | listen | backend
3999 yes | yes | yes | no
4000 Arguments :
4001 <uri> is the exact URI which we want to intercept to return HAProxy's
4002 health status instead of forwarding the request.
4003
4004 When an HTTP request referencing <uri> will be received on a frontend,
4005 HAProxy will not forward it nor log it, but instead will return either
4006 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
4007 conditions defined with "monitor fail". This is normally enough for any
4008 front-end HTTP probe to detect that the service is UP and running without
4009 forwarding the request to a backend server. Note that the HTTP method, the
4010 version and all headers are ignored, but the request must at least be valid
4011 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
4012
4013 Monitor requests are processed very early. It is not possible to block nor
4014 divert them using ACLs. They cannot be logged either, and it is the intended
4015 purpose. They are only used to report HAProxy's health to an upper component,
4016 nothing more. However, it is possible to add any number of conditions using
4017 "monitor fail" and ACLs so that the result can be adjusted to whatever check
4018 can be imagined (most often the number of available servers in a backend).
4019
4020 Example :
4021 # Use /haproxy_test to report haproxy's status
4022 frontend www
4023 mode http
4024 monitor-uri /haproxy_test
4025
4026 See also : "monitor fail", "monitor-net"
4027
Willy Tarreau0ba27502007-12-24 16:55:16 +01004028
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004029option abortonclose
4030no option abortonclose
4031 Enable or disable early dropping of aborted requests pending in queues.
4032 May be used in sections : defaults | frontend | listen | backend
4033 yes | no | yes | yes
4034 Arguments : none
4035
4036 In presence of very high loads, the servers will take some time to respond.
4037 The per-instance connection queue will inflate, and the response time will
4038 increase respective to the size of the queue times the average per-session
4039 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01004040 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004041 the queue, and slowing down other users, and the servers as well, because the
4042 request will eventually be served, then aborted at the first error
4043 encountered while delivering the response.
4044
4045 As there is no way to distinguish between a full STOP and a simple output
4046 close on the client side, HTTP agents should be conservative and consider
4047 that the client might only have closed its output channel while waiting for
4048 the response. However, this introduces risks of congestion when lots of users
4049 do the same, and is completely useless nowadays because probably no client at
4050 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01004051 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004052 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01004053 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004054 of being the single component to break rare but valid traffic is extremely
4055 low, which adds to the temptation to be able to abort a session early while
4056 still not served and not pollute the servers.
4057
4058 In HAProxy, the user can choose the desired behaviour using the option
4059 "abortonclose". By default (without the option) the behaviour is HTTP
4060 compliant and aborted requests will be served. But when the option is
4061 specified, a session with an incoming channel closed will be aborted while
4062 it is still possible, either pending in the queue for a connection slot, or
4063 during the connection establishment if the server has not yet acknowledged
4064 the connection request. This considerably reduces the queue size and the load
4065 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01004066 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004067
4068 If this option has been enabled in a "defaults" section, it can be disabled
4069 in a specific instance by prepending the "no" keyword before it.
4070
4071 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
4072
4073
Willy Tarreau4076a152009-04-02 15:18:36 +02004074option accept-invalid-http-request
4075no option accept-invalid-http-request
4076 Enable or disable relaxing of HTTP request parsing
4077 May be used in sections : defaults | frontend | listen | backend
4078 yes | yes | yes | no
4079 Arguments : none
4080
4081 By default, HAProxy complies with RFC2616 in terms of message parsing. This
4082 means that invalid characters in header names are not permitted and cause an
4083 error to be returned to the client. This is the desired behaviour as such
4084 forbidden characters are essentially used to build attacks exploiting server
4085 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
4086 server will emit invalid header names for whatever reason (configuration,
4087 implementation) and the issue will not be immediately fixed. In such a case,
4088 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01004089 even if that does not make sense, by specifying this option. Similarly, the
4090 list of characters allowed to appear in a URI is well defined by RFC3986, and
4091 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
4092 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
4093 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
4094 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02004095
4096 This option should never be enabled by default as it hides application bugs
4097 and open security breaches. It should only be deployed after a problem has
4098 been confirmed.
4099
4100 When this option is enabled, erroneous header names will still be accepted in
4101 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01004102 analysis using the "show errors" request on the UNIX stats socket. Similarly,
4103 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02004104 also helps confirming that the issue has been solved.
4105
4106 If this option has been enabled in a "defaults" section, it can be disabled
4107 in a specific instance by prepending the "no" keyword before it.
4108
4109 See also : "option accept-invalid-http-response" and "show errors" on the
4110 stats socket.
4111
4112
4113option accept-invalid-http-response
4114no option accept-invalid-http-response
4115 Enable or disable relaxing of HTTP response parsing
4116 May be used in sections : defaults | frontend | listen | backend
4117 yes | no | yes | yes
4118 Arguments : none
4119
4120 By default, HAProxy complies with RFC2616 in terms of message parsing. This
4121 means that invalid characters in header names are not permitted and cause an
4122 error to be returned to the client. This is the desired behaviour as such
4123 forbidden characters are essentially used to build attacks exploiting server
4124 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
4125 server will emit invalid header names for whatever reason (configuration,
4126 implementation) and the issue will not be immediately fixed. In such a case,
4127 it is possible to relax HAProxy's header name parser to accept any character
4128 even if that does not make sense, by specifying this option.
4129
4130 This option should never be enabled by default as it hides application bugs
4131 and open security breaches. It should only be deployed after a problem has
4132 been confirmed.
4133
4134 When this option is enabled, erroneous header names will still be accepted in
4135 responses, but the complete response will be captured in order to permit
4136 later analysis using the "show errors" request on the UNIX stats socket.
4137 Doing this also helps confirming that the issue has been solved.
4138
4139 If this option has been enabled in a "defaults" section, it can be disabled
4140 in a specific instance by prepending the "no" keyword before it.
4141
4142 See also : "option accept-invalid-http-request" and "show errors" on the
4143 stats socket.
4144
4145
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004146option allbackups
4147no option allbackups
4148 Use either all backup servers at a time or only the first one
4149 May be used in sections : defaults | frontend | listen | backend
4150 yes | no | yes | yes
4151 Arguments : none
4152
4153 By default, the first operational backup server gets all traffic when normal
4154 servers are all down. Sometimes, it may be preferred to use multiple backups
4155 at once, because one will not be enough. When "option allbackups" is enabled,
4156 the load balancing will be performed among all backup servers when all normal
4157 ones are unavailable. The same load balancing algorithm will be used and the
4158 servers' weights will be respected. Thus, there will not be any priority
4159 order between the backup servers anymore.
4160
4161 This option is mostly used with static server farms dedicated to return a
4162 "sorry" page when an application is completely offline.
4163
4164 If this option has been enabled in a "defaults" section, it can be disabled
4165 in a specific instance by prepending the "no" keyword before it.
4166
4167
4168option checkcache
4169no option checkcache
Godbach7056a352013-12-11 20:01:07 +08004170 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004171 May be used in sections : defaults | frontend | listen | backend
4172 yes | no | yes | yes
4173 Arguments : none
4174
4175 Some high-level frameworks set application cookies everywhere and do not
4176 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004177 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004178 high risk of session crossing or stealing between users traversing the same
4179 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02004180 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004181
4182 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004183 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01004184 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004185 response to check if there's a risk of caching a cookie on a client-side
4186 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01004187 to the client are :
4188 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004189 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01004190 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004191 - all those that come from a POST request, provided that the server has not
4192 set a 'Cache-Control: public' header ;
4193 - those with a 'Pragma: no-cache' header
4194 - those with a 'Cache-control: private' header
4195 - those with a 'Cache-control: no-store' header
4196 - those with a 'Cache-control: max-age=0' header
4197 - those with a 'Cache-control: s-maxage=0' header
4198 - those with a 'Cache-control: no-cache' header
4199 - those with a 'Cache-control: no-cache="set-cookie"' header
4200 - those with a 'Cache-control: no-cache="set-cookie,' header
4201 (allowing other fields after set-cookie)
4202
4203 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01004204 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004205 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004206 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004207 that admins are informed that there's something to be fixed.
4208
4209 Due to the high impact on the application, the application should be tested
4210 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004211 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004212 production, as it will report potentially dangerous application behaviours.
4213
4214 If this option has been enabled in a "defaults" section, it can be disabled
4215 in a specific instance by prepending the "no" keyword before it.
4216
4217
4218option clitcpka
4219no option clitcpka
4220 Enable or disable the sending of TCP keepalive packets on the client side
4221 May be used in sections : defaults | frontend | listen | backend
4222 yes | yes | yes | no
4223 Arguments : none
4224
4225 When there is a firewall or any session-aware component between a client and
4226 a server, and when the protocol involves very long sessions with long idle
4227 periods (eg: remote desktops), there is a risk that one of the intermediate
4228 components decides to expire a session which has remained idle for too long.
4229
4230 Enabling socket-level TCP keep-alives makes the system regularly send packets
4231 to the other end of the connection, leaving it active. The delay between
4232 keep-alive probes is controlled by the system only and depends both on the
4233 operating system and its tuning parameters.
4234
4235 It is important to understand that keep-alive packets are neither emitted nor
4236 received at the application level. It is only the network stacks which sees
4237 them. For this reason, even if one side of the proxy already uses keep-alives
4238 to maintain its connection alive, those keep-alive packets will not be
4239 forwarded to the other side of the proxy.
4240
4241 Please note that this has nothing to do with HTTP keep-alive.
4242
4243 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
4244 client side of a connection, which should help when session expirations are
4245 noticed between HAProxy and a client.
4246
4247 If this option has been enabled in a "defaults" section, it can be disabled
4248 in a specific instance by prepending the "no" keyword before it.
4249
4250 See also : "option srvtcpka", "option tcpka"
4251
4252
Willy Tarreau0ba27502007-12-24 16:55:16 +01004253option contstats
4254 Enable continuous traffic statistics updates
4255 May be used in sections : defaults | frontend | listen | backend
4256 yes | yes | yes | no
4257 Arguments : none
4258
4259 By default, counters used for statistics calculation are incremented
4260 only when a session finishes. It works quite well when serving small
4261 objects, but with big ones (for example large images or archives) or
4262 with A/V streaming, a graph generated from haproxy counters looks like
4263 a hedgehog. With this option enabled counters get incremented continuously,
4264 during a whole session. Recounting touches a hotpath directly so
4265 it is not enabled by default, as it has small performance impact (~0.5%).
4266
4267
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004268option dontlog-normal
4269no option dontlog-normal
4270 Enable or disable logging of normal, successful connections
4271 May be used in sections : defaults | frontend | listen | backend
4272 yes | yes | yes | no
4273 Arguments : none
4274
4275 There are large sites dealing with several thousand connections per second
4276 and for which logging is a major pain. Some of them are even forced to turn
4277 logs off and cannot debug production issues. Setting this option ensures that
4278 normal connections, those which experience no error, no timeout, no retry nor
4279 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
4280 mode, the response status code is checked and return codes 5xx will still be
4281 logged.
4282
4283 It is strongly discouraged to use this option as most of the time, the key to
4284 complex issues is in the normal logs which will not be logged here. If you
4285 need to separate logs, see the "log-separate-errors" option instead.
4286
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004287 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004288 logging.
4289
4290
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004291option dontlognull
4292no option dontlognull
4293 Enable or disable logging of null connections
4294 May be used in sections : defaults | frontend | listen | backend
4295 yes | yes | yes | no
4296 Arguments : none
4297
4298 In certain environments, there are components which will regularly connect to
4299 various systems to ensure that they are still alive. It can be the case from
4300 another load balancer as well as from monitoring systems. By default, even a
4301 simple port probe or scan will produce a log. If those connections pollute
4302 the logs too much, it is possible to enable option "dontlognull" to indicate
4303 that a connection on which no data has been transferred will not be logged,
4304 which typically corresponds to those probes.
4305
4306 It is generally recommended not to use this option in uncontrolled
4307 environments (eg: internet), otherwise scans and other malicious activities
4308 would not be logged.
4309
4310 If this option has been enabled in a "defaults" section, it can be disabled
4311 in a specific instance by prepending the "no" keyword before it.
4312
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004313 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004314
4315
4316option forceclose
4317no option forceclose
4318 Enable or disable active connection closing after response is transferred.
4319 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01004320 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004321 Arguments : none
4322
4323 Some HTTP servers do not necessarily close the connections when they receive
4324 the "Connection: close" set by "option httpclose", and if the client does not
4325 close either, then the connection remains open till the timeout expires. This
4326 causes high number of simultaneous connections on the servers and shows high
4327 global session times in the logs.
4328
4329 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01004330 actively close the outgoing server channel as soon as the server has finished
Cyril Bonté653dcd62014-02-20 00:13:15 +01004331 to respond and release some resources earlier than with "option httpclose".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004332
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004333 This option may also be combined with "option http-pretend-keepalive", which
4334 will disable sending of the "Connection: close" header, but will still cause
4335 the connection to be closed once the whole response is received.
4336
Cyril Bonté653dcd62014-02-20 00:13:15 +01004337 This option disables and replaces any previous "option httpclose", "option
4338 http-server-close", "option http-keep-alive", or "option http-tunnel".
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004339
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004340 If this option has been enabled in a "defaults" section, it can be disabled
4341 in a specific instance by prepending the "no" keyword before it.
4342
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004343 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004344
4345
Willy Tarreau87cf5142011-08-19 22:57:24 +02004346option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004347 Enable insertion of the X-Forwarded-For header to requests sent to servers
4348 May be used in sections : defaults | frontend | listen | backend
4349 yes | yes | yes | yes
4350 Arguments :
4351 <network> is an optional argument used to disable this option for sources
4352 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02004353 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01004354 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004355
4356 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
4357 their client address. This is sometimes annoying when the client's IP address
4358 is expected in server logs. To solve this problem, the well-known HTTP header
4359 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
4360 This header contains a value representing the client's IP address. Since this
4361 header is always appended at the end of the existing header list, the server
4362 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02004363 the server's manual to find how to enable use of this standard header. Note
4364 that only the last occurrence of the header must be used, since it is really
4365 possible that the client has already brought one.
4366
Willy Tarreaud72758d2010-01-12 10:42:19 +01004367 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02004368 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01004369 have a "X-Forwarded-For" header from a different application (eg: stunnel),
4370 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02004371 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
4372 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01004373
4374 Sometimes, a same HAProxy instance may be shared between a direct client
4375 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
4376 used to decrypt HTTPS traffic). It is possible to disable the addition of the
4377 header for a known source address or network by adding the "except" keyword
4378 followed by the network address. In this case, any source IP matching the
4379 network will not cause an addition of this header. Most common uses are with
4380 private networks or 127.0.0.1.
4381
Willy Tarreau87cf5142011-08-19 22:57:24 +02004382 Alternatively, the keyword "if-none" states that the header will only be
4383 added if it is not present. This should only be used in perfectly trusted
4384 environment, as this might cause a security issue if headers reaching haproxy
4385 are under the control of the end-user.
4386
Willy Tarreauc27debf2008-01-06 08:57:02 +01004387 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02004388 least one of them uses it, the header will be added. Note that the backend's
4389 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02004390 both are defined. In the case of the "if-none" argument, if at least one of
4391 the frontend or the backend does not specify it, it wants the addition to be
4392 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004393
Ross Westaf72a1d2008-08-03 10:51:45 +02004394 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01004395 # Public HTTP address also used by stunnel on the same machine
4396 frontend www
4397 mode http
4398 option forwardfor except 127.0.0.1 # stunnel already adds the header
4399
Ross Westaf72a1d2008-08-03 10:51:45 +02004400 # Those servers want the IP Address in X-Client
4401 backend www
4402 mode http
4403 option forwardfor header X-Client
4404
Willy Tarreau87cf5142011-08-19 22:57:24 +02004405 See also : "option httpclose", "option http-server-close",
Willy Tarreau70dffda2014-01-30 03:07:23 +01004406 "option forceclose", "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01004407
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004408
Willy Tarreau16bfb022010-01-16 19:48:41 +01004409option http-keep-alive
4410no option http-keep-alive
4411 Enable or disable HTTP keep-alive from client to server
4412 May be used in sections : defaults | frontend | listen | backend
4413 yes | yes | yes | yes
4414 Arguments : none
4415
Willy Tarreau70dffda2014-01-30 03:07:23 +01004416 By default HAProxy operates in keep-alive mode with regards to persistent
4417 connections: for each connection it processes each request and response, and
4418 leaves the connection idle on both sides between the end of a response and the
4419 start of a new request. This mode may be changed by several options such as
4420 "option http-server-close", "option forceclose", "option httpclose" or
4421 "option http-tunnel". This option allows to set back the keep-alive mode,
4422 which can be useful when another mode was used in a defaults section.
4423
4424 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
4425 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01004426 network) and the fastest session reuse on the server side at the expense
4427 of maintaining idle connections to the servers. In general, it is possible
4428 with this option to achieve approximately twice the request rate that the
4429 "http-server-close" option achieves on small objects. There are mainly two
4430 situations where this option may be useful :
4431
4432 - when the server is non-HTTP compliant and authenticates the connection
4433 instead of requests (eg: NTLM authentication)
4434
4435 - when the cost of establishing the connection to the server is significant
4436 compared to the cost of retrieving the associated object from the server.
4437
4438 This last case can happen when the server is a fast static server of cache.
4439 In this case, the server will need to be properly tuned to support high enough
4440 connection counts because connections will last until the client sends another
4441 request.
4442
4443 If the client request has to go to another backend or another server due to
4444 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01004445 immediately be closed and a new one re-opened. Option "prefer-last-server" is
4446 available to try optimize server selection so that if the server currently
4447 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01004448
4449 In general it is preferred to use "option http-server-close" with application
4450 servers, and some static servers might benefit from "option http-keep-alive".
4451
4452 At the moment, logs will not indicate whether requests came from the same
4453 session or not. The accept date reported in the logs corresponds to the end
4454 of the previous request, and the request time corresponds to the time spent
4455 waiting for a new request. The keep-alive request time is still bound to the
4456 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4457 not set.
4458
Cyril Bonté653dcd62014-02-20 00:13:15 +01004459 This option disables and replaces any previous "option httpclose", "option
4460 http-server-close", "option forceclose" or "option http-tunnel". When backend
Willy Tarreau70dffda2014-01-30 03:07:23 +01004461 and frontend options differ, all of these 4 options have precedence over
Cyril Bonté653dcd62014-02-20 00:13:15 +01004462 "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004463
4464 See also : "option forceclose", "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01004465 "option prefer-last-server", "option http-pretend-keepalive",
4466 "option httpclose", and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004467
4468
Willy Tarreau96e31212011-05-30 18:10:30 +02004469option http-no-delay
4470no option http-no-delay
4471 Instruct the system to favor low interactive delays over performance in HTTP
4472 May be used in sections : defaults | frontend | listen | backend
4473 yes | yes | yes | yes
4474 Arguments : none
4475
4476 In HTTP, each payload is unidirectional and has no notion of interactivity.
4477 Any agent is expected to queue data somewhat for a reasonably low delay.
4478 There are some very rare server-to-server applications that abuse the HTTP
4479 protocol and expect the payload phase to be highly interactive, with many
4480 interleaved data chunks in both directions within a single request. This is
4481 absolutely not supported by the HTTP specification and will not work across
4482 most proxies or servers. When such applications attempt to do this through
4483 haproxy, it works but they will experience high delays due to the network
4484 optimizations which favor performance by instructing the system to wait for
4485 enough data to be available in order to only send full packets. Typical
4486 delays are around 200 ms per round trip. Note that this only happens with
4487 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
4488 affected.
4489
4490 When "option http-no-delay" is present in either the frontend or the backend
4491 used by a connection, all such optimizations will be disabled in order to
4492 make the exchanges as fast as possible. Of course this offers no guarantee on
4493 the functionality, as it may break at any other place. But if it works via
4494 HAProxy, it will work as fast as possible. This option should never be used
4495 by default, and should never be used at all unless such a buggy application
4496 is discovered. The impact of using this option is an increase of bandwidth
4497 usage and CPU usage, which may significantly lower performance in high
4498 latency environments.
4499
4500
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004501option http-pretend-keepalive
4502no option http-pretend-keepalive
4503 Define whether haproxy will announce keepalive to the server or not
4504 May be used in sections : defaults | frontend | listen | backend
4505 yes | yes | yes | yes
4506 Arguments : none
4507
4508 When running with "option http-server-close" or "option forceclose", haproxy
4509 adds a "Connection: close" header to the request forwarded to the server.
4510 Unfortunately, when some servers see this header, they automatically refrain
4511 from using the chunked encoding for responses of unknown length, while this
4512 is totally unrelated. The immediate effect is that this prevents haproxy from
4513 maintaining the client connection alive. A second effect is that a client or
4514 a cache could receive an incomplete response without being aware of it, and
4515 consider the response complete.
4516
4517 By setting "option http-pretend-keepalive", haproxy will make the server
4518 believe it will keep the connection alive. The server will then not fall back
4519 to the abnormal undesired above. When haproxy gets the whole response, it
4520 will close the connection with the server just as it would do with the
4521 "forceclose" option. That way the client gets a normal response and the
4522 connection is correctly closed on the server side.
4523
4524 It is recommended not to enable this option by default, because most servers
4525 will more efficiently close the connection themselves after the last packet,
4526 and release its buffers slightly earlier. Also, the added packet on the
4527 network could slightly reduce the overall peak performance. However it is
4528 worth noting that when this option is enabled, haproxy will have slightly
4529 less work to do. So if haproxy is the bottleneck on the whole architecture,
4530 enabling this option might save a few CPU cycles.
4531
4532 This option may be set both in a frontend and in a backend. It is enabled if
4533 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004534 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02004535 keepalive to be announced to the server and close to be announced to the
4536 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004537
4538 If this option has been enabled in a "defaults" section, it can be disabled
4539 in a specific instance by prepending the "no" keyword before it.
4540
Willy Tarreau16bfb022010-01-16 19:48:41 +01004541 See also : "option forceclose", "option http-server-close", and
4542 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004543
Willy Tarreauc27debf2008-01-06 08:57:02 +01004544
Willy Tarreaub608feb2010-01-02 22:47:18 +01004545option http-server-close
4546no option http-server-close
4547 Enable or disable HTTP connection closing on the server side
4548 May be used in sections : defaults | frontend | listen | backend
4549 yes | yes | yes | yes
4550 Arguments : none
4551
Willy Tarreau70dffda2014-01-30 03:07:23 +01004552 By default HAProxy operates in keep-alive mode with regards to persistent
4553 connections: for each connection it processes each request and response, and
4554 leaves the connection idle on both sides between the end of a response and
4555 the start of a new request. This mode may be changed by several options such
4556 as "option http-server-close", "option forceclose", "option httpclose" or
4557 "option http-tunnel". Setting "option http-server-close" enables HTTP
4558 connection-close mode on the server side while keeping the ability to support
4559 HTTP keep-alive and pipelining on the client side. This provides the lowest
4560 latency on the client side (slow network) and the fastest session reuse on
4561 the server side to save server resources, similarly to "option forceclose".
4562 It also permits non-keepalive capable servers to be served in keep-alive mode
4563 to the clients if they conform to the requirements of RFC2616. Please note
4564 that some servers do not always conform to those requirements when they see
4565 "Connection: close" in the request. The effect will be that keep-alive will
4566 never be used. A workaround consists in enabling "option
4567 http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004568
4569 At the moment, logs will not indicate whether requests came from the same
4570 session or not. The accept date reported in the logs corresponds to the end
4571 of the previous request, and the request time corresponds to the time spent
4572 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01004573 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4574 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004575
4576 This option may be set both in a frontend and in a backend. It is enabled if
4577 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004578 It disables and replaces any previous "option httpclose", "option forceclose",
4579 "option http-tunnel" or "option http-keep-alive". Please check section 4
Willy Tarreau70dffda2014-01-30 03:07:23 +01004580 ("Proxies") to see how this option combines with others when frontend and
4581 backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004582
4583 If this option has been enabled in a "defaults" section, it can be disabled
4584 in a specific instance by prepending the "no" keyword before it.
4585
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004586 See also : "option forceclose", "option http-pretend-keepalive",
Willy Tarreau16bfb022010-01-16 19:48:41 +01004587 "option httpclose", "option http-keep-alive", and
4588 "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004589
4590
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004591option http-tunnel
4592no option http-tunnel
4593 Disable or enable HTTP connection processing after first transaction
4594 May be used in sections : defaults | frontend | listen | backend
4595 yes | yes | yes | yes
4596 Arguments : none
4597
Willy Tarreau70dffda2014-01-30 03:07:23 +01004598 By default HAProxy operates in keep-alive mode with regards to persistent
4599 connections: for each connection it processes each request and response, and
4600 leaves the connection idle on both sides between the end of a response and
4601 the start of a new request. This mode may be changed by several options such
4602 as "option http-server-close", "option forceclose", "option httpclose" or
4603 "option http-tunnel".
4604
4605 Option "http-tunnel" disables any HTTP processing past the first request and
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004606 the first response. This is the mode which was used by default in versions
Willy Tarreau70dffda2014-01-30 03:07:23 +01004607 1.0 to 1.5-dev21. It is the mode with the lowest processing overhead, which
4608 is normally not needed anymore unless in very specific cases such as when
4609 using an in-house protocol that looks like HTTP but is not compatible, or
4610 just to log one request per client in order to reduce log size. Note that
4611 everything which works at the HTTP level, including header parsing/addition,
4612 cookie processing or content switching will only work for the first request
4613 and will be ignored after the first response.
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004614
4615 If this option has been enabled in a "defaults" section, it can be disabled
4616 in a specific instance by prepending the "no" keyword before it.
4617
4618 See also : "option forceclose", "option http-server-close",
4619 "option httpclose", "option http-keep-alive", and
4620 "1.1. The HTTP transaction model".
4621
4622
Willy Tarreau88d349d2010-01-25 12:15:43 +01004623option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01004624no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01004625 Make use of non-standard Proxy-Connection header instead of Connection
4626 May be used in sections : defaults | frontend | listen | backend
4627 yes | yes | yes | no
4628 Arguments : none
4629
4630 While RFC2616 explicitly states that HTTP/1.1 agents must use the
4631 Connection header to indicate their wish of persistent or non-persistent
4632 connections, both browsers and proxies ignore this header for proxied
4633 connections and make use of the undocumented, non-standard Proxy-Connection
4634 header instead. The issue begins when trying to put a load balancer between
4635 browsers and such proxies, because there will be a difference between what
4636 haproxy understands and what the client and the proxy agree on.
4637
4638 By setting this option in a frontend, haproxy can automatically switch to use
4639 that non-standard header if it sees proxied requests. A proxied request is
4640 defined here as one where the URI begins with neither a '/' nor a '*'. The
4641 choice of header only affects requests passing through proxies making use of
4642 one of the "httpclose", "forceclose" and "http-server-close" options. Note
4643 that this option can only be specified in a frontend and will affect the
4644 request along its whole life.
4645
Willy Tarreau844a7e72010-01-31 21:46:18 +01004646 Also, when this option is set, a request which requires authentication will
4647 automatically switch to use proxy authentication headers if it is itself a
4648 proxied request. That makes it possible to check or enforce authentication in
4649 front of an existing proxy.
4650
Willy Tarreau88d349d2010-01-25 12:15:43 +01004651 This option should normally never be used, except in front of a proxy.
4652
4653 See also : "option httpclose", "option forceclose" and "option
4654 http-server-close".
4655
4656
Willy Tarreaud63335a2010-02-26 12:56:52 +01004657option httpchk
4658option httpchk <uri>
4659option httpchk <method> <uri>
4660option httpchk <method> <uri> <version>
4661 Enable HTTP protocol to check on the servers health
4662 May be used in sections : defaults | frontend | listen | backend
4663 yes | no | yes | yes
4664 Arguments :
4665 <method> is the optional HTTP method used with the requests. When not set,
4666 the "OPTIONS" method is used, as it generally requires low server
4667 processing and is easy to filter out from the logs. Any method
4668 may be used, though it is not recommended to invent non-standard
4669 ones.
4670
4671 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
4672 which is accessible by default on almost any server, but may be
4673 changed to any other URI. Query strings are permitted.
4674
4675 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
4676 but some servers might behave incorrectly in HTTP 1.0, so turning
4677 it to HTTP/1.1 may sometimes help. Note that the Host field is
4678 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
4679 after "\r\n" following the version string.
4680
4681 By default, server health checks only consist in trying to establish a TCP
4682 connection. When "option httpchk" is specified, a complete HTTP request is
4683 sent once the TCP connection is established, and responses 2xx and 3xx are
4684 considered valid, while all other ones indicate a server failure, including
4685 the lack of any response.
4686
4687 The port and interval are specified in the server configuration.
4688
4689 This option does not necessarily require an HTTP backend, it also works with
4690 plain TCP backends. This is particularly useful to check simple scripts bound
4691 to some dedicated ports using the inetd daemon.
4692
4693 Examples :
4694 # Relay HTTPS traffic to Apache instance and check service availability
4695 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
4696 backend https_relay
4697 mode tcp
4698 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
4699 server apache1 192.168.1.1:443 check port 80
4700
Simon Hormanafc47ee2013-11-25 10:46:35 +09004701 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
4702 "option pgsql-check", "http-check" and the "check", "port" and
4703 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01004704
4705
Willy Tarreauc27debf2008-01-06 08:57:02 +01004706option httpclose
4707no option httpclose
4708 Enable or disable passive HTTP connection closing
4709 May be used in sections : defaults | frontend | listen | backend
4710 yes | yes | yes | yes
4711 Arguments : none
4712
Willy Tarreau70dffda2014-01-30 03:07:23 +01004713 By default HAProxy operates in keep-alive mode with regards to persistent
4714 connections: for each connection it processes each request and response, and
4715 leaves the connection idle on both sides between the end of a response and
4716 the start of a new request. This mode may be changed by several options such
Cyril Bonté653dcd62014-02-20 00:13:15 +01004717 as "option http-server-close", "option forceclose", "option httpclose" or
Willy Tarreau70dffda2014-01-30 03:07:23 +01004718 "option http-tunnel".
4719
4720 If "option httpclose" is set, HAProxy will work in HTTP tunnel mode and check
4721 if a "Connection: close" header is already set in each direction, and will
4722 add one if missing. Each end should react to this by actively closing the TCP
4723 connection after each transfer, thus resulting in a switch to the HTTP close
4724 mode. Any "Connection" header different from "close" will also be removed.
4725 Note that this option is deprecated since what it does is very cheap but not
4726 reliable. Using "option http-server-close" or "option forceclose" is strongly
4727 recommended instead.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004728
4729 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004730 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01004731 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
4732 it is possible to use the "option forceclose" which actively closes the
4733 request connection once the server responds. Option "forceclose" also
4734 releases the server connection earlier because it does not have to wait for
4735 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004736
4737 This option may be set both in a frontend and in a backend. It is enabled if
4738 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004739 It disables and replaces any previous "option http-server-close",
4740 "option forceclose", "option http-keep-alive" or "option http-tunnel". Please
Willy Tarreau70dffda2014-01-30 03:07:23 +01004741 check section 4 ("Proxies") to see how this option combines with others when
4742 frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004743
4744 If this option has been enabled in a "defaults" section, it can be disabled
4745 in a specific instance by prepending the "no" keyword before it.
4746
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004747 See also : "option forceclose", "option http-server-close" and
4748 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01004749
4750
Emeric Brun3a058f32009-06-30 18:26:00 +02004751option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004752 Enable logging of HTTP request, session state and timers
4753 May be used in sections : defaults | frontend | listen | backend
4754 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02004755 Arguments :
4756 clf if the "clf" argument is added, then the output format will be
4757 the CLF format instead of HAProxy's default HTTP format. You can
4758 use this when you need to feed HAProxy's logs through a specific
4759 log analyser which only support the CLF format and which is not
4760 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004761
4762 By default, the log output format is very poor, as it only contains the
4763 source and destination addresses, and the instance name. By specifying
4764 "option httplog", each log line turns into a much richer format including,
4765 but not limited to, the HTTP request, the connection timers, the session
4766 status, the connections numbers, the captured headers and cookies, the
4767 frontend, backend and server name, and of course the source address and
4768 ports.
4769
4770 This option may be set either in the frontend or the backend.
4771
PiBa-NLbd556bf2014-12-11 21:31:54 +01004772 Specifying only "option httplog" will automatically clear the 'clf' mode
4773 if it was set by default.
Emeric Brun3a058f32009-06-30 18:26:00 +02004774
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004775 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004776
Willy Tarreau55165fe2009-05-10 12:02:55 +02004777
4778option http_proxy
4779no option http_proxy
4780 Enable or disable plain HTTP proxy mode
4781 May be used in sections : defaults | frontend | listen | backend
4782 yes | yes | yes | yes
4783 Arguments : none
4784
4785 It sometimes happens that people need a pure HTTP proxy which understands
4786 basic proxy requests without caching nor any fancy feature. In this case,
4787 it may be worth setting up an HAProxy instance with the "option http_proxy"
4788 set. In this mode, no server is declared, and the connection is forwarded to
4789 the IP address and port found in the URL after the "http://" scheme.
4790
4791 No host address resolution is performed, so this only works when pure IP
4792 addresses are passed. Since this option's usage perimeter is rather limited,
4793 it will probably be used only by experts who know they need exactly it. Last,
4794 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01004795 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02004796 be analyzed.
4797
4798 If this option has been enabled in a "defaults" section, it can be disabled
4799 in a specific instance by prepending the "no" keyword before it.
4800
4801 Example :
4802 # this backend understands HTTP proxy requests and forwards them directly.
4803 backend direct_forward
4804 option httpclose
4805 option http_proxy
4806
4807 See also : "option httpclose"
4808
Willy Tarreau211ad242009-10-03 21:45:07 +02004809
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004810option independent-streams
4811no option independent-streams
4812 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004813 May be used in sections : defaults | frontend | listen | backend
4814 yes | yes | yes | yes
4815 Arguments : none
4816
4817 By default, when data is sent over a socket, both the write timeout and the
4818 read timeout for that socket are refreshed, because we consider that there is
4819 activity on that socket, and we have no other means of guessing if we should
4820 receive data or not.
4821
4822 While this default behaviour is desirable for almost all applications, there
4823 exists a situation where it is desirable to disable it, and only refresh the
4824 read timeout if there are incoming data. This happens on sessions with large
4825 timeouts and low amounts of exchanged data such as telnet session. If the
4826 server suddenly disappears, the output data accumulates in the system's
4827 socket buffers, both timeouts are correctly refreshed, and there is no way
4828 to know the server does not receive them, so we don't timeout. However, when
4829 the underlying protocol always echoes sent data, it would be enough by itself
4830 to detect the issue using the read timeout. Note that this problem does not
4831 happen with more verbose protocols because data won't accumulate long in the
4832 socket buffers.
4833
4834 When this option is set on the frontend, it will disable read timeout updates
4835 on data sent to the client. There probably is little use of this case. When
4836 the option is set on the backend, it will disable read timeout updates on
4837 data sent to the server. Doing so will typically break large HTTP posts from
4838 slow lines, so use it with caution.
4839
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004840 Note: older versions used to call this setting "option independent-streams"
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004841 with a spelling mistake. This spelling is still supported but
4842 deprecated.
4843
Willy Tarreauce887fd2012-05-12 12:50:00 +02004844 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004845
4846
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02004847option ldap-check
4848 Use LDAPv3 health checks for server testing
4849 May be used in sections : defaults | frontend | listen | backend
4850 yes | no | yes | yes
4851 Arguments : none
4852
4853 It is possible to test that the server correctly talks LDAPv3 instead of just
4854 testing that it accepts the TCP connection. When this option is set, an
4855 LDAPv3 anonymous simple bind message is sent to the server, and the response
4856 is analyzed to find an LDAPv3 bind response message.
4857
4858 The server is considered valid only when the LDAP response contains success
4859 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
4860
4861 Logging of bind requests is server dependent see your documentation how to
4862 configure it.
4863
4864 Example :
4865 option ldap-check
4866
4867 See also : "option httpchk"
4868
4869
Simon Horman98637e52014-06-20 12:30:16 +09004870option external-check
4871 Use external processes for server health checks
4872 May be used in sections : defaults | frontend | listen | backend
4873 yes | no | yes | yes
4874
4875 It is possible to test the health of a server using an external command.
4876 This is achieved by running the executable set using "external-check
4877 command".
4878
4879 Requires the "external-check" global to be set.
4880
4881 See also : "external-check", "external-check command", "external-check path"
4882
4883
Willy Tarreau211ad242009-10-03 21:45:07 +02004884option log-health-checks
4885no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02004886 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02004887 May be used in sections : defaults | frontend | listen | backend
4888 yes | no | yes | yes
4889 Arguments : none
4890
Willy Tarreaubef1b322014-05-13 21:01:39 +02004891 By default, failed health check are logged if server is UP and successful
4892 health checks are logged if server is DOWN, so the amount of additional
4893 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02004894
Willy Tarreaubef1b322014-05-13 21:01:39 +02004895 When this option is enabled, any change of the health check status or to
4896 the server's health will be logged, so that it becomes possible to know
4897 that a server was failing occasional checks before crashing, or exactly when
4898 it failed to respond a valid HTTP status, then when the port started to
4899 reject connections, then when the server stopped responding at all.
4900
4901 Note that status changes not caused by health checks (eg: enable/disable on
4902 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02004903
Willy Tarreaubef1b322014-05-13 21:01:39 +02004904 See also: "option httpchk", "option ldap-check", "option mysql-check",
4905 "option pgsql-check", "option redis-check", "option smtpchk",
4906 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02004907
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004908
4909option log-separate-errors
4910no option log-separate-errors
4911 Change log level for non-completely successful connections
4912 May be used in sections : defaults | frontend | listen | backend
4913 yes | yes | yes | no
4914 Arguments : none
4915
4916 Sometimes looking for errors in logs is not easy. This option makes haproxy
4917 raise the level of logs containing potentially interesting information such
4918 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
4919 level changes from "info" to "err". This makes it possible to log them
4920 separately to a different file with most syslog daemons. Be careful not to
4921 remove them from the original file, otherwise you would lose ordering which
4922 provides very important information.
4923
4924 Using this option, large sites dealing with several thousand connections per
4925 second may log normal traffic to a rotating buffer and only archive smaller
4926 error logs.
4927
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004928 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004929 logging.
4930
Willy Tarreauc27debf2008-01-06 08:57:02 +01004931
4932option logasap
4933no option logasap
4934 Enable or disable early logging of HTTP requests
4935 May be used in sections : defaults | frontend | listen | backend
4936 yes | yes | yes | no
4937 Arguments : none
4938
4939 By default, HTTP requests are logged upon termination so that the total
4940 transfer time and the number of bytes appear in the logs. When large objects
4941 are being transferred, it may take a while before the request appears in the
4942 logs. Using "option logasap", the request gets logged as soon as the server
4943 sends the complete headers. The only missing information in the logs will be
4944 the total number of bytes which will indicate everything except the amount
4945 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004946 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01004947 "Content-Length" response header so that the logs at least indicate how many
4948 bytes are expected to be transferred.
4949
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004950 Examples :
4951 listen http_proxy 0.0.0.0:80
4952 mode http
4953 option httplog
4954 option logasap
4955 log 192.168.2.200 local3
4956
4957 >>> Feb 6 12:14:14 localhost \
4958 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
4959 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
4960 "GET /image.iso HTTP/1.0"
4961
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004962 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01004963 logging.
4964
4965
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004966option mysql-check [ user <username> [ post-41 ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004967 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004968 May be used in sections : defaults | frontend | listen | backend
4969 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004970 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004971 <username> This is the username which will be used when connecting to MySQL
4972 server.
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004973 post-41 Send post v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004974
4975 If you specify a username, the check consists of sending two MySQL packet,
4976 one Client Authentication packet, and one QUIT packet, to correctly close
4977 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
4978 Error packet. It is a basic but useful test which does not produce error nor
4979 aborted connect on the server. However, it requires adding an authorization
4980 in the MySQL table, like this :
4981
4982 USE mysql;
4983 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
4984 FLUSH PRIVILEGES;
4985
4986 If you don't specify a username (it is deprecated and not recommended), the
4987 check only consists in parsing the Mysql Handshake Initialisation packet or
4988 Error packet, we don't send anything in this mode. It was reported that it
4989 can generate lockout if check is too frequent and/or if there is not enough
4990 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
4991 value as if a connection is established successfully within fewer than MySQL
4992 "max_connect_errors" attempts after a previous connection was interrupted,
4993 the error count for the host is cleared to zero. If HAProxy's server get
4994 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
4995
4996 Remember that this does not check database presence nor database consistency.
4997 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004998
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02004999 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005000
5001 Most often, an incoming MySQL server needs to see the client's IP address for
5002 various purposes, including IP privilege matching and connection logging.
5003 When possible, it is often wise to masquerade the client's IP address when
5004 connecting to the server using the "usesrc" argument of the "source" keyword,
5005 which requires the cttproxy feature to be compiled in, and the MySQL server
5006 to route the client via the machine hosting haproxy.
5007
5008 See also: "option httpchk"
5009
5010
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005011option nolinger
5012no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005013 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005014 May be used in sections: defaults | frontend | listen | backend
5015 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005016 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005017
5018 When clients or servers abort connections in a dirty way (eg: they are
5019 physically disconnected), the session timeouts triggers and the session is
5020 closed. But it will remain in FIN_WAIT1 state for some time in the system,
5021 using some resources and possibly limiting the ability to establish newer
5022 connections.
5023
5024 When this happens, it is possible to activate "option nolinger" which forces
5025 the system to immediately remove any socket's pending data on close. Thus,
5026 the session is instantly purged from the system's tables. This usually has
5027 side effects such as increased number of TCP resets due to old retransmits
5028 getting immediately rejected. Some firewalls may sometimes complain about
5029 this too.
5030
5031 For this reason, it is not recommended to use this option when not absolutely
5032 needed. You know that you need it when you have thousands of FIN_WAIT1
5033 sessions on your system (TIME_WAIT ones do not count).
5034
5035 This option may be used both on frontends and backends, depending on the side
5036 where it is required. Use it on the frontend for clients, and on the backend
5037 for servers.
5038
5039 If this option has been enabled in a "defaults" section, it can be disabled
5040 in a specific instance by prepending the "no" keyword before it.
5041
5042
Willy Tarreau55165fe2009-05-10 12:02:55 +02005043option originalto [ except <network> ] [ header <name> ]
5044 Enable insertion of the X-Original-To header to requests sent to servers
5045 May be used in sections : defaults | frontend | listen | backend
5046 yes | yes | yes | yes
5047 Arguments :
5048 <network> is an optional argument used to disable this option for sources
5049 matching <network>
5050 <name> an optional argument to specify a different "X-Original-To"
5051 header name.
5052
5053 Since HAProxy can work in transparent mode, every request from a client can
5054 be redirected to the proxy and HAProxy itself can proxy every request to a
5055 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
5056 be lost. This is annoying when you want access rules based on destination ip
5057 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
5058 added by HAProxy to all requests sent to the server. This header contains a
5059 value representing the original destination IP address. Since this must be
5060 configured to always use the last occurrence of this header only. Note that
5061 only the last occurrence of the header must be used, since it is really
5062 possible that the client has already brought one.
5063
5064 The keyword "header" may be used to supply a different header name to replace
5065 the default "X-Original-To". This can be useful where you might already
5066 have a "X-Original-To" header from a different application, and you need
5067 preserve it. Also if your backend server doesn't use the "X-Original-To"
5068 header and requires different one.
5069
5070 Sometimes, a same HAProxy instance may be shared between a direct client
5071 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
5072 used to decrypt HTTPS traffic). It is possible to disable the addition of the
5073 header for a known source address or network by adding the "except" keyword
5074 followed by the network address. In this case, any source IP matching the
5075 network will not cause an addition of this header. Most common uses are with
5076 private networks or 127.0.0.1.
5077
5078 This option may be specified either in the frontend or in the backend. If at
5079 least one of them uses it, the header will be added. Note that the backend's
5080 setting of the header subargument takes precedence over the frontend's if
5081 both are defined.
5082
Willy Tarreau55165fe2009-05-10 12:02:55 +02005083 Examples :
5084 # Original Destination address
5085 frontend www
5086 mode http
5087 option originalto except 127.0.0.1
5088
5089 # Those servers want the IP Address in X-Client-Dst
5090 backend www
5091 mode http
5092 option originalto header X-Client-Dst
5093
Willy Tarreau87cf5142011-08-19 22:57:24 +02005094 See also : "option httpclose", "option http-server-close",
5095 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02005096
5097
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005098option persist
5099no option persist
5100 Enable or disable forced persistence on down servers
5101 May be used in sections: defaults | frontend | listen | backend
5102 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005103 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005104
5105 When an HTTP request reaches a backend with a cookie which references a dead
5106 server, by default it is redispatched to another server. It is possible to
5107 force the request to be sent to the dead server first using "option persist"
5108 if absolutely needed. A common use case is when servers are under extreme
5109 load and spend their time flapping. In this case, the users would still be
5110 directed to the server they opened the session on, in the hope they would be
5111 correctly served. It is recommended to use "option redispatch" in conjunction
5112 with this option so that in the event it would not be possible to connect to
5113 the server at all (server definitely dead), the client would finally be
5114 redirected to another valid server.
5115
5116 If this option has been enabled in a "defaults" section, it can be disabled
5117 in a specific instance by prepending the "no" keyword before it.
5118
Willy Tarreau4de91492010-01-22 19:10:05 +01005119 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005120
5121
Willy Tarreau0c122822013-12-15 18:49:01 +01005122option pgsql-check [ user <username> ]
5123 Use PostgreSQL health checks for server testing
5124 May be used in sections : defaults | frontend | listen | backend
5125 yes | no | yes | yes
5126 Arguments :
5127 <username> This is the username which will be used when connecting to
5128 PostgreSQL server.
5129
5130 The check sends a PostgreSQL StartupMessage and waits for either
5131 Authentication request or ErrorResponse message. It is a basic but useful
5132 test which does not produce error nor aborted connect on the server.
5133 This check is identical with the "mysql-check".
5134
5135 See also: "option httpchk"
5136
5137
Willy Tarreau9420b122013-12-15 18:58:25 +01005138option prefer-last-server
5139no option prefer-last-server
5140 Allow multiple load balanced requests to remain on the same server
5141 May be used in sections: defaults | frontend | listen | backend
5142 yes | no | yes | yes
5143 Arguments : none
5144
5145 When the load balancing algorithm in use is not deterministic, and a previous
5146 request was sent to a server to which haproxy still holds a connection, it is
5147 sometimes desirable that subsequent requests on a same session go to the same
5148 server as much as possible. Note that this is different from persistence, as
5149 we only indicate a preference which haproxy tries to apply without any form
5150 of warranty. The real use is for keep-alive connections sent to servers. When
5151 this option is used, haproxy will try to reuse the same connection that is
5152 attached to the server instead of rebalancing to another server, causing a
5153 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01005154 not make much sense to use this in combination with hashing algorithms. Note,
5155 haproxy already automatically tries to stick to a server which sends a 401 or
5156 to a proxy which sends a 407 (authentication required). This is mandatory for
5157 use with the broken NTLM authentication challenge, and significantly helps in
5158 troubleshooting some faulty applications. Option prefer-last-server might be
5159 desirable in these environments as well, to avoid redistributing the traffic
5160 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01005161
5162 If this option has been enabled in a "defaults" section, it can be disabled
5163 in a specific instance by prepending the "no" keyword before it.
5164
5165 See also: "option http-keep-alive"
5166
5167
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005168option redispatch
5169no option redispatch
5170 Enable or disable session redistribution in case of connection failure
5171 May be used in sections: defaults | frontend | listen | backend
5172 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005173 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005174
5175 In HTTP mode, if a server designated by a cookie is down, clients may
5176 definitely stick to it because they cannot flush the cookie, so they will not
5177 be able to access the service anymore.
5178
5179 Specifying "option redispatch" will allow the proxy to break their
5180 persistence and redistribute them to a working server.
5181
5182 It also allows to retry last connection to another server in case of multiple
5183 connection failures. Of course, it requires having "retries" set to a nonzero
5184 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005185
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005186 This form is the preferred form, which replaces both the "redispatch" and
5187 "redisp" keywords.
5188
5189 If this option has been enabled in a "defaults" section, it can be disabled
5190 in a specific instance by prepending the "no" keyword before it.
5191
Willy Tarreau4de91492010-01-22 19:10:05 +01005192 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005193
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005194
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02005195option redis-check
5196 Use redis health checks for server testing
5197 May be used in sections : defaults | frontend | listen | backend
5198 yes | no | yes | yes
5199 Arguments : none
5200
5201 It is possible to test that the server correctly talks REDIS protocol instead
5202 of just testing that it accepts the TCP connection. When this option is set,
5203 a PING redis command is sent to the server, and the response is analyzed to
5204 find the "+PONG" response message.
5205
5206 Example :
5207 option redis-check
5208
5209 See also : "option httpchk"
5210
5211
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005212option smtpchk
5213option smtpchk <hello> <domain>
5214 Use SMTP health checks for server testing
5215 May be used in sections : defaults | frontend | listen | backend
5216 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01005217 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005218 <hello> is an optional argument. It is the "hello" command to use. It can
5219 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
5220 values will be turned into the default command ("HELO").
5221
5222 <domain> is the domain name to present to the server. It may only be
5223 specified (and is mandatory) if the hello command has been
5224 specified. By default, "localhost" is used.
5225
5226 When "option smtpchk" is set, the health checks will consist in TCP
5227 connections followed by an SMTP command. By default, this command is
5228 "HELO localhost". The server's return code is analyzed and only return codes
5229 starting with a "2" will be considered as valid. All other responses,
5230 including a lack of response will constitute an error and will indicate a
5231 dead server.
5232
5233 This test is meant to be used with SMTP servers or relays. Depending on the
5234 request, it is possible that some servers do not log each connection attempt,
5235 so you may want to experiment to improve the behaviour. Using telnet on port
5236 25 is often easier than adjusting the configuration.
5237
5238 Most often, an incoming SMTP server needs to see the client's IP address for
5239 various purposes, including spam filtering, anti-spoofing and logging. When
5240 possible, it is often wise to masquerade the client's IP address when
5241 connecting to the server using the "usesrc" argument of the "source" keyword,
5242 which requires the cttproxy feature to be compiled in.
5243
5244 Example :
5245 option smtpchk HELO mydomain.org
5246
5247 See also : "option httpchk", "source"
5248
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005249
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02005250option socket-stats
5251no option socket-stats
5252
5253 Enable or disable collecting & providing separate statistics for each socket.
5254 May be used in sections : defaults | frontend | listen | backend
5255 yes | yes | yes | no
5256
5257 Arguments : none
5258
5259
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005260option splice-auto
5261no option splice-auto
5262 Enable or disable automatic kernel acceleration on sockets in both directions
5263 May be used in sections : defaults | frontend | listen | backend
5264 yes | yes | yes | yes
5265 Arguments : none
5266
5267 When this option is enabled either on a frontend or on a backend, haproxy
5268 will automatically evaluate the opportunity to use kernel tcp splicing to
5269 forward data between the client and the server, in either direction. Haproxy
5270 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005271 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005272 are not much aggressive in order to limit excessive use of splicing. This
5273 option requires splicing to be enabled at compile time, and may be globally
5274 disabled with the global option "nosplice". Since splice uses pipes, using it
5275 requires that there are enough spare pipes.
5276
5277 Important note: kernel-based TCP splicing is a Linux-specific feature which
5278 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
5279 transfer data between sockets without copying these data to user-space, thus
5280 providing noticeable performance gains and CPU cycles savings. Since many
5281 early implementations are buggy, corrupt data and/or are inefficient, this
5282 feature is not enabled by default, and it should be used with extreme care.
5283 While it is not possible to detect the correctness of an implementation,
5284 2.6.29 is the first version offering a properly working implementation. In
5285 case of doubt, splicing may be globally disabled using the global "nosplice"
5286 keyword.
5287
5288 Example :
5289 option splice-auto
5290
5291 If this option has been enabled in a "defaults" section, it can be disabled
5292 in a specific instance by prepending the "no" keyword before it.
5293
5294 See also : "option splice-request", "option splice-response", and global
5295 options "nosplice" and "maxpipes"
5296
5297
5298option splice-request
5299no option splice-request
5300 Enable or disable automatic kernel acceleration on sockets for requests
5301 May be used in sections : defaults | frontend | listen | backend
5302 yes | yes | yes | yes
5303 Arguments : none
5304
5305 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005306 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005307 the client to the server. It might still use the recv/send scheme if there
5308 are no spare pipes left. This option requires splicing to be enabled at
5309 compile time, and may be globally disabled with the global option "nosplice".
5310 Since splice uses pipes, using it requires that there are enough spare pipes.
5311
5312 Important note: see "option splice-auto" for usage limitations.
5313
5314 Example :
5315 option splice-request
5316
5317 If this option has been enabled in a "defaults" section, it can be disabled
5318 in a specific instance by prepending the "no" keyword before it.
5319
5320 See also : "option splice-auto", "option splice-response", and global options
5321 "nosplice" and "maxpipes"
5322
5323
5324option splice-response
5325no option splice-response
5326 Enable or disable automatic kernel acceleration on sockets for responses
5327 May be used in sections : defaults | frontend | listen | backend
5328 yes | yes | yes | yes
5329 Arguments : none
5330
5331 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005332 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01005333 the server to the client. It might still use the recv/send scheme if there
5334 are no spare pipes left. This option requires splicing to be enabled at
5335 compile time, and may be globally disabled with the global option "nosplice".
5336 Since splice uses pipes, using it requires that there are enough spare pipes.
5337
5338 Important note: see "option splice-auto" for usage limitations.
5339
5340 Example :
5341 option splice-response
5342
5343 If this option has been enabled in a "defaults" section, it can be disabled
5344 in a specific instance by prepending the "no" keyword before it.
5345
5346 See also : "option splice-auto", "option splice-request", and global options
5347 "nosplice" and "maxpipes"
5348
5349
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005350option srvtcpka
5351no option srvtcpka
5352 Enable or disable the sending of TCP keepalive packets on the server side
5353 May be used in sections : defaults | frontend | listen | backend
5354 yes | no | yes | yes
5355 Arguments : none
5356
5357 When there is a firewall or any session-aware component between a client and
5358 a server, and when the protocol involves very long sessions with long idle
5359 periods (eg: remote desktops), there is a risk that one of the intermediate
5360 components decides to expire a session which has remained idle for too long.
5361
5362 Enabling socket-level TCP keep-alives makes the system regularly send packets
5363 to the other end of the connection, leaving it active. The delay between
5364 keep-alive probes is controlled by the system only and depends both on the
5365 operating system and its tuning parameters.
5366
5367 It is important to understand that keep-alive packets are neither emitted nor
5368 received at the application level. It is only the network stacks which sees
5369 them. For this reason, even if one side of the proxy already uses keep-alives
5370 to maintain its connection alive, those keep-alive packets will not be
5371 forwarded to the other side of the proxy.
5372
5373 Please note that this has nothing to do with HTTP keep-alive.
5374
5375 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
5376 server side of a connection, which should help when session expirations are
5377 noticed between HAProxy and a server.
5378
5379 If this option has been enabled in a "defaults" section, it can be disabled
5380 in a specific instance by prepending the "no" keyword before it.
5381
5382 See also : "option clitcpka", "option tcpka"
5383
5384
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005385option ssl-hello-chk
5386 Use SSLv3 client hello health checks for server testing
5387 May be used in sections : defaults | frontend | listen | backend
5388 yes | no | yes | yes
5389 Arguments : none
5390
5391 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
5392 possible to test that the server correctly talks SSL instead of just testing
5393 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
5394 SSLv3 client hello messages are sent once the connection is established to
5395 the server, and the response is analyzed to find an SSL server hello message.
5396 The server is considered valid only when the response contains this server
5397 hello message.
5398
5399 All servers tested till there correctly reply to SSLv3 client hello messages,
5400 and most servers tested do not even log the requests containing only hello
5401 messages, which is appreciable.
5402
Willy Tarreau763a95b2012-10-04 23:15:39 +02005403 Note that this check works even when SSL support was not built into haproxy
5404 because it forges the SSL message. When SSL support is available, it is best
5405 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005406
Willy Tarreau763a95b2012-10-04 23:15:39 +02005407 See also: "option httpchk", "check-ssl"
5408
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005409
Willy Tarreaued179852013-12-16 01:07:00 +01005410option tcp-check
5411 Perform health checks using tcp-check send/expect sequences
5412 May be used in sections: defaults | frontend | listen | backend
5413 yes | no | yes | yes
5414
5415 This health check method is intended to be combined with "tcp-check" command
5416 lists in order to support send/expect types of health check sequences.
5417
5418 TCP checks currently support 4 modes of operations :
5419 - no "tcp-check" directive : the health check only consists in a connection
5420 attempt, which remains the default mode.
5421
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005422 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005423 used to send a string along with a connection opening. With some
5424 protocols, it helps sending a "QUIT" message for example that prevents
5425 the server from logging a connection error for each health check. The
5426 check result will still be based on the ability to open the connection
5427 only.
5428
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005429 - "tcp-check expect" only is mentioned : this is used to test a banner.
Willy Tarreaued179852013-12-16 01:07:00 +01005430 The connection is opened and haproxy waits for the server to present some
5431 contents which must validate some rules. The check result will be based
5432 on the matching between the contents and the rules. This is suited for
5433 POP, IMAP, SMTP, FTP, SSH, TELNET.
5434
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005435 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005436 used to test a hello-type protocol. Haproxy sends a message, the server
5437 responds and its response is analysed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005438 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01005439 suited for protocols which require a binding or a request/response model.
5440 LDAP, MySQL, Redis and SSL are example of such protocols, though they
5441 already all have their dedicated checks with a deeper understanding of
5442 the respective protocols.
5443 In this mode, many questions may be sent and many answers may be
5444 analysed.
5445
5446 Examples :
5447 # perform a POP check (analyse only server's banner)
5448 option tcp-check
5449 tcp-check expect string +OK\ POP3\ ready
5450
5451 # perform an IMAP check (analyse only server's banner)
5452 option tcp-check
5453 tcp-check expect string *\ OK\ IMAP4\ ready
5454
5455 # look for the redis master server after ensuring it speaks well
5456 # redis protocol, then it exits properly.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005457 # (send a command then analyse the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01005458 option tcp-check
5459 tcp-check send PING\r\n
5460 tcp-check expect +PONG
5461 tcp-check send info\ replication\r\n
5462 tcp-check expect string role:master
5463 tcp-check send QUIT\r\n
5464 tcp-check expect string +OK
5465
5466 forge a HTTP request, then analyse the response
5467 (send many headers before analyzing)
5468 option tcp-check
5469 tcp-check send HEAD\ /\ HTTP/1.1\r\n
5470 tcp-check send Host:\ www.mydomain.com\r\n
5471 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
5472 tcp-check send \r\n
5473 tcp-check expect rstring HTTP/1\..\ (2..|3..)
5474
5475
5476 See also : "tcp-check expect", "tcp-check send"
5477
5478
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005479option tcp-smart-accept
5480no option tcp-smart-accept
5481 Enable or disable the saving of one ACK packet during the accept sequence
5482 May be used in sections : defaults | frontend | listen | backend
5483 yes | yes | yes | no
5484 Arguments : none
5485
5486 When an HTTP connection request comes in, the system acknowledges it on
5487 behalf of HAProxy, then the client immediately sends its request, and the
5488 system acknowledges it too while it is notifying HAProxy about the new
5489 connection. HAProxy then reads the request and responds. This means that we
5490 have one TCP ACK sent by the system for nothing, because the request could
5491 very well be acknowledged by HAProxy when it sends its response.
5492
5493 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
5494 sending this useless ACK on platforms which support it (currently at least
5495 Linux). It must not cause any problem, because the system will send it anyway
5496 after 40 ms if the response takes more time than expected to come.
5497
5498 During complex network debugging sessions, it may be desirable to disable
5499 this optimization because delayed ACKs can make troubleshooting more complex
5500 when trying to identify where packets are delayed. It is then possible to
5501 fall back to normal behaviour by specifying "no option tcp-smart-accept".
5502
5503 It is also possible to force it for non-HTTP proxies by simply specifying
5504 "option tcp-smart-accept". For instance, it can make sense with some services
5505 such as SMTP where the server speaks first.
5506
5507 It is recommended to avoid forcing this option in a defaults section. In case
5508 of doubt, consider setting it back to automatic values by prepending the
5509 "default" keyword before it, or disabling it using the "no" keyword.
5510
Willy Tarreaud88edf22009-06-14 15:48:17 +02005511 See also : "option tcp-smart-connect"
5512
5513
5514option tcp-smart-connect
5515no option tcp-smart-connect
5516 Enable or disable the saving of one ACK packet during the connect sequence
5517 May be used in sections : defaults | frontend | listen | backend
5518 yes | no | yes | yes
5519 Arguments : none
5520
5521 On certain systems (at least Linux), HAProxy can ask the kernel not to
5522 immediately send an empty ACK upon a connection request, but to directly
5523 send the buffer request instead. This saves one packet on the network and
5524 thus boosts performance. It can also be useful for some servers, because they
5525 immediately get the request along with the incoming connection.
5526
5527 This feature is enabled when "option tcp-smart-connect" is set in a backend.
5528 It is not enabled by default because it makes network troubleshooting more
5529 complex.
5530
5531 It only makes sense to enable it with protocols where the client speaks first
5532 such as HTTP. In other situations, if there is no data to send in place of
5533 the ACK, a normal ACK is sent.
5534
5535 If this option has been enabled in a "defaults" section, it can be disabled
5536 in a specific instance by prepending the "no" keyword before it.
5537
5538 See also : "option tcp-smart-accept"
5539
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005540
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005541option tcpka
5542 Enable or disable the sending of TCP keepalive packets on both sides
5543 May be used in sections : defaults | frontend | listen | backend
5544 yes | yes | yes | yes
5545 Arguments : none
5546
5547 When there is a firewall or any session-aware component between a client and
5548 a server, and when the protocol involves very long sessions with long idle
5549 periods (eg: remote desktops), there is a risk that one of the intermediate
5550 components decides to expire a session which has remained idle for too long.
5551
5552 Enabling socket-level TCP keep-alives makes the system regularly send packets
5553 to the other end of the connection, leaving it active. The delay between
5554 keep-alive probes is controlled by the system only and depends both on the
5555 operating system and its tuning parameters.
5556
5557 It is important to understand that keep-alive packets are neither emitted nor
5558 received at the application level. It is only the network stacks which sees
5559 them. For this reason, even if one side of the proxy already uses keep-alives
5560 to maintain its connection alive, those keep-alive packets will not be
5561 forwarded to the other side of the proxy.
5562
5563 Please note that this has nothing to do with HTTP keep-alive.
5564
5565 Using option "tcpka" enables the emission of TCP keep-alive probes on both
5566 the client and server sides of a connection. Note that this is meaningful
5567 only in "defaults" or "listen" sections. If this option is used in a
5568 frontend, only the client side will get keep-alives, and if this option is
5569 used in a backend, only the server side will get keep-alives. For this
5570 reason, it is strongly recommended to explicitly use "option clitcpka" and
5571 "option srvtcpka" when the configuration is split between frontends and
5572 backends.
5573
5574 See also : "option clitcpka", "option srvtcpka"
5575
Willy Tarreau844e3c52008-01-11 16:28:18 +01005576
5577option tcplog
5578 Enable advanced logging of TCP connections with session state and timers
5579 May be used in sections : defaults | frontend | listen | backend
5580 yes | yes | yes | yes
5581 Arguments : none
5582
5583 By default, the log output format is very poor, as it only contains the
5584 source and destination addresses, and the instance name. By specifying
5585 "option tcplog", each log line turns into a much richer format including, but
5586 not limited to, the connection timers, the session status, the connections
5587 numbers, the frontend, backend and server name, and of course the source
5588 address and ports. This option is useful for pure TCP proxies in order to
5589 find which of the client or server disconnects or times out. For normal HTTP
5590 proxies, it's better to use "option httplog" which is even more complete.
5591
5592 This option may be set either in the frontend or the backend.
5593
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005594 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005595
5596
Willy Tarreau844e3c52008-01-11 16:28:18 +01005597option transparent
5598no option transparent
5599 Enable client-side transparent proxying
5600 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005601 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005602 Arguments : none
5603
5604 This option was introduced in order to provide layer 7 persistence to layer 3
5605 load balancers. The idea is to use the OS's ability to redirect an incoming
5606 connection for a remote address to a local process (here HAProxy), and let
5607 this process know what address was initially requested. When this option is
5608 used, sessions without cookies will be forwarded to the original destination
5609 IP address of the incoming request (which should match that of another
5610 equipment), while requests with cookies will still be forwarded to the
5611 appropriate server.
5612
5613 Note that contrary to a common belief, this option does NOT make HAProxy
5614 present the client's IP to the server when establishing the connection.
5615
Willy Tarreaua1146052011-03-01 09:51:54 +01005616 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005617 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005618
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005619
Simon Horman98637e52014-06-20 12:30:16 +09005620external-check command <command>
5621 Executable to run when performing an external-check
5622 May be used in sections : defaults | frontend | listen | backend
5623 yes | no | yes | yes
5624
5625 Arguments :
5626 <command> is the external command to run
5627
Simon Horman98637e52014-06-20 12:30:16 +09005628 The arguments passed to the to the command are:
5629
Cyril Bonté777be862014-12-02 21:21:35 +01005630 <proxy_address> <proxy_port> <server_address> <server_port>
Simon Horman98637e52014-06-20 12:30:16 +09005631
Cyril Bonté777be862014-12-02 21:21:35 +01005632 The <proxy_address> and <proxy_port> are derived from the first listener
5633 that is either IPv4, IPv6 or a UNIX socket. In the case of a UNIX socket
5634 listener the proxy_address will be the path of the socket and the
5635 <proxy_port> will be the string "NOT_USED". In a backend section, it's not
5636 possible to determine a listener, and both <proxy_address> and <proxy_port>
5637 will have the string value "NOT_USED".
Simon Horman98637e52014-06-20 12:30:16 +09005638
Cyril Bonté72cda2a2014-12-27 22:28:39 +01005639 Some values are also provided through environment variables.
5640
5641 Environment variables :
5642 HAPROXY_PROXY_ADDR The first bind address if available (or empty if not
5643 applicable, for example in a "backend" section).
5644
5645 HAPROXY_PROXY_ID The backend id.
5646
5647 HAPROXY_PROXY_NAME The backend name.
5648
5649 HAPROXY_PROXY_PORT The first bind port if available (or empty if not
5650 applicable, for example in a "backend" section or
5651 for a UNIX socket).
5652
5653 HAPROXY_SERVER_ADDR The server address.
5654
5655 HAPROXY_SERVER_CURCONN The current number of connections on the server.
5656
5657 HAPROXY_SERVER_ID The server id.
5658
5659 HAPROXY_SERVER_MAXCONN The server max connections.
5660
5661 HAPROXY_SERVER_NAME The server name.
5662
5663 HAPROXY_SERVER_PORT The server port if available (or empty for a UNIX
5664 socket).
5665
5666 PATH The PATH environment variable used when executing
5667 the command may be set using "external-check path".
5668
Simon Horman98637e52014-06-20 12:30:16 +09005669 If the command executed and exits with a zero status then the check is
5670 considered to have passed, otherwise the check is considered to have
5671 failed.
5672
5673 Example :
5674 external-check command /bin/true
5675
5676 See also : "external-check", "option external-check", "external-check path"
5677
5678
5679external-check path <path>
5680 The value of the PATH environment variable used when running an external-check
5681 May be used in sections : defaults | frontend | listen | backend
5682 yes | no | yes | yes
5683
5684 Arguments :
5685 <path> is the path used when executing external command to run
5686
5687 The default path is "".
5688
5689 Example :
5690 external-check path "/usr/bin:/bin"
5691
5692 See also : "external-check", "option external-check",
5693 "external-check command"
5694
5695
Emeric Brun647caf12009-06-30 17:57:00 +02005696persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02005697persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02005698 Enable RDP cookie-based persistence
5699 May be used in sections : defaults | frontend | listen | backend
5700 yes | no | yes | yes
5701 Arguments :
5702 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02005703 default cookie name "msts" will be used. There currently is no
5704 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02005705
5706 This statement enables persistence based on an RDP cookie. The RDP cookie
5707 contains all information required to find the server in the list of known
5708 servers. So when this option is set in the backend, the request is analysed
5709 and if an RDP cookie is found, it is decoded. If it matches a known server
5710 which is still UP (or if "option persist" is set), then the connection is
5711 forwarded to this server.
5712
5713 Note that this only makes sense in a TCP backend, but for this to work, the
5714 frontend must have waited long enough to ensure that an RDP cookie is present
5715 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005716 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02005717 a single "listen" section.
5718
Willy Tarreau61e28f22010-05-16 22:31:05 +02005719 Also, it is important to understand that the terminal server will emit this
5720 RDP cookie only if it is configured for "token redirection mode", which means
5721 that the "IP address redirection" option is disabled.
5722
Emeric Brun647caf12009-06-30 17:57:00 +02005723 Example :
5724 listen tse-farm
5725 bind :3389
5726 # wait up to 5s for an RDP cookie in the request
5727 tcp-request inspect-delay 5s
5728 tcp-request content accept if RDP_COOKIE
5729 # apply RDP cookie persistence
5730 persist rdp-cookie
5731 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02005732 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02005733 balance rdp-cookie
5734 server srv1 1.1.1.1:3389
5735 server srv2 1.1.1.2:3389
5736
Simon Hormanab814e02011-06-24 14:50:20 +09005737 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
5738 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02005739
5740
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005741rate-limit sessions <rate>
5742 Set a limit on the number of new sessions accepted per second on a frontend
5743 May be used in sections : defaults | frontend | listen | backend
5744 yes | yes | yes | no
5745 Arguments :
5746 <rate> The <rate> parameter is an integer designating the maximum number
5747 of new sessions per second to accept on the frontend.
5748
5749 When the frontend reaches the specified number of new sessions per second, it
5750 stops accepting new connections until the rate drops below the limit again.
5751 During this time, the pending sessions will be kept in the socket's backlog
5752 (in system buffers) and haproxy will not even be aware that sessions are
5753 pending. When applying very low limit on a highly loaded service, it may make
5754 sense to increase the socket's backlog using the "backlog" keyword.
5755
5756 This feature is particularly efficient at blocking connection-based attacks
5757 or service abuse on fragile servers. Since the session rate is measured every
5758 millisecond, it is extremely accurate. Also, the limit applies immediately,
5759 no delay is needed at all to detect the threshold.
5760
5761 Example : limit the connection rate on SMTP to 10 per second max
5762 listen smtp
5763 mode tcp
5764 bind :25
5765 rate-limit sessions 10
5766 server 127.0.0.1:1025
5767
Willy Tarreaua17c2d92011-07-25 08:16:20 +02005768 Note : when the maximum rate is reached, the frontend's status is not changed
5769 but its sockets appear as "WAITING" in the statistics if the
5770 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005771
5772 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
5773
5774
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005775redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
5776redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
5777redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005778 Return an HTTP redirection if/unless a condition is matched
5779 May be used in sections : defaults | frontend | listen | backend
5780 no | yes | yes | yes
5781
5782 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01005783 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005784
Willy Tarreau0140f252008-11-19 21:07:09 +01005785 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005786 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005787 the HTTP "Location" header. When used in an "http-request" rule,
5788 <loc> value follows the log-format rules and can include some
5789 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005790
5791 <pfx> With "redirect prefix", the "Location" header is built from the
5792 concatenation of <pfx> and the complete URI path, including the
5793 query string, unless the "drop-query" option is specified (see
5794 below). As a special case, if <pfx> equals exactly "/", then
5795 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005796 redirect to the same URL (for instance, to insert a cookie). When
5797 used in an "http-request" rule, <pfx> value follows the log-format
5798 rules and can include some dynamic values (see Custom Log Format
5799 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005800
5801 <sch> With "redirect scheme", then the "Location" header is built by
5802 concatenating <sch> with "://" then the first occurrence of the
5803 "Host" header, and then the URI path, including the query string
5804 unless the "drop-query" option is specified (see below). If no
5805 path is found or if the path is "*", then "/" is used instead. If
5806 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005807 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005808 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005809 HTTPS. When used in an "http-request" rule, <sch> value follows
5810 the log-format rules and can include some dynamic values (see
5811 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +01005812
5813 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +01005814 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
5815 with 302 used by default if no code is specified. 301 means
5816 "Moved permanently", and a browser may cache the Location. 302
5817 means "Moved permanently" and means that the browser should not
5818 cache the redirection. 303 is equivalent to 302 except that the
5819 browser will fetch the location with a GET method. 307 is just
5820 like 302 but makes it clear that the same method must be reused.
5821 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +01005822
5823 <option> There are several options which can be specified to adjust the
5824 expected behaviour of a redirection :
5825
5826 - "drop-query"
5827 When this keyword is used in a prefix-based redirection, then the
5828 location will be set without any possible query-string, which is useful
5829 for directing users to a non-secure page for instance. It has no effect
5830 with a location-type redirect.
5831
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005832 - "append-slash"
5833 This keyword may be used in conjunction with "drop-query" to redirect
5834 users who use a URL not ending with a '/' to the same one with the '/'.
5835 It can be useful to ensure that search engines will only see one URL.
5836 For this, a return code 301 is preferred.
5837
Willy Tarreau0140f252008-11-19 21:07:09 +01005838 - "set-cookie NAME[=value]"
5839 A "Set-Cookie" header will be added with NAME (and optionally "=value")
5840 to the response. This is sometimes used to indicate that a user has
5841 been seen, for instance to protect against some types of DoS. No other
5842 cookie option is added, so the cookie will be a session cookie. Note
5843 that for a browser, a sole cookie name without an equal sign is
5844 different from a cookie with an equal sign.
5845
5846 - "clear-cookie NAME[=]"
5847 A "Set-Cookie" header will be added with NAME (and optionally "="), but
5848 with the "Max-Age" attribute set to zero. This will tell the browser to
5849 delete this cookie. It is useful for instance on logout pages. It is
5850 important to note that clearing the cookie "NAME" will not remove a
5851 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
5852 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005853
5854 Example: move the login URL only to HTTPS.
5855 acl clear dst_port 80
5856 acl secure dst_port 8080
5857 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01005858 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01005859 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01005860 acl cookie_set hdr_sub(cookie) SEEN=1
5861
5862 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01005863 redirect prefix https://mysite.com if login_page !secure
5864 redirect prefix http://mysite.com drop-query if login_page !uid_given
5865 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01005866 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005867
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005868 Example: send redirects for request for articles without a '/'.
5869 acl missing_slash path_reg ^/article/[^/]*$
5870 redirect code 301 prefix / drop-query append-slash if missing_slash
5871
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005872 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
David BERARDe7153042012-11-03 00:11:31 +01005873 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005874
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005875 Example: append 'www.' prefix in front of all hosts not having it
5876 http-request redirect code 301 location www.%[hdr(host)]%[req.uri] \
5877 unless { hdr_beg(host) -i www }
5878
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005879 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005880
5881
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005882redisp (deprecated)
5883redispatch (deprecated)
5884 Enable or disable session redistribution in case of connection failure
5885 May be used in sections: defaults | frontend | listen | backend
5886 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005887 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005888
5889 In HTTP mode, if a server designated by a cookie is down, clients may
5890 definitely stick to it because they cannot flush the cookie, so they will not
5891 be able to access the service anymore.
5892
5893 Specifying "redispatch" will allow the proxy to break their persistence and
5894 redistribute them to a working server.
5895
5896 It also allows to retry last connection to another server in case of multiple
5897 connection failures. Of course, it requires having "retries" set to a nonzero
5898 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005899
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005900 This form is deprecated, do not use it in any new configuration, use the new
5901 "option redispatch" instead.
5902
5903 See also : "option redispatch"
5904
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005905
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005906reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01005907 Add a header at the end of the HTTP request
5908 May be used in sections : defaults | frontend | listen | backend
5909 no | yes | yes | yes
5910 Arguments :
5911 <string> is the complete line to be added. Any space or known delimiter
5912 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005913 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005914
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005915 <cond> is an optional matching condition built from ACLs. It makes it
5916 possible to ignore this rule when other conditions are not met.
5917
Willy Tarreau303c0352008-01-17 19:01:39 +01005918 A new line consisting in <string> followed by a line feed will be added after
5919 the last header of an HTTP request.
5920
5921 Header transformations only apply to traffic which passes through HAProxy,
5922 and not to traffic generated by HAProxy, such as health-checks or error
5923 responses.
5924
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005925 Example : add "X-Proto: SSL" to requests coming via port 81
5926 acl is-ssl dst_port 81
5927 reqadd X-Proto:\ SSL if is-ssl
5928
5929 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
5930 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005931
5932
Willy Tarreau5321c422010-01-28 20:35:13 +01005933reqallow <search> [{if | unless} <cond>]
5934reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005935 Definitely allow an HTTP request if a line matches a regular expression
5936 May be used in sections : defaults | frontend | listen | backend
5937 no | yes | yes | yes
5938 Arguments :
5939 <search> is the regular expression applied to HTTP headers and to the
5940 request line. This is an extended regular expression. Parenthesis
5941 grouping is supported and no preliminary backslash is required.
5942 Any space or known delimiter must be escaped using a backslash
5943 ('\'). The pattern applies to a full line at a time. The
5944 "reqallow" keyword strictly matches case while "reqiallow"
5945 ignores case.
5946
Willy Tarreau5321c422010-01-28 20:35:13 +01005947 <cond> is an optional matching condition built from ACLs. It makes it
5948 possible to ignore this rule when other conditions are not met.
5949
Willy Tarreau303c0352008-01-17 19:01:39 +01005950 A request containing any line which matches extended regular expression
5951 <search> will mark the request as allowed, even if any later test would
5952 result in a deny. The test applies both to the request line and to request
5953 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01005954 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01005955
5956 It is easier, faster and more powerful to use ACLs to write access policies.
5957 Reqdeny, reqallow and reqpass should be avoided in new designs.
5958
5959 Example :
5960 # allow www.* but refuse *.local
5961 reqiallow ^Host:\ www\.
5962 reqideny ^Host:\ .*\.local
5963
Willy Tarreau5321c422010-01-28 20:35:13 +01005964 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
5965 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005966
5967
Willy Tarreau5321c422010-01-28 20:35:13 +01005968reqdel <search> [{if | unless} <cond>]
5969reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005970 Delete all headers matching a regular expression in an HTTP request
5971 May be used in sections : defaults | frontend | listen | backend
5972 no | yes | yes | yes
5973 Arguments :
5974 <search> is the regular expression applied to HTTP headers and to the
5975 request line. This is an extended regular expression. Parenthesis
5976 grouping is supported and no preliminary backslash is required.
5977 Any space or known delimiter must be escaped using a backslash
5978 ('\'). The pattern applies to a full line at a time. The "reqdel"
5979 keyword strictly matches case while "reqidel" ignores case.
5980
Willy Tarreau5321c422010-01-28 20:35:13 +01005981 <cond> is an optional matching condition built from ACLs. It makes it
5982 possible to ignore this rule when other conditions are not met.
5983
Willy Tarreau303c0352008-01-17 19:01:39 +01005984 Any header line matching extended regular expression <search> in the request
5985 will be completely deleted. Most common use of this is to remove unwanted
5986 and/or dangerous headers or cookies from a request before passing it to the
5987 next servers.
5988
5989 Header transformations only apply to traffic which passes through HAProxy,
5990 and not to traffic generated by HAProxy, such as health-checks or error
5991 responses. Keep in mind that header names are not case-sensitive.
5992
5993 Example :
5994 # remove X-Forwarded-For header and SERVER cookie
5995 reqidel ^X-Forwarded-For:.*
5996 reqidel ^Cookie:.*SERVER=
5997
Willy Tarreau5321c422010-01-28 20:35:13 +01005998 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
5999 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006000
6001
Willy Tarreau5321c422010-01-28 20:35:13 +01006002reqdeny <search> [{if | unless} <cond>]
6003reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006004 Deny an HTTP request if a line matches a regular expression
6005 May be used in sections : defaults | frontend | listen | backend
6006 no | yes | yes | yes
6007 Arguments :
6008 <search> is the regular expression applied to HTTP headers and to the
6009 request line. This is an extended regular expression. Parenthesis
6010 grouping is supported and no preliminary backslash is required.
6011 Any space or known delimiter must be escaped using a backslash
6012 ('\'). The pattern applies to a full line at a time. The
6013 "reqdeny" keyword strictly matches case while "reqideny" ignores
6014 case.
6015
Willy Tarreau5321c422010-01-28 20:35:13 +01006016 <cond> is an optional matching condition built from ACLs. It makes it
6017 possible to ignore this rule when other conditions are not met.
6018
Willy Tarreau303c0352008-01-17 19:01:39 +01006019 A request containing any line which matches extended regular expression
6020 <search> will mark the request as denied, even if any later test would
6021 result in an allow. The test applies both to the request line and to request
6022 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01006023 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01006024
Willy Tarreauced27012008-01-17 20:35:34 +01006025 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006026 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01006027 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01006028
Willy Tarreau303c0352008-01-17 19:01:39 +01006029 It is easier, faster and more powerful to use ACLs to write access policies.
6030 Reqdeny, reqallow and reqpass should be avoided in new designs.
6031
6032 Example :
6033 # refuse *.local, then allow www.*
6034 reqideny ^Host:\ .*\.local
6035 reqiallow ^Host:\ www\.
6036
Willy Tarreau5321c422010-01-28 20:35:13 +01006037 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
6038 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006039
6040
Willy Tarreau5321c422010-01-28 20:35:13 +01006041reqpass <search> [{if | unless} <cond>]
6042reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006043 Ignore any HTTP request line matching a regular expression in next rules
6044 May be used in sections : defaults | frontend | listen | backend
6045 no | yes | yes | yes
6046 Arguments :
6047 <search> is the regular expression applied to HTTP headers and to the
6048 request line. This is an extended regular expression. Parenthesis
6049 grouping is supported and no preliminary backslash is required.
6050 Any space or known delimiter must be escaped using a backslash
6051 ('\'). The pattern applies to a full line at a time. The
6052 "reqpass" keyword strictly matches case while "reqipass" ignores
6053 case.
6054
Willy Tarreau5321c422010-01-28 20:35:13 +01006055 <cond> is an optional matching condition built from ACLs. It makes it
6056 possible to ignore this rule when other conditions are not met.
6057
Willy Tarreau303c0352008-01-17 19:01:39 +01006058 A request containing any line which matches extended regular expression
6059 <search> will skip next rules, without assigning any deny or allow verdict.
6060 The test applies both to the request line and to request headers. Keep in
6061 mind that URLs in request line are case-sensitive while header names are not.
6062
6063 It is easier, faster and more powerful to use ACLs to write access policies.
6064 Reqdeny, reqallow and reqpass should be avoided in new designs.
6065
6066 Example :
6067 # refuse *.local, then allow www.*, but ignore "www.private.local"
6068 reqipass ^Host:\ www.private\.local
6069 reqideny ^Host:\ .*\.local
6070 reqiallow ^Host:\ www\.
6071
Willy Tarreau5321c422010-01-28 20:35:13 +01006072 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
6073 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006074
6075
Willy Tarreau5321c422010-01-28 20:35:13 +01006076reqrep <search> <string> [{if | unless} <cond>]
6077reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006078 Replace a regular expression with a string in an HTTP request line
6079 May be used in sections : defaults | frontend | listen | backend
6080 no | yes | yes | yes
6081 Arguments :
6082 <search> is the regular expression applied to HTTP headers and to the
6083 request line. This is an extended regular expression. Parenthesis
6084 grouping is supported and no preliminary backslash is required.
6085 Any space or known delimiter must be escaped using a backslash
6086 ('\'). The pattern applies to a full line at a time. The "reqrep"
6087 keyword strictly matches case while "reqirep" ignores case.
6088
6089 <string> is the complete line to be added. Any space or known delimiter
6090 must be escaped using a backslash ('\'). References to matched
6091 pattern groups are possible using the common \N form, with N
6092 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006093 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006094
Willy Tarreau5321c422010-01-28 20:35:13 +01006095 <cond> is an optional matching condition built from ACLs. It makes it
6096 possible to ignore this rule when other conditions are not met.
6097
Willy Tarreau303c0352008-01-17 19:01:39 +01006098 Any line matching extended regular expression <search> in the request (both
6099 the request line and header lines) will be completely replaced with <string>.
6100 Most common use of this is to rewrite URLs or domain names in "Host" headers.
6101
6102 Header transformations only apply to traffic which passes through HAProxy,
6103 and not to traffic generated by HAProxy, such as health-checks or error
6104 responses. Note that for increased readability, it is suggested to add enough
6105 spaces between the request and the response. Keep in mind that URLs in
6106 request line are case-sensitive while header names are not.
6107
6108 Example :
6109 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006110 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01006111 # replace "www.mydomain.com" with "www" in the host name.
6112 reqirep ^Host:\ www.mydomain.com Host:\ www
6113
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04006114 See also: "reqadd", "reqdel", "rsprep", "tune.bufsize", section 6 about
6115 HTTP header manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006116
6117
Willy Tarreau5321c422010-01-28 20:35:13 +01006118reqtarpit <search> [{if | unless} <cond>]
6119reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006120 Tarpit an HTTP request containing a line matching a regular expression
6121 May be used in sections : defaults | frontend | listen | backend
6122 no | yes | yes | yes
6123 Arguments :
6124 <search> is the regular expression applied to HTTP headers and to the
6125 request line. This is an extended regular expression. Parenthesis
6126 grouping is supported and no preliminary backslash is required.
6127 Any space or known delimiter must be escaped using a backslash
6128 ('\'). The pattern applies to a full line at a time. The
6129 "reqtarpit" keyword strictly matches case while "reqitarpit"
6130 ignores case.
6131
Willy Tarreau5321c422010-01-28 20:35:13 +01006132 <cond> is an optional matching condition built from ACLs. It makes it
6133 possible to ignore this rule when other conditions are not met.
6134
Willy Tarreau303c0352008-01-17 19:01:39 +01006135 A request containing any line which matches extended regular expression
6136 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01006137 be kept open for a pre-defined time, then will return an HTTP error 500 so
6138 that the attacker does not suspect it has been tarpitted. The status 500 will
6139 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01006140 delay is defined by "timeout tarpit", or "timeout connect" if the former is
6141 not set.
6142
6143 The goal of the tarpit is to slow down robots attacking servers with
6144 identifiable requests. Many robots limit their outgoing number of connections
6145 and stay connected waiting for a reply which can take several minutes to
6146 come. Depending on the environment and attack, it may be particularly
6147 efficient at reducing the load on the network and firewalls.
6148
Willy Tarreau5321c422010-01-28 20:35:13 +01006149 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01006150 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
6151 # block all others.
6152 reqipass ^User-Agent:\.*(Mozilla|MSIE)
6153 reqitarpit ^User-Agent:
6154
Willy Tarreau5321c422010-01-28 20:35:13 +01006155 # block bad guys
6156 acl badguys src 10.1.0.3 172.16.13.20/28
6157 reqitarpit . if badguys
6158
6159 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
6160 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006161
6162
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02006163retries <value>
6164 Set the number of retries to perform on a server after a connection failure
6165 May be used in sections: defaults | frontend | listen | backend
6166 yes | no | yes | yes
6167 Arguments :
6168 <value> is the number of times a connection attempt should be retried on
6169 a server when a connection either is refused or times out. The
6170 default value is 3.
6171
6172 It is important to understand that this value applies to the number of
6173 connection attempts, not full requests. When a connection has effectively
6174 been established to a server, there will be no more retry.
6175
6176 In order to avoid immediate reconnections to a server which is restarting,
6177 a turn-around timer of 1 second is applied before a retry occurs.
6178
6179 When "option redispatch" is set, the last retry may be performed on another
6180 server even if a cookie references a different server.
6181
6182 See also : "option redispatch"
6183
6184
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006185rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01006186 Add a header at the end of the HTTP response
6187 May be used in sections : defaults | frontend | listen | backend
6188 no | yes | yes | yes
6189 Arguments :
6190 <string> is the complete line to be added. Any space or known delimiter
6191 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006192 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006193
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006194 <cond> is an optional matching condition built from ACLs. It makes it
6195 possible to ignore this rule when other conditions are not met.
6196
Willy Tarreau303c0352008-01-17 19:01:39 +01006197 A new line consisting in <string> followed by a line feed will be added after
6198 the last header of an HTTP response.
6199
6200 Header transformations only apply to traffic which passes through HAProxy,
6201 and not to traffic generated by HAProxy, such as health-checks or error
6202 responses.
6203
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006204 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
6205 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006206
6207
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006208rspdel <search> [{if | unless} <cond>]
6209rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006210 Delete all headers matching a regular expression in an HTTP response
6211 May be used in sections : defaults | frontend | listen | backend
6212 no | yes | yes | yes
6213 Arguments :
6214 <search> is the regular expression applied to HTTP headers and to the
6215 response line. This is an extended regular expression, so
6216 parenthesis grouping is supported and no preliminary backslash
6217 is required. Any space or known delimiter must be escaped using
6218 a backslash ('\'). The pattern applies to a full line at a time.
6219 The "rspdel" keyword strictly matches case while "rspidel"
6220 ignores case.
6221
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006222 <cond> is an optional matching condition built from ACLs. It makes it
6223 possible to ignore this rule when other conditions are not met.
6224
Willy Tarreau303c0352008-01-17 19:01:39 +01006225 Any header line matching extended regular expression <search> in the response
6226 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02006227 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01006228 client.
6229
6230 Header transformations only apply to traffic which passes through HAProxy,
6231 and not to traffic generated by HAProxy, such as health-checks or error
6232 responses. Keep in mind that header names are not case-sensitive.
6233
6234 Example :
6235 # remove the Server header from responses
Willy Tarreau5e80e022013-05-25 08:31:25 +02006236 rspidel ^Server:.*
Willy Tarreau303c0352008-01-17 19:01:39 +01006237
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006238 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
6239 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006240
6241
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006242rspdeny <search> [{if | unless} <cond>]
6243rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006244 Block an HTTP response if a line matches a regular expression
6245 May be used in sections : defaults | frontend | listen | backend
6246 no | yes | yes | yes
6247 Arguments :
6248 <search> is the regular expression applied to HTTP headers and to the
6249 response line. This is an extended regular expression, so
6250 parenthesis grouping is supported and no preliminary backslash
6251 is required. Any space or known delimiter must be escaped using
6252 a backslash ('\'). The pattern applies to a full line at a time.
6253 The "rspdeny" keyword strictly matches case while "rspideny"
6254 ignores case.
6255
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006256 <cond> is an optional matching condition built from ACLs. It makes it
6257 possible to ignore this rule when other conditions are not met.
6258
Willy Tarreau303c0352008-01-17 19:01:39 +01006259 A response containing any line which matches extended regular expression
6260 <search> will mark the request as denied. The test applies both to the
6261 response line and to response headers. Keep in mind that header names are not
6262 case-sensitive.
6263
6264 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01006265 block the response before it reaches the client. If a response is denied, it
6266 will be replaced with an HTTP 502 error so that the client never retrieves
6267 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01006268
6269 It is easier, faster and more powerful to use ACLs to write access policies.
6270 Rspdeny should be avoided in new designs.
6271
6272 Example :
6273 # Ensure that no content type matching ms-word will leak
6274 rspideny ^Content-type:\.*/ms-word
6275
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006276 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
6277 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006278
6279
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006280rsprep <search> <string> [{if | unless} <cond>]
6281rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01006282 Replace a regular expression with a string in an HTTP response line
6283 May be used in sections : defaults | frontend | listen | backend
6284 no | yes | yes | yes
6285 Arguments :
6286 <search> is the regular expression applied to HTTP headers and to the
6287 response line. This is an extended regular expression, so
6288 parenthesis grouping is supported and no preliminary backslash
6289 is required. Any space or known delimiter must be escaped using
6290 a backslash ('\'). The pattern applies to a full line at a time.
6291 The "rsprep" keyword strictly matches case while "rspirep"
6292 ignores case.
6293
6294 <string> is the complete line to be added. Any space or known delimiter
6295 must be escaped using a backslash ('\'). References to matched
6296 pattern groups are possible using the common \N form, with N
6297 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006298 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01006299
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006300 <cond> is an optional matching condition built from ACLs. It makes it
6301 possible to ignore this rule when other conditions are not met.
6302
Willy Tarreau303c0352008-01-17 19:01:39 +01006303 Any line matching extended regular expression <search> in the response (both
6304 the response line and header lines) will be completely replaced with
6305 <string>. Most common use of this is to rewrite Location headers.
6306
6307 Header transformations only apply to traffic which passes through HAProxy,
6308 and not to traffic generated by HAProxy, such as health-checks or error
6309 responses. Note that for increased readability, it is suggested to add enough
6310 spaces between the request and the response. Keep in mind that header names
6311 are not case-sensitive.
6312
6313 Example :
6314 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
6315 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
6316
Willy Tarreaufdb563c2010-01-31 15:43:27 +01006317 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
6318 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01006319
6320
David du Colombier486df472011-03-17 10:40:26 +01006321server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006322 Declare a server in a backend
6323 May be used in sections : defaults | frontend | listen | backend
6324 no | no | yes | yes
6325 Arguments :
6326 <name> is the internal name assigned to this server. This name will
Cyril Bonté941a0c62012-10-15 19:44:24 +02006327 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05006328 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006329
David du Colombier486df472011-03-17 10:40:26 +01006330 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
6331 resolvable hostname is supported, but this name will be resolved
6332 during start-up. Address "0.0.0.0" or "*" has a special meaning.
6333 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02006334 address as the one from the client connection. This is useful in
6335 transparent proxy architectures where the client's connection is
6336 intercepted and haproxy must forward to the original destination
6337 address. This is more or less what the "transparent" keyword does
6338 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +01006339 to report statistics. Optionally, an address family prefix may be
6340 used before the address to force the family regardless of the
6341 address format, which can be useful to specify a path to a unix
6342 socket with no slash ('/'). Currently supported prefixes are :
6343 - 'ipv4@' -> address is always IPv4
6344 - 'ipv6@' -> address is always IPv6
6345 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006346 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01006347 Any part of the address string may reference any number of
6348 environment variables by preceding their name with a dollar
6349 sign ('$') and optionally enclosing them with braces ('{}'),
6350 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006351
Willy Tarreaub6205fd2012-09-24 12:27:33 +02006352 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006353 be sent to this port. If unset, the same port the client
6354 connected to will be used. The port may also be prefixed by a "+"
6355 or a "-". In this case, the server's port will be determined by
6356 adding this value to the client's port.
6357
6358 <param*> is a list of parameters for this server. The "server" keywords
6359 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006360 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006361
6362 Examples :
6363 server first 10.1.1.1:1080 cookie first check inter 1000
6364 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +01006365 server transp ipv4@
Willy Tarreaudad36a32013-03-11 01:20:04 +01006366 server backup ${SRV_BACKUP}:1080 backup
6367 server www1_dc1 ${LAN_DC1}.101:80
6368 server www1_dc2 ${LAN_DC2}.101:80
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006369
Mark Lamourinec2247f02012-01-04 13:02:01 -05006370 See also: "default-server", "http-send-name-header" and section 5 about
6371 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006372
6373
6374source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006375source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006376source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006377 Set the source address for outgoing connections
6378 May be used in sections : defaults | frontend | listen | backend
6379 yes | no | yes | yes
6380 Arguments :
6381 <addr> is the IPv4 address HAProxy will bind to before connecting to a
6382 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +01006383
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006384 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +01006385 the most appropriate address to reach its destination. Optionally
6386 an address family prefix may be used before the address to force
6387 the family regardless of the address format, which can be useful
6388 to specify a path to a unix socket with no slash ('/'). Currently
6389 supported prefixes are :
6390 - 'ipv4@' -> address is always IPv4
6391 - 'ipv6@' -> address is always IPv6
6392 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02006393 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01006394 Any part of the address string may reference any number of
6395 environment variables by preceding their name with a dollar
6396 sign ('$') and optionally enclosing them with braces ('{}'),
6397 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006398
6399 <port> is an optional port. It is normally not needed but may be useful
6400 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006401 the system will select a free port. Note that port ranges are not
6402 supported in the backend. If you want to force port ranges, you
6403 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006404
6405 <addr2> is the IP address to present to the server when connections are
6406 forwarded in full transparent proxy mode. This is currently only
6407 supported on some patched Linux kernels. When this address is
6408 specified, clients connecting to the server will be presented
6409 with this address, while health checks will still use the address
6410 <addr>.
6411
6412 <port2> is the optional port to present to the server when connections
6413 are forwarded in full transparent proxy mode (see <addr2> above).
6414 The default value of zero means the system will select a free
6415 port.
6416
Willy Tarreaubce70882009-09-07 11:51:47 +02006417 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
6418 This is the name of a comma-separated header list which can
6419 contain multiple IP addresses. By default, the last occurrence is
6420 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +01006421 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +02006422 by previous proxy, typically Stunnel. In order to use another
6423 occurrence from the last one, please see the <occ> parameter
6424 below. When the header (or occurrence) is not found, no binding
6425 is performed so that the proxy's default IP address is used. Also
6426 keep in mind that the header name is case insensitive, as for any
6427 HTTP header.
6428
6429 <occ> is the occurrence number of a value to be used in a multi-value
6430 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04006431 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02006432 address. Positive values indicate a position from the first
6433 occurrence, 1 being the first one. Negative values indicate
6434 positions relative to the last one, -1 being the last one. This
6435 is helpful for situations where an X-Forwarded-For header is set
6436 at the entry point of an infrastructure and must be used several
6437 proxy layers away. When this value is not specified, -1 is
6438 assumed. Passing a zero here disables the feature.
6439
Willy Tarreaud53f96b2009-02-04 18:46:54 +01006440 <name> is an optional interface name to which to bind to for outgoing
6441 traffic. On systems supporting this features (currently, only
6442 Linux), this allows one to bind all traffic to the server to
6443 this interface even if it is not the one the system would select
6444 based on routing tables. This should be used with extreme care.
6445 Note that using this option requires root privileges.
6446
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006447 The "source" keyword is useful in complex environments where a specific
6448 address only is allowed to connect to the servers. It may be needed when a
6449 private address must be used through a public gateway for instance, and it is
6450 known that the system cannot determine the adequate source address by itself.
6451
6452 An extension which is available on certain patched Linux kernels may be used
6453 through the "usesrc" optional keyword. It makes it possible to connect to the
6454 servers with an IP address which does not belong to the system itself. This
6455 is called "full transparent proxy mode". For this to work, the destination
6456 servers have to route their traffic back to this address through the machine
6457 running HAProxy, and IP forwarding must generally be enabled on this machine.
6458
6459 In this "full transparent proxy" mode, it is possible to force a specific IP
6460 address to be presented to the servers. This is not much used in fact. A more
6461 common use is to tell HAProxy to present the client's IP address. For this,
6462 there are two methods :
6463
6464 - present the client's IP and port addresses. This is the most transparent
6465 mode, but it can cause problems when IP connection tracking is enabled on
6466 the machine, because a same connection may be seen twice with different
6467 states. However, this solution presents the huge advantage of not
6468 limiting the system to the 64k outgoing address+port couples, because all
6469 of the client ranges may be used.
6470
6471 - present only the client's IP address and select a spare port. This
6472 solution is still quite elegant but slightly less transparent (downstream
6473 firewalls logs will not match upstream's). It also presents the downside
6474 of limiting the number of concurrent connections to the usual 64k ports.
6475 However, since the upstream and downstream ports are different, local IP
6476 connection tracking on the machine will not be upset by the reuse of the
6477 same session.
6478
6479 Note that depending on the transparent proxy technology used, it may be
6480 required to force the source address. In fact, cttproxy version 2 requires an
6481 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
6482 IP address because it creates NAT entries which much match the exact outgoing
6483 address. Tproxy version 4 and some other kernel patches which work in pure
6484 forwarding mode generally will not have this limitation.
6485
6486 This option sets the default source for all servers in the backend. It may
6487 also be specified in a "defaults" section. Finer source address specification
6488 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006489 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006490
6491 Examples :
6492 backend private
6493 # Connect to the servers using our 192.168.1.200 source address
6494 source 192.168.1.200
6495
6496 backend transparent_ssl1
6497 # Connect to the SSL farm from the client's source address
6498 source 192.168.1.200 usesrc clientip
6499
6500 backend transparent_ssl2
6501 # Connect to the SSL farm from the client's source address and port
6502 # not recommended if IP conntrack is present on the local machine.
6503 source 192.168.1.200 usesrc client
6504
6505 backend transparent_ssl3
6506 # Connect to the SSL farm from the client's source address. It
6507 # is more conntrack-friendly.
6508 source 192.168.1.200 usesrc clientip
6509
6510 backend transparent_smtp
6511 # Connect to the SMTP farm from the client's source address/port
6512 # with Tproxy version 4.
6513 source 0.0.0.0 usesrc clientip
6514
Willy Tarreaubce70882009-09-07 11:51:47 +02006515 backend transparent_http
6516 # Connect to the servers using the client's IP as seen by previous
6517 # proxy.
6518 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
6519
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006520 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006521 the Linux kernel on www.balabit.com, the "bind" keyword.
6522
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006523
Willy Tarreau844e3c52008-01-11 16:28:18 +01006524srvtimeout <timeout> (deprecated)
6525 Set the maximum inactivity time on the server side.
6526 May be used in sections : defaults | frontend | listen | backend
6527 yes | no | yes | yes
6528 Arguments :
6529 <timeout> is the timeout value specified in milliseconds by default, but
6530 can be in any other unit if the number is suffixed by the unit,
6531 as explained at the top of this document.
6532
6533 The inactivity timeout applies when the server is expected to acknowledge or
6534 send data. In HTTP mode, this timeout is particularly important to consider
6535 during the first phase of the server's response, when it has to send the
6536 headers, as it directly represents the server's processing time for the
6537 request. To find out what value to put there, it's often good to start with
6538 what would be considered as unacceptable response times, then check the logs
6539 to observe the response time distribution, and adjust the value accordingly.
6540
6541 The value is specified in milliseconds by default, but can be in any other
6542 unit if the number is suffixed by the unit, as specified at the top of this
6543 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6544 recommended that the client timeout remains equal to the server timeout in
6545 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006546 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006547 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01006548 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01006549
6550 This parameter is specific to backends, but can be specified once for all in
6551 "defaults" sections. This is in fact one of the easiest solutions not to
6552 forget about it. An unspecified timeout results in an infinite timeout, which
6553 is not recommended. Such a usage is accepted and works but reports a warning
6554 during startup because it may results in accumulation of expired sessions in
6555 the system if the system's timeouts are not configured either.
6556
6557 This parameter is provided for compatibility but is currently deprecated.
6558 Please use "timeout server" instead.
6559
Willy Tarreauce887fd2012-05-12 12:50:00 +02006560 See also : "timeout server", "timeout tunnel", "timeout client" and
6561 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01006562
6563
Cyril Bonté66c327d2010-10-12 00:14:37 +02006564stats admin { if | unless } <cond>
6565 Enable statistics admin level if/unless a condition is matched
6566 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006567 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +02006568
6569 This statement enables the statistics admin level if/unless a condition is
6570 matched.
6571
6572 The admin level allows to enable/disable servers from the web interface. By
6573 default, statistics page is read-only for security reasons.
6574
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006575 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6576 unless you know what you do : memory is not shared between the
6577 processes, which can result in random behaviours.
6578
Cyril Bonté23b39d92011-02-10 22:54:44 +01006579 Currently, the POST request is limited to the buffer size minus the reserved
6580 buffer space, which means that if the list of servers is too long, the
6581 request won't be processed. It is recommended to alter few servers at a
6582 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006583
6584 Example :
6585 # statistics admin level only for localhost
6586 backend stats_localhost
6587 stats enable
6588 stats admin if LOCALHOST
6589
6590 Example :
6591 # statistics admin level always enabled because of the authentication
6592 backend stats_auth
6593 stats enable
6594 stats auth admin:AdMiN123
6595 stats admin if TRUE
6596
6597 Example :
6598 # statistics admin level depends on the authenticated user
6599 userlist stats-auth
6600 group admin users admin
6601 user admin insecure-password AdMiN123
6602 group readonly users haproxy
6603 user haproxy insecure-password haproxy
6604
6605 backend stats_auth
6606 stats enable
6607 acl AUTH http_auth(stats-auth)
6608 acl AUTH_ADMIN http_auth_group(stats-auth) admin
6609 stats http-request auth unless AUTH
6610 stats admin if AUTH_ADMIN
6611
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006612 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
6613 "bind-process", section 3.4 about userlists and section 7 about
6614 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006615
6616
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006617stats auth <user>:<passwd>
6618 Enable statistics with authentication and grant access to an account
6619 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006620 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006621 Arguments :
6622 <user> is a user name to grant access to
6623
6624 <passwd> is the cleartext password associated to this user
6625
6626 This statement enables statistics with default settings, and restricts access
6627 to declared users only. It may be repeated as many times as necessary to
6628 allow as many users as desired. When a user tries to access the statistics
6629 without a valid account, a "401 Forbidden" response will be returned so that
6630 the browser asks the user to provide a valid user and password. The real
6631 which will be returned to the browser is configurable using "stats realm".
6632
6633 Since the authentication method is HTTP Basic Authentication, the passwords
6634 circulate in cleartext on the network. Thus, it was decided that the
6635 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02006636 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006637
6638 It is also possible to reduce the scope of the proxies which appear in the
6639 report using "stats scope".
6640
6641 Though this statement alone is enough to enable statistics reporting, it is
6642 recommended to set all other settings in order to avoid relying on default
6643 unobvious parameters.
6644
6645 Example :
6646 # public access (limited to this backend only)
6647 backend public_www
6648 server srv1 192.168.0.1:80
6649 stats enable
6650 stats hide-version
6651 stats scope .
6652 stats uri /admin?stats
6653 stats realm Haproxy\ Statistics
6654 stats auth admin1:AdMiN123
6655 stats auth admin2:AdMiN321
6656
6657 # internal monitoring access (unlimited)
6658 backend private_monitoring
6659 stats enable
6660 stats uri /admin?stats
6661 stats refresh 5s
6662
6663 See also : "stats enable", "stats realm", "stats scope", "stats uri"
6664
6665
6666stats enable
6667 Enable statistics reporting with default settings
6668 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006669 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006670 Arguments : none
6671
6672 This statement enables statistics reporting with default settings defined
6673 at build time. Unless stated otherwise, these settings are used :
6674 - stats uri : /haproxy?stats
6675 - stats realm : "HAProxy Statistics"
6676 - stats auth : no authentication
6677 - stats scope : no restriction
6678
6679 Though this statement alone is enough to enable statistics reporting, it is
6680 recommended to set all other settings in order to avoid relying on default
6681 unobvious parameters.
6682
6683 Example :
6684 # public access (limited to this backend only)
6685 backend public_www
6686 server srv1 192.168.0.1:80
6687 stats enable
6688 stats hide-version
6689 stats scope .
6690 stats uri /admin?stats
6691 stats realm Haproxy\ Statistics
6692 stats auth admin1:AdMiN123
6693 stats auth admin2:AdMiN321
6694
6695 # internal monitoring access (unlimited)
6696 backend private_monitoring
6697 stats enable
6698 stats uri /admin?stats
6699 stats refresh 5s
6700
6701 See also : "stats auth", "stats realm", "stats uri"
6702
6703
Willy Tarreaud63335a2010-02-26 12:56:52 +01006704stats hide-version
6705 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006706 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006707 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006708 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006709
Willy Tarreaud63335a2010-02-26 12:56:52 +01006710 By default, the stats page reports some useful status information along with
6711 the statistics. Among them is HAProxy's version. However, it is generally
6712 considered dangerous to report precise version to anyone, as it can help them
6713 target known weaknesses with specific attacks. The "stats hide-version"
6714 statement removes the version from the statistics report. This is recommended
6715 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006716
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006717 Though this statement alone is enough to enable statistics reporting, it is
6718 recommended to set all other settings in order to avoid relying on default
6719 unobvious parameters.
6720
Willy Tarreaud63335a2010-02-26 12:56:52 +01006721 Example :
6722 # public access (limited to this backend only)
6723 backend public_www
6724 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006725 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006726 stats hide-version
6727 stats scope .
6728 stats uri /admin?stats
6729 stats realm Haproxy\ Statistics
6730 stats auth admin1:AdMiN123
6731 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006732
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006733 # internal monitoring access (unlimited)
6734 backend private_monitoring
6735 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006736 stats uri /admin?stats
6737 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01006738
Willy Tarreaud63335a2010-02-26 12:56:52 +01006739 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006740
Willy Tarreau983e01e2010-01-11 18:42:06 +01006741
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02006742stats http-request { allow | deny | auth [realm <realm>] }
6743 [ { if | unless } <condition> ]
6744 Access control for statistics
6745
6746 May be used in sections: defaults | frontend | listen | backend
6747 no | no | yes | yes
6748
6749 As "http-request", these set of options allow to fine control access to
6750 statistics. Each option may be followed by if/unless and acl.
6751 First option with matched condition (or option without condition) is final.
6752 For "deny" a 403 error will be returned, for "allow" normal processing is
6753 performed, for "auth" a 401/407 error code is returned so the client
6754 should be asked to enter a username and password.
6755
6756 There is no fixed limit to the number of http-request statements per
6757 instance.
6758
6759 See also : "http-request", section 3.4 about userlists and section 7
6760 about ACL usage.
6761
6762
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006763stats realm <realm>
6764 Enable statistics and set authentication realm
6765 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006766 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006767 Arguments :
6768 <realm> is the name of the HTTP Basic Authentication realm reported to
6769 the browser. The browser uses it to display it in the pop-up
6770 inviting the user to enter a valid username and password.
6771
6772 The realm is read as a single word, so any spaces in it should be escaped
6773 using a backslash ('\').
6774
6775 This statement is useful only in conjunction with "stats auth" since it is
6776 only related to authentication.
6777
6778 Though this statement alone is enough to enable statistics reporting, it is
6779 recommended to set all other settings in order to avoid relying on default
6780 unobvious parameters.
6781
6782 Example :
6783 # public access (limited to this backend only)
6784 backend public_www
6785 server srv1 192.168.0.1:80
6786 stats enable
6787 stats hide-version
6788 stats scope .
6789 stats uri /admin?stats
6790 stats realm Haproxy\ Statistics
6791 stats auth admin1:AdMiN123
6792 stats auth admin2:AdMiN321
6793
6794 # internal monitoring access (unlimited)
6795 backend private_monitoring
6796 stats enable
6797 stats uri /admin?stats
6798 stats refresh 5s
6799
6800 See also : "stats auth", "stats enable", "stats uri"
6801
6802
6803stats refresh <delay>
6804 Enable statistics with automatic refresh
6805 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006806 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006807 Arguments :
6808 <delay> is the suggested refresh delay, specified in seconds, which will
6809 be returned to the browser consulting the report page. While the
6810 browser is free to apply any delay, it will generally respect it
6811 and refresh the page this every seconds. The refresh interval may
6812 be specified in any other non-default time unit, by suffixing the
6813 unit after the value, as explained at the top of this document.
6814
6815 This statement is useful on monitoring displays with a permanent page
6816 reporting the load balancer's activity. When set, the HTML report page will
6817 include a link "refresh"/"stop refresh" so that the user can select whether
6818 he wants automatic refresh of the page or not.
6819
6820 Though this statement alone is enough to enable statistics reporting, it is
6821 recommended to set all other settings in order to avoid relying on default
6822 unobvious parameters.
6823
6824 Example :
6825 # public access (limited to this backend only)
6826 backend public_www
6827 server srv1 192.168.0.1:80
6828 stats enable
6829 stats hide-version
6830 stats scope .
6831 stats uri /admin?stats
6832 stats realm Haproxy\ Statistics
6833 stats auth admin1:AdMiN123
6834 stats auth admin2:AdMiN321
6835
6836 # internal monitoring access (unlimited)
6837 backend private_monitoring
6838 stats enable
6839 stats uri /admin?stats
6840 stats refresh 5s
6841
6842 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6843
6844
6845stats scope { <name> | "." }
6846 Enable statistics and limit access scope
6847 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006848 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006849 Arguments :
6850 <name> is the name of a listen, frontend or backend section to be
6851 reported. The special name "." (a single dot) designates the
6852 section in which the statement appears.
6853
6854 When this statement is specified, only the sections enumerated with this
6855 statement will appear in the report. All other ones will be hidden. This
6856 statement may appear as many times as needed if multiple sections need to be
6857 reported. Please note that the name checking is performed as simple string
6858 comparisons, and that it is never checked that a give section name really
6859 exists.
6860
6861 Though this statement alone is enough to enable statistics reporting, it is
6862 recommended to set all other settings in order to avoid relying on default
6863 unobvious parameters.
6864
6865 Example :
6866 # public access (limited to this backend only)
6867 backend public_www
6868 server srv1 192.168.0.1:80
6869 stats enable
6870 stats hide-version
6871 stats scope .
6872 stats uri /admin?stats
6873 stats realm Haproxy\ Statistics
6874 stats auth admin1:AdMiN123
6875 stats auth admin2:AdMiN321
6876
6877 # internal monitoring access (unlimited)
6878 backend private_monitoring
6879 stats enable
6880 stats uri /admin?stats
6881 stats refresh 5s
6882
6883 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6884
Willy Tarreaud63335a2010-02-26 12:56:52 +01006885
Willy Tarreauc9705a12010-07-27 20:05:50 +02006886stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01006887 Enable reporting of a description on the statistics page.
6888 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006889 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006890
Willy Tarreauc9705a12010-07-27 20:05:50 +02006891 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01006892 description from global section is automatically used instead.
6893
6894 This statement is useful for users that offer shared services to their
6895 customers, where node or description should be different for each customer.
6896
6897 Though this statement alone is enough to enable statistics reporting, it is
6898 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006899 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006900
6901 Example :
6902 # internal monitoring access (unlimited)
6903 backend private_monitoring
6904 stats enable
6905 stats show-desc Master node for Europe, Asia, Africa
6906 stats uri /admin?stats
6907 stats refresh 5s
6908
6909 See also: "show-node", "stats enable", "stats uri" and "description" in
6910 global section.
6911
6912
6913stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +02006914 Enable reporting additional information on the statistics page
6915 May be used in sections : defaults | frontend | listen | backend
6916 yes | yes | yes | yes
6917 Arguments : none
6918
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03006919 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +01006920 - cap: capabilities (proxy)
6921 - mode: one of tcp, http or health (proxy)
6922 - id: SNMP ID (proxy, socket, server)
6923 - IP (socket, server)
6924 - cookie (backend, server)
6925
6926 Though this statement alone is enough to enable statistics reporting, it is
6927 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006928 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006929
6930 See also: "stats enable", "stats uri".
6931
6932
6933stats show-node [ <name> ]
6934 Enable reporting of a host name on the statistics page.
6935 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006936 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006937 Arguments:
6938 <name> is an optional name to be reported. If unspecified, the
6939 node name from global section is automatically used instead.
6940
6941 This statement is useful for users that offer shared services to their
6942 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006943 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006944
6945 Though this statement alone is enough to enable statistics reporting, it is
6946 recommended to set all other settings in order to avoid relying on default
6947 unobvious parameters.
6948
6949 Example:
6950 # internal monitoring access (unlimited)
6951 backend private_monitoring
6952 stats enable
6953 stats show-node Europe-1
6954 stats uri /admin?stats
6955 stats refresh 5s
6956
6957 See also: "show-desc", "stats enable", "stats uri", and "node" in global
6958 section.
6959
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006960
6961stats uri <prefix>
6962 Enable statistics and define the URI prefix to access them
6963 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006964 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006965 Arguments :
6966 <prefix> is the prefix of any URI which will be redirected to stats. This
6967 prefix may contain a question mark ('?') to indicate part of a
6968 query string.
6969
6970 The statistics URI is intercepted on the relayed traffic, so it appears as a
6971 page within the normal application. It is strongly advised to ensure that the
6972 selected URI will never appear in the application, otherwise it will never be
6973 possible to reach it in the application.
6974
6975 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006976 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006977 It is generally a good idea to include a question mark in the URI so that
6978 intermediate proxies refrain from caching the results. Also, since any string
6979 beginning with the prefix will be accepted as a stats request, the question
6980 mark helps ensuring that no valid URI will begin with the same words.
6981
6982 It is sometimes very convenient to use "/" as the URI prefix, and put that
6983 statement in a "listen" instance of its own. That makes it easy to dedicate
6984 an address or a port to statistics only.
6985
6986 Though this statement alone is enough to enable statistics reporting, it is
6987 recommended to set all other settings in order to avoid relying on default
6988 unobvious parameters.
6989
6990 Example :
6991 # public access (limited to this backend only)
6992 backend public_www
6993 server srv1 192.168.0.1:80
6994 stats enable
6995 stats hide-version
6996 stats scope .
6997 stats uri /admin?stats
6998 stats realm Haproxy\ Statistics
6999 stats auth admin1:AdMiN123
7000 stats auth admin2:AdMiN321
7001
7002 # internal monitoring access (unlimited)
7003 backend private_monitoring
7004 stats enable
7005 stats uri /admin?stats
7006 stats refresh 5s
7007
7008 See also : "stats auth", "stats enable", "stats realm"
7009
7010
Willy Tarreaud63335a2010-02-26 12:56:52 +01007011stick match <pattern> [table <table>] [{if | unless} <cond>]
7012 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01007013 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01007014 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007015
7016 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007017 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007018 describes what elements of the incoming request or connection
7019 will be analysed in the hope to find a matching entry in a
7020 stickiness table. This rule is mandatory.
7021
7022 <table> is an optional stickiness table name. If unspecified, the same
7023 backend's table is used. A stickiness table is declared using
7024 the "stick-table" statement.
7025
7026 <cond> is an optional matching condition. It makes it possible to match
7027 on a certain criterion only when other conditions are met (or
7028 not met). For instance, it could be used to match on a source IP
7029 address except when a request passes through a known proxy, in
7030 which case we'd match on a header containing that IP address.
7031
7032 Some protocols or applications require complex stickiness rules and cannot
7033 always simply rely on cookies nor hashing. The "stick match" statement
7034 describes a rule to extract the stickiness criterion from an incoming request
7035 or connection. See section 7 for a complete list of possible patterns and
7036 transformation rules.
7037
7038 The table has to be declared using the "stick-table" statement. It must be of
7039 a type compatible with the pattern. By default it is the one which is present
7040 in the same backend. It is possible to share a table with other backends by
7041 referencing it using the "table" keyword. If another table is referenced,
7042 the server's ID inside the backends are used. By default, all server IDs
7043 start at 1 in each backend, so the server ordering is enough. But in case of
7044 doubt, it is highly recommended to force server IDs using their "id" setting.
7045
7046 It is possible to restrict the conditions where a "stick match" statement
7047 will apply, using "if" or "unless" followed by a condition. See section 7 for
7048 ACL based conditions.
7049
7050 There is no limit on the number of "stick match" statements. The first that
7051 applies and matches will cause the request to be directed to the same server
7052 as was used for the request which created the entry. That way, multiple
7053 matches can be used as fallbacks.
7054
7055 The stick rules are checked after the persistence cookies, so they will not
7056 affect stickiness if a cookie has already been used to select a server. That
7057 way, it becomes very easy to insert cookies and match on IP addresses in
7058 order to maintain stickiness between HTTP and HTTPS.
7059
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007060 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7061 unless you know what you do : memory is not shared between the
7062 processes, which can result in random behaviours.
7063
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007064 Example :
7065 # forward SMTP users to the same server they just used for POP in the
7066 # last 30 minutes
7067 backend pop
7068 mode tcp
7069 balance roundrobin
7070 stick store-request src
7071 stick-table type ip size 200k expire 30m
7072 server s1 192.168.1.1:110
7073 server s2 192.168.1.1:110
7074
7075 backend smtp
7076 mode tcp
7077 balance roundrobin
7078 stick match src table pop
7079 server s1 192.168.1.1:25
7080 server s2 192.168.1.1:25
7081
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007082 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02007083 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007084
7085
7086stick on <pattern> [table <table>] [{if | unless} <condition>]
7087 Define a request pattern to associate a user to a server
7088 May be used in sections : defaults | frontend | listen | backend
7089 no | no | yes | yes
7090
7091 Note : This form is exactly equivalent to "stick match" followed by
7092 "stick store-request", all with the same arguments. Please refer
7093 to both keywords for details. It is only provided as a convenience
7094 for writing more maintainable configurations.
7095
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007096 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7097 unless you know what you do : memory is not shared between the
7098 processes, which can result in random behaviours.
7099
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007100 Examples :
7101 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01007102 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007103
7104 # ...is strictly equivalent to this one :
7105 stick match src table pop if !localhost
7106 stick store-request src table pop if !localhost
7107
7108
7109 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
7110 # well as HTTP without cookie. Share the same table between both accesses.
7111 backend http
7112 mode http
7113 balance roundrobin
7114 stick on src table https
7115 cookie SRV insert indirect nocache
7116 server s1 192.168.1.1:80 cookie s1
7117 server s2 192.168.1.1:80 cookie s2
7118
7119 backend https
7120 mode tcp
7121 balance roundrobin
7122 stick-table type ip size 200k expire 30m
7123 stick on src
7124 server s1 192.168.1.1:443
7125 server s2 192.168.1.1:443
7126
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007127 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007128
7129
7130stick store-request <pattern> [table <table>] [{if | unless} <condition>]
7131 Define a request pattern used to create an entry in a stickiness table
7132 May be used in sections : defaults | frontend | listen | backend
7133 no | no | yes | yes
7134
7135 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007136 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007137 describes what elements of the incoming request or connection
7138 will be analysed, extracted and stored in the table once a
7139 server is selected.
7140
7141 <table> is an optional stickiness table name. If unspecified, the same
7142 backend's table is used. A stickiness table is declared using
7143 the "stick-table" statement.
7144
7145 <cond> is an optional storage condition. It makes it possible to store
7146 certain criteria only when some conditions are met (or not met).
7147 For instance, it could be used to store the source IP address
7148 except when the request passes through a known proxy, in which
7149 case we'd store a converted form of a header containing that IP
7150 address.
7151
7152 Some protocols or applications require complex stickiness rules and cannot
7153 always simply rely on cookies nor hashing. The "stick store-request" statement
7154 describes a rule to decide what to extract from the request and when to do
7155 it, in order to store it into a stickiness table for further requests to
7156 match it using the "stick match" statement. Obviously the extracted part must
7157 make sense and have a chance to be matched in a further request. Storing a
7158 client's IP address for instance often makes sense. Storing an ID found in a
7159 URL parameter also makes sense. Storing a source port will almost never make
7160 any sense because it will be randomly matched. See section 7 for a complete
7161 list of possible patterns and transformation rules.
7162
7163 The table has to be declared using the "stick-table" statement. It must be of
7164 a type compatible with the pattern. By default it is the one which is present
7165 in the same backend. It is possible to share a table with other backends by
7166 referencing it using the "table" keyword. If another table is referenced,
7167 the server's ID inside the backends are used. By default, all server IDs
7168 start at 1 in each backend, so the server ordering is enough. But in case of
7169 doubt, it is highly recommended to force server IDs using their "id" setting.
7170
7171 It is possible to restrict the conditions where a "stick store-request"
7172 statement will apply, using "if" or "unless" followed by a condition. This
7173 condition will be evaluated while parsing the request, so any criteria can be
7174 used. See section 7 for ACL based conditions.
7175
7176 There is no limit on the number of "stick store-request" statements, but
7177 there is a limit of 8 simultaneous stores per request or response. This
7178 makes it possible to store up to 8 criteria, all extracted from either the
7179 request or the response, regardless of the number of rules. Only the 8 first
7180 ones which match will be kept. Using this, it is possible to feed multiple
7181 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007182 another protocol or access method. Using multiple store-request rules with
7183 the same table is possible and may be used to find the best criterion to rely
7184 on, by arranging the rules by decreasing preference order. Only the first
7185 extracted criterion for a given table will be stored. All subsequent store-
7186 request rules referencing the same table will be skipped and their ACLs will
7187 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007188
7189 The "store-request" rules are evaluated once the server connection has been
7190 established, so that the table will contain the real server that processed
7191 the request.
7192
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007193 Note : Consider not using this feature in multi-process mode (nbproc > 1)
7194 unless you know what you do : memory is not shared between the
7195 processes, which can result in random behaviours.
7196
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007197 Example :
7198 # forward SMTP users to the same server they just used for POP in the
7199 # last 30 minutes
7200 backend pop
7201 mode tcp
7202 balance roundrobin
7203 stick store-request src
7204 stick-table type ip size 200k expire 30m
7205 server s1 192.168.1.1:110
7206 server s2 192.168.1.1:110
7207
7208 backend smtp
7209 mode tcp
7210 balance roundrobin
7211 stick match src table pop
7212 server s1 192.168.1.1:25
7213 server s2 192.168.1.1:25
7214
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007215 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02007216 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007217
7218
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007219stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02007220 size <size> [expire <expire>] [nopurge] [peers <peersect>]
7221 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +08007222 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007223 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02007224 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007225
7226 Arguments :
7227 ip a table declared with "type ip" will only store IPv4 addresses.
7228 This form is very compact (about 50 bytes per entry) and allows
7229 very fast entry lookup and stores with almost no overhead. This
7230 is mainly used to store client source IP addresses.
7231
David du Colombier9a6d3c92011-03-17 10:40:24 +01007232 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
7233 This form is very compact (about 60 bytes per entry) and allows
7234 very fast entry lookup and stores with almost no overhead. This
7235 is mainly used to store client source IP addresses.
7236
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007237 integer a table declared with "type integer" will store 32bit integers
7238 which can represent a client identifier found in a request for
7239 instance.
7240
7241 string a table declared with "type string" will store substrings of up
7242 to <len> characters. If the string provided by the pattern
7243 extractor is larger than <len>, it will be truncated before
7244 being stored. During matching, at most <len> characters will be
7245 compared between the string in the table and the extracted
7246 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007247 to 32 characters.
7248
7249 binary a table declared with "type binary" will store binary blocks
7250 of <len> bytes. If the block provided by the pattern
7251 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +02007252 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007253 is shorter than <len>, it will be padded by 0. When not
7254 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007255
7256 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02007257 "string" type table (See type "string" above). Or the number
7258 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007259 changing this parameter as memory usage will proportionally
7260 increase.
7261
7262 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01007263 value directly impacts memory usage. Count approximately
7264 50 bytes per entry, plus the size of a string if any. The size
7265 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007266
7267 [nopurge] indicates that we refuse to purge older entries when the table
7268 is full. When not specified and the table is full when haproxy
7269 wants to store an entry in it, it will flush a few of the oldest
7270 entries in order to release some space for the new ones. This is
7271 most often the desired behaviour. In some specific cases, it
7272 be desirable to refuse new entries instead of purging the older
7273 ones. That may be the case when the amount of data to store is
7274 far above the hardware limits and we prefer not to offer access
7275 to new clients than to reject the ones already connected. When
7276 using this parameter, be sure to properly set the "expire"
7277 parameter (see below).
7278
Emeric Brunf099e792010-09-27 12:05:28 +02007279 <peersect> is the name of the peers section to use for replication. Entries
7280 which associate keys to server IDs are kept synchronized with
7281 the remote peers declared in this section. All entries are also
7282 automatically learned from the local peer (old process) during a
7283 soft restart.
7284
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01007285 NOTE : peers can't be used in multi-process mode.
7286
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007287 <expire> defines the maximum duration of an entry in the table since it
7288 was last created, refreshed or matched. The expiration delay is
7289 defined using the standard time format, similarly as the various
7290 timeouts. The maximum duration is slightly above 24 days. See
7291 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02007292 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007293 be removed once full. Be sure not to use the "nopurge" parameter
7294 if not expiration delay is specified.
7295
Willy Tarreau08d5f982010-06-06 13:34:54 +02007296 <data_type> is used to store additional information in the stick-table. This
7297 may be used by ACLs in order to control various criteria related
7298 to the activity of the client matching the stick-table. For each
7299 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02007300 that the additional data can fit. Several data types may be
7301 stored with an entry. Multiple data types may be specified after
7302 the "store" keyword, as a comma-separated list. Alternatively,
7303 it is possible to repeat the "store" keyword followed by one or
7304 several data types. Except for the "server_id" type which is
7305 automatically detected and enabled, all data types must be
7306 explicitly declared to be stored. If an ACL references a data
7307 type which is not stored, the ACL will simply not match. Some
7308 data types require an argument which must be passed just after
7309 the type between parenthesis. See below for the supported data
7310 types and their arguments.
7311
7312 The data types that can be stored with an entry are the following :
7313 - server_id : this is an integer which holds the numeric ID of the server a
7314 request was assigned to. It is used by the "stick match", "stick store",
7315 and "stick on" rules. It is automatically enabled when referenced.
7316
7317 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
7318 integer which may be used for anything. Most of the time it will be used
7319 to put a special tag on some entries, for instance to note that a
7320 specific behaviour was detected and must be known for future matches.
7321
Willy Tarreauba2ffd12013-05-29 15:54:14 +02007322 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
7323 over a period. It is a positive 32-bit integer integer which may be used
7324 for anything. Just like <gpc0>, it counts events, but instead of keeping
7325 a cumulative count, it maintains the rate at which the counter is
7326 incremented. Most of the time it will be used to measure the frequency of
7327 occurrence of certain events (eg: requests to a specific URL).
7328
Willy Tarreauc9705a12010-07-27 20:05:50 +02007329 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
7330 the absolute number of connections received from clients which matched
7331 this entry. It does not mean the connections were accepted, just that
7332 they were received.
7333
7334 - conn_cur : Current Connections. It is a positive 32-bit integer which
7335 stores the concurrent connection counts for the entry. It is incremented
7336 once an incoming connection matches the entry, and decremented once the
7337 connection leaves. That way it is possible to know at any time the exact
7338 number of concurrent connections for an entry.
7339
7340 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7341 integer parameter <period> which indicates in milliseconds the length
7342 of the period over which the average is measured. It reports the average
7343 incoming connection rate over that period, in connections per period. The
7344 result is an integer which can be matched using ACLs.
7345
7346 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
7347 the absolute number of sessions received from clients which matched this
7348 entry. A session is a connection that was accepted by the layer 4 rules.
7349
7350 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7351 integer parameter <period> which indicates in milliseconds the length
7352 of the period over which the average is measured. It reports the average
7353 incoming session rate over that period, in sessions per period. The
7354 result is an integer which can be matched using ACLs.
7355
7356 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
7357 counts the absolute number of HTTP requests received from clients which
7358 matched this entry. It does not matter whether they are valid requests or
7359 not. Note that this is different from sessions when keep-alive is used on
7360 the client side.
7361
7362 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7363 integer parameter <period> which indicates in milliseconds the length
7364 of the period over which the average is measured. It reports the average
7365 HTTP request rate over that period, in requests per period. The result is
7366 an integer which can be matched using ACLs. It does not matter whether
7367 they are valid requests or not. Note that this is different from sessions
7368 when keep-alive is used on the client side.
7369
7370 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
7371 counts the absolute number of HTTP requests errors induced by clients
7372 which matched this entry. Errors are counted on invalid and truncated
7373 requests, as well as on denied or tarpitted requests, and on failed
7374 authentications. If the server responds with 4xx, then the request is
7375 also counted as an error since it's an error triggered by the client
7376 (eg: vulnerability scan).
7377
7378 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7379 integer parameter <period> which indicates in milliseconds the length
7380 of the period over which the average is measured. It reports the average
7381 HTTP request error rate over that period, in requests per period (see
7382 http_err_cnt above for what is accounted as an error). The result is an
7383 integer which can be matched using ACLs.
7384
7385 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
7386 integer which counts the cumulated amount of bytes received from clients
7387 which matched this entry. Headers are included in the count. This may be
7388 used to limit abuse of upload features on photo or video servers.
7389
7390 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
7391 integer parameter <period> which indicates in milliseconds the length
7392 of the period over which the average is measured. It reports the average
7393 incoming bytes rate over that period, in bytes per period. It may be used
7394 to detect users which upload too much and too fast. Warning: with large
7395 uploads, it is possible that the amount of uploaded data will be counted
7396 once upon termination, thus causing spikes in the average transfer speed
7397 instead of having a smooth one. This may partially be smoothed with
7398 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
7399 recommended for better fairness.
7400
7401 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
7402 integer which counts the cumulated amount of bytes sent to clients which
7403 matched this entry. Headers are included in the count. This may be used
7404 to limit abuse of bots sucking the whole site.
7405
7406 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
7407 an integer parameter <period> which indicates in milliseconds the length
7408 of the period over which the average is measured. It reports the average
7409 outgoing bytes rate over that period, in bytes per period. It may be used
7410 to detect users which download too much and too fast. Warning: with large
7411 transfers, it is possible that the amount of transferred data will be
7412 counted once upon termination, thus causing spikes in the average
7413 transfer speed instead of having a smooth one. This may partially be
7414 smoothed with "option contstats" though this is not perfect yet. Use of
7415 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02007416
Willy Tarreauc00cdc22010-06-06 16:48:26 +02007417 There is only one stick-table per proxy. At the moment of writing this doc,
7418 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007419 to be required, simply create a dummy backend with a stick-table in it and
7420 reference it.
7421
7422 It is important to understand that stickiness based on learning information
7423 has some limitations, including the fact that all learned associations are
7424 lost upon restart. In general it can be good as a complement but not always
7425 as an exclusive stickiness.
7426
Willy Tarreauc9705a12010-07-27 20:05:50 +02007427 Last, memory requirements may be important when storing many data types.
7428 Indeed, storing all indicators above at once in each entry requires 116 bytes
7429 per entry, or 116 MB for a 1-million entries table. This is definitely not
7430 something that can be ignored.
7431
7432 Example:
7433 # Keep track of counters of up to 1 million IP addresses over 5 minutes
7434 # and store a general purpose counter and the average connection rate
7435 # computed over a sliding window of 30 seconds.
7436 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
7437
7438 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01007439 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007440
7441
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007442stick store-response <pattern> [table <table>] [{if | unless} <condition>]
7443 Define a request pattern used to create an entry in a stickiness table
7444 May be used in sections : defaults | frontend | listen | backend
7445 no | no | yes | yes
7446
7447 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007448 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007449 describes what elements of the response or connection will
7450 be analysed, extracted and stored in the table once a
7451 server is selected.
7452
7453 <table> is an optional stickiness table name. If unspecified, the same
7454 backend's table is used. A stickiness table is declared using
7455 the "stick-table" statement.
7456
7457 <cond> is an optional storage condition. It makes it possible to store
7458 certain criteria only when some conditions are met (or not met).
7459 For instance, it could be used to store the SSL session ID only
7460 when the response is a SSL server hello.
7461
7462 Some protocols or applications require complex stickiness rules and cannot
7463 always simply rely on cookies nor hashing. The "stick store-response"
7464 statement describes a rule to decide what to extract from the response and
7465 when to do it, in order to store it into a stickiness table for further
7466 requests to match it using the "stick match" statement. Obviously the
7467 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007468 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007469 See section 7 for a complete list of possible patterns and transformation
7470 rules.
7471
7472 The table has to be declared using the "stick-table" statement. It must be of
7473 a type compatible with the pattern. By default it is the one which is present
7474 in the same backend. It is possible to share a table with other backends by
7475 referencing it using the "table" keyword. If another table is referenced,
7476 the server's ID inside the backends are used. By default, all server IDs
7477 start at 1 in each backend, so the server ordering is enough. But in case of
7478 doubt, it is highly recommended to force server IDs using their "id" setting.
7479
7480 It is possible to restrict the conditions where a "stick store-response"
7481 statement will apply, using "if" or "unless" followed by a condition. This
7482 condition will be evaluated while parsing the response, so any criteria can
7483 be used. See section 7 for ACL based conditions.
7484
7485 There is no limit on the number of "stick store-response" statements, but
7486 there is a limit of 8 simultaneous stores per request or response. This
7487 makes it possible to store up to 8 criteria, all extracted from either the
7488 request or the response, regardless of the number of rules. Only the 8 first
7489 ones which match will be kept. Using this, it is possible to feed multiple
7490 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007491 another protocol or access method. Using multiple store-response rules with
7492 the same table is possible and may be used to find the best criterion to rely
7493 on, by arranging the rules by decreasing preference order. Only the first
7494 extracted criterion for a given table will be stored. All subsequent store-
7495 response rules referencing the same table will be skipped and their ACLs will
7496 not be evaluated. However, even if a store-request rule references a table, a
7497 store-response rule may also use the same table. This means that each table
7498 may learn exactly one element from the request and one element from the
7499 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007500
7501 The table will contain the real server that processed the request.
7502
7503 Example :
7504 # Learn SSL session ID from both request and response and create affinity.
7505 backend https
7506 mode tcp
7507 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02007508 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007509 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007510
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007511 acl clienthello req_ssl_hello_type 1
7512 acl serverhello rep_ssl_hello_type 2
7513
7514 # use tcp content accepts to detects ssl client and server hello.
7515 tcp-request inspect-delay 5s
7516 tcp-request content accept if clienthello
7517
7518 # no timeout on response inspect delay by default.
7519 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007520
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007521 # SSL session ID (SSLID) may be present on a client or server hello.
7522 # Its length is coded on 1 byte at offset 43 and its value starts
7523 # at offset 44.
7524
7525 # Match and learn on request if client hello.
7526 stick on payload_lv(43,1) if clienthello
7527
7528 # Learn on response if server hello.
7529 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02007530
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007531 server s1 192.168.1.1:443
7532 server s2 192.168.1.1:443
7533
7534 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
7535 extraction.
7536
7537
Willy Tarreau938c7fe2014-04-25 14:21:39 +02007538tcp-check connect [params*]
7539 Opens a new connection
7540 May be used in sections: defaults | frontend | listen | backend
7541 no | no | yes | yes
7542
7543 When an application lies on more than a single TCP port or when HAProxy
7544 load-balance many services in a single backend, it makes sense to probe all
7545 the services individually before considering a server as operational.
7546
7547 When there are no TCP port configured on the server line neither server port
7548 directive, then the 'tcp-check connect port <port>' must be the first step
7549 of the sequence.
7550
7551 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
7552 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
7553 do.
7554
7555 Parameters :
7556 They are optional and can be used to describe how HAProxy should open and
7557 use the TCP connection.
7558
7559 port if not set, check port or server port is used.
7560 It tells HAProxy where to open the connection to.
7561 <port> must be a valid TCP port source integer, from 1 to 65535.
7562
7563 send-proxy send a PROXY protocol string
7564
7565 ssl opens a ciphered connection
7566
7567 Examples:
7568 # check HTTP and HTTPs services on a server.
7569 # first open port 80 thanks to server line port directive, then
7570 # tcp-check opens port 443, ciphered and run a request on it:
7571 option tcp-check
7572 tcp-check connect
7573 tcp-check send GET\ /\ HTTP/1.0\r\n
7574 tcp-check send Host:\ haproxy.1wt.eu\r\n
7575 tcp-check send \r\n
7576 tcp-check expect rstring (2..|3..)
7577 tcp-check connect port 443 ssl
7578 tcp-check send GET\ /\ HTTP/1.0\r\n
7579 tcp-check send Host:\ haproxy.1wt.eu\r\n
7580 tcp-check send \r\n
7581 tcp-check expect rstring (2..|3..)
7582 server www 10.0.0.1 check port 80
7583
7584 # check both POP and IMAP from a single server:
7585 option tcp-check
7586 tcp-check connect port 110
7587 tcp-check expect string +OK\ POP3\ ready
7588 tcp-check connect port 143
7589 tcp-check expect string *\ OK\ IMAP4\ ready
7590 server mail 10.0.0.1 check
7591
7592 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
7593
7594
7595tcp-check expect [!] <match> <pattern>
7596 Specify data to be collected and analysed during a generic health check
7597 May be used in sections: defaults | frontend | listen | backend
7598 no | no | yes | yes
7599
7600 Arguments :
7601 <match> is a keyword indicating how to look for a specific pattern in the
7602 response. The keyword may be one of "string", "rstring" or
7603 binary.
7604 The keyword may be preceded by an exclamation mark ("!") to negate
7605 the match. Spaces are allowed between the exclamation mark and the
7606 keyword. See below for more details on the supported keywords.
7607
7608 <pattern> is the pattern to look for. It may be a string or a regular
7609 expression. If the pattern contains spaces, they must be escaped
7610 with the usual backslash ('\').
7611 If the match is set to binary, then the pattern must be passed as
7612 a serie of hexadecimal digits in an even number. Each sequence of
7613 two digits will represent a byte. The hexadecimal digits may be
7614 used upper or lower case.
7615
7616
7617 The available matches are intentionally similar to their http-check cousins :
7618
7619 string <string> : test the exact string matches in the response buffer.
7620 A health check response will be considered valid if the
7621 response's buffer contains this exact string. If the
7622 "string" keyword is prefixed with "!", then the response
7623 will be considered invalid if the body contains this
7624 string. This can be used to look for a mandatory pattern
7625 in a protocol response, or to detect a failure when a
7626 specific error appears in a protocol banner.
7627
7628 rstring <regex> : test a regular expression on the response buffer.
7629 A health check response will be considered valid if the
7630 response's buffer matches this expression. If the
7631 "rstring" keyword is prefixed with "!", then the response
7632 will be considered invalid if the body matches the
7633 expression.
7634
7635 binary <hexstring> : test the exact string in its hexadecimal form matches
7636 in the response buffer. A health check response will
7637 be considered valid if the response's buffer contains
7638 this exact hexadecimal string.
7639 Purpose is to match data on binary protocols.
7640
7641 It is important to note that the responses will be limited to a certain size
7642 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
7643 Thus, too large responses may not contain the mandatory pattern when using
7644 "string", "rstring" or binary. If a large response is absolutely required, it
7645 is possible to change the default max size by setting the global variable.
7646 However, it is worth keeping in mind that parsing very large responses can
7647 waste some CPU cycles, especially when regular expressions are used, and that
7648 it is always better to focus the checks on smaller resources. Also, in its
7649 current state, the check will not find any string nor regex past a null
7650 character in the response. Similarly it is not possible to request matching
7651 the null character.
7652
7653 Examples :
7654 # perform a POP check
7655 option tcp-check
7656 tcp-check expect string +OK\ POP3\ ready
7657
7658 # perform an IMAP check
7659 option tcp-check
7660 tcp-check expect string *\ OK\ IMAP4\ ready
7661
7662 # look for the redis master server
7663 option tcp-check
7664 tcp-check send PING\r\n
7665 tcp-check expect +PONG
7666 tcp-check send info\ replication\r\n
7667 tcp-check expect string role:master
7668 tcp-check send QUIT\r\n
7669 tcp-check expect string +OK
7670
7671
7672 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
7673 "tcp-check send-binary", "http-check expect", tune.chksize
7674
7675
7676tcp-check send <data>
7677 Specify a string to be sent as a question during a generic health check
7678 May be used in sections: defaults | frontend | listen | backend
7679 no | no | yes | yes
7680
7681 <data> : the data to be sent as a question during a generic health check
7682 session. For now, <data> must be a string.
7683
7684 Examples :
7685 # look for the redis master server
7686 option tcp-check
7687 tcp-check send info\ replication\r\n
7688 tcp-check expect string role:master
7689
7690 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7691 "tcp-check send-binary", tune.chksize
7692
7693
7694tcp-check send-binary <hexastring>
7695 Specify an hexa digits string to be sent as a binary question during a raw
7696 tcp health check
7697 May be used in sections: defaults | frontend | listen | backend
7698 no | no | yes | yes
7699
7700 <data> : the data to be sent as a question during a generic health check
7701 session. For now, <data> must be a string.
7702 <hexastring> : test the exact string in its hexadecimal form matches in the
7703 response buffer. A health check response will be considered
7704 valid if the response's buffer contains this exact
7705 hexadecimal string.
7706 Purpose is to send binary data to ask on binary protocols.
7707
7708 Examples :
7709 # redis check in binary
7710 option tcp-check
7711 tcp-check send-binary 50494e470d0a # PING\r\n
7712 tcp-check expect binary 2b504F4e47 # +PONG
7713
7714
7715 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7716 "tcp-check send", tune.chksize
7717
7718
Willy Tarreaue9656522010-08-17 15:40:09 +02007719tcp-request connection <action> [{if | unless} <condition>]
7720 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02007721 May be used in sections : defaults | frontend | listen | backend
7722 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02007723 Arguments :
7724 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007725 actions include : "accept", "reject", "track-sc0", "track-sc1",
7726 "track-sc2", and "expect-proxy". See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02007727
Willy Tarreaue9656522010-08-17 15:40:09 +02007728 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007729
7730 Immediately after acceptance of a new incoming connection, it is possible to
7731 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02007732 or dropped or have its counters tracked. Those conditions cannot make use of
7733 any data contents because the connection has not been read from yet, and the
7734 buffers are not yet allocated. This is used to selectively and very quickly
7735 accept or drop connections from various sources with a very low overhead. If
7736 some contents need to be inspected in order to take the decision, the
7737 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007738
Willy Tarreaue9656522010-08-17 15:40:09 +02007739 The "tcp-request connection" rules are evaluated in their exact declaration
7740 order. If no rule matches or if there is no rule, the default action is to
7741 accept the incoming connection. There is no specific limit to the number of
7742 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007743
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007744 Five types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +02007745 - accept :
7746 accepts the connection if the condition is true (when used with "if")
7747 or false (when used with "unless"). The first such rule executed ends
7748 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007749
Willy Tarreaue9656522010-08-17 15:40:09 +02007750 - reject :
7751 rejects the connection if the condition is true (when used with "if")
7752 or false (when used with "unless"). The first such rule executed ends
7753 the rules evaluation. Rejected connections do not even become a
7754 session, which is why they are accounted separately for in the stats,
7755 as "denied connections". They are not considered for the session
7756 rate-limit and are not logged either. The reason is that these rules
7757 should only be used to filter extremely high connection rates such as
7758 the ones encountered during a massive DDoS attack. Under these extreme
7759 conditions, the simple action of logging each event would make the
7760 system collapse and would considerably lower the filtering capacity. If
7761 logging is absolutely desired, then "tcp-request content" rules should
7762 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007763
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007764 - expect-proxy layer4 :
7765 configures the client-facing connection to receive a PROXY protocol
7766 header before any byte is read from the socket. This is equivalent to
7767 having the "accept-proxy" keyword on the "bind" line, except that using
7768 the TCP rule allows the PROXY protocol to be accepted only for certain
7769 IP address ranges using an ACL. This is convenient when multiple layers
7770 of load balancers are passed through by traffic coming from public
7771 hosts.
7772
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007773 - capture <sample> len <length> :
7774 This only applies to "tcp-request content" rules. It captures sample
7775 expression <sample> from the request buffer, and converts it to a
7776 string of at most <len> characters. The resulting string is stored into
7777 the next request "capture" slot, so it will possibly appear next to
7778 some captured HTTP headers. It will then automatically appear in the
7779 logs, and it will be possible to extract it using sample fetch rules to
7780 feed it into headers or anything. The length should be limited given
7781 that this size will be allocated for each capture during the whole
7782 session life. Since it applies to Please check section 7.3 (Fetching
7783 samples) and "capture request header" for more information.
7784
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007785 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +02007786 enables tracking of sticky counters from current connection. These
Willy Tarreau09448f72014-06-25 18:12:15 +02007787 rules do not stop evaluation and do not change default action. 3 sets
Willy Tarreaue9656522010-08-17 15:40:09 +02007788 of counters may be simultaneously tracked by the same connection. The
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007789 first "track-sc0" rule executed enables tracking of the counters of the
7790 specified table as the first set. The first "track-sc1" rule executed
Willy Tarreaue9656522010-08-17 15:40:09 +02007791 enables tracking of the counters of the specified table as the second
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007792 set. The first "track-sc2" rule executed enables tracking of the
7793 counters of the specified table as the third set. It is a recommended
7794 practice to use the first set of counters for the per-frontend counters
7795 and the second set for the per-backend ones. But this is just a
7796 guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007797
Willy Tarreaue9656522010-08-17 15:40:09 +02007798 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007799 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +02007800 in section 7.3. It describes what elements of the incoming
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007801 request or connection will be analysed, extracted, combined,
7802 and used to select which table entry to update the counters.
7803 Note that "tcp-request connection" cannot use content-based
7804 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007805
Willy Tarreaue9656522010-08-17 15:40:09 +02007806 <table> is an optional table to be used instead of the default one,
7807 which is the stick-table declared in the current proxy. All
7808 the counters for the matches and updates for the key will
7809 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007810
Willy Tarreaue9656522010-08-17 15:40:09 +02007811 Once a "track-sc*" rule is executed, the key is looked up in the table
7812 and if it is not found, an entry is allocated for it. Then a pointer to
7813 that entry is kept during all the session's life, and this entry's
7814 counters are updated as often as possible, every time the session's
7815 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007816 Counters are only updated for events that happen after the tracking has
7817 been started. For example, connection counters will not be updated when
7818 tracking layer 7 information, since the connection event happens before
7819 layer7 information is extracted.
7820
Willy Tarreaue9656522010-08-17 15:40:09 +02007821 If the entry tracks concurrent connection counters, one connection is
7822 counted for as long as the entry is tracked, and the entry will not
7823 expire during that time. Tracking counters also provides a performance
7824 advantage over just checking the keys, because only one table lookup is
7825 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007826
Willy Tarreaue9656522010-08-17 15:40:09 +02007827 Note that the "if/unless" condition is optional. If no condition is set on
7828 the action, it is simply performed unconditionally. That can be useful for
7829 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007830
Willy Tarreaue9656522010-08-17 15:40:09 +02007831 Example: accept all connections from white-listed hosts, reject too fast
7832 connection without counting them, and track accepted connections.
7833 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007834
Willy Tarreaue9656522010-08-17 15:40:09 +02007835 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007836 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007837 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007838
Willy Tarreaue9656522010-08-17 15:40:09 +02007839 Example: accept all connections from white-listed hosts, count all other
7840 connections and reject too fast ones. This results in abusive ones
7841 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007842
Willy Tarreaue9656522010-08-17 15:40:09 +02007843 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007844 tcp-request connection track-sc0 src
7845 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007846
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007847 Example: enable the PROXY protocol for traffic coming from all known proxies.
7848
7849 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
7850
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007851 See section 7 about ACL usage.
7852
Willy Tarreaue9656522010-08-17 15:40:09 +02007853 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007854
7855
Willy Tarreaue9656522010-08-17 15:40:09 +02007856tcp-request content <action> [{if | unless} <condition>]
7857 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02007858 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007859 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02007860 Arguments :
7861 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007862 actions include : "accept", "reject", "track-sc0", "track-sc1",
Thierry FOURNIER90da1912015-03-05 11:17:06 +01007863 "track-sc2", "capture" and "lua". See "tcp-request connection"
7864 above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02007865
Willy Tarreaue9656522010-08-17 15:40:09 +02007866 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02007867
Willy Tarreaue9656522010-08-17 15:40:09 +02007868 A request's contents can be analysed at an early stage of request processing
7869 called "TCP content inspection". During this stage, ACL-based rules are
7870 evaluated every time the request contents are updated, until either an
7871 "accept" or a "reject" rule matches, or the TCP request inspection delay
7872 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02007873
Willy Tarreaue9656522010-08-17 15:40:09 +02007874 The first difference between these rules and "tcp-request connection" rules
7875 is that "tcp-request content" rules can make use of contents to take a
7876 decision. Most often, these decisions will consider a protocol recognition or
7877 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +01007878 both frontends and backends. In case of HTTP keep-alive with the client, all
7879 tcp-request content rules are evaluated again, so haproxy keeps a record of
7880 what sticky counters were assigned by a "tcp-request connection" versus a
7881 "tcp-request content" rule, and flushes all the content-related ones after
7882 processing an HTTP request, so that they may be evaluated again by the rules
7883 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007884 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +01007885 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +02007886
Willy Tarreaue9656522010-08-17 15:40:09 +02007887 Content-based rules are evaluated in their exact declaration order. If no
7888 rule matches or if there is no rule, the default action is to accept the
7889 contents. There is no specific limit to the number of rules which may be
7890 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02007891
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007892 Four types of actions are supported :
7893 - accept : the request is accepted
7894 - reject : the request is rejected and the connection is closed
7895 - capture : the specified sample expression is captured
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007896 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02007897
Willy Tarreaue9656522010-08-17 15:40:09 +02007898 They have the same meaning as their counter-parts in "tcp-request connection"
7899 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02007900
Willy Tarreauf3338342014-01-28 21:40:28 +01007901 While there is nothing mandatory about it, it is recommended to use the
7902 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
7903 content" rules in the frontend, and track-sc2 for "tcp-request content"
7904 rules in the backend, because that makes the configuration more readable
7905 and easier to troubleshoot, but this is just a guideline and all counters
7906 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +02007907
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007908 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02007909 the action, it is simply performed unconditionally. That can be useful for
7910 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02007911
Willy Tarreaue9656522010-08-17 15:40:09 +02007912 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02007913 rules, since HTTP-specific ACL matches are able to preliminarily parse the
7914 contents of a buffer before extracting the required data. If the buffered
7915 contents do not parse as a valid HTTP message, then the ACL does not match.
7916 The parser which is involved there is exactly the same as for all other HTTP
Willy Tarreauf3338342014-01-28 21:40:28 +01007917 processing, so there is no risk of parsing something differently. In an HTTP
7918 backend connected to from an HTTP frontend, it is guaranteed that HTTP
7919 contents will always be immediately present when the rule is evaluated first.
Willy Tarreau62644772008-07-16 18:36:06 +02007920
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007921 Tracking layer7 information is also possible provided that the information
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007922 are present when the rule is processed. The rule processing engine is able to
7923 wait until the inspect delay expires when the data to be tracked is not yet
7924 available.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007925
Thierry FOURNIER90da1912015-03-05 11:17:06 +01007926 The "lua" keyword is followed by a Lua function name. It is used to run a Lua
7927 function if the action is executed. The single parameter is the name of the
7928 function to run. The prototype of the function is documented in the API
7929 documentation.
7930
Willy Tarreau62644772008-07-16 18:36:06 +02007931 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02007932 # Accept HTTP requests containing a Host header saying "example.com"
7933 # and reject everything else.
7934 acl is_host_com hdr(Host) -i example.com
7935 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02007936 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02007937 tcp-request content reject
7938
7939 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02007940 # reject SMTP connection if client speaks first
7941 tcp-request inspect-delay 30s
7942 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007943 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02007944
7945 # Forward HTTPS connection only if client speaks
7946 tcp-request inspect-delay 30s
7947 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007948 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02007949 tcp-request content reject
7950
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007951 Example:
7952 # Track the last IP from X-Forwarded-For
7953 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007954 tcp-request content track-sc0 hdr(x-forwarded-for,-1)
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007955
7956 Example:
7957 # track request counts per "base" (concatenation of Host+URL)
7958 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +02007959 tcp-request content track-sc0 base table req-rate
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007960
Willy Tarreaue9656522010-08-17 15:40:09 +02007961 Example: track per-frontend and per-backend counters, block abusers at the
7962 frontend when the backend detects abuse.
7963
7964 frontend http
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007965 # Use General Purpose Couter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +02007966 # protecting all our sites
7967 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007968 tcp-request connection track-sc0 src
7969 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +02007970 ...
7971 use_backend http_dynamic if { path_end .php }
7972
7973 backend http_dynamic
7974 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007975 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +02007976 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007977 acl click_too_fast sc1_http_req_rate gt 10
7978 acl mark_as_abuser sc0_inc_gpc0 gt 0
7979 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +02007980 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02007981
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007982 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02007983
Willy Tarreaue9656522010-08-17 15:40:09 +02007984 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02007985
7986
7987tcp-request inspect-delay <timeout>
7988 Set the maximum allowed time to wait for data during content inspection
7989 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007990 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02007991 Arguments :
7992 <timeout> is the timeout value specified in milliseconds by default, but
7993 can be in any other unit if the number is suffixed by the unit,
7994 as explained at the top of this document.
7995
7996 People using haproxy primarily as a TCP relay are often worried about the
7997 risk of passing any type of protocol to a server without any analysis. In
7998 order to be able to analyze the request contents, we must first withhold
7999 the data then analyze them. This statement simply enables withholding of
8000 data for at most the specified amount of time.
8001
Willy Tarreaufb356202010-08-03 14:02:05 +02008002 TCP content inspection applies very early when a connection reaches a
8003 frontend, then very early when the connection is forwarded to a backend. This
8004 means that a connection may experience a first delay in the frontend and a
8005 second delay in the backend if both have tcp-request rules.
8006
Willy Tarreau62644772008-07-16 18:36:06 +02008007 Note that when performing content inspection, haproxy will evaluate the whole
8008 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008009 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02008010 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01008011 contents are definitive. If no delay is set, haproxy will not wait at all
8012 and will immediately apply a verdict based on the available information.
8013 Obviously this is unlikely to be very useful and might even be racy, so such
8014 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02008015
8016 As soon as a rule matches, the request is released and continues as usual. If
8017 the timeout is reached and no rule matches, the default policy will be to let
8018 it pass through unaffected.
8019
8020 For most protocols, it is enough to set it to a few seconds, as most clients
8021 send the full request immediately upon connection. Add 3 or more seconds to
8022 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01008023 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02008024 before the server (eg: SMTP), or to wait for a client to talk before passing
8025 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02008026 least the inspection delay, otherwise it will expire first. If the client
8027 closes the connection or if the buffer is full, the delay immediately expires
8028 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02008029
Willy Tarreau55165fe2009-05-10 12:02:55 +02008030 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02008031 "timeout client".
8032
8033
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008034tcp-response content <action> [{if | unless} <condition>]
8035 Perform an action on a session response depending on a layer 4-7 condition
8036 May be used in sections : defaults | frontend | listen | backend
8037 no | no | yes | yes
8038 Arguments :
8039 <action> defines the action to perform if the condition applies. Valid
Thierry FOURNIER90da1912015-03-05 11:17:06 +01008040 actions include : "accept", "close", "reject", "lua".
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008041
8042 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
8043
8044 Response contents can be analysed at an early stage of response processing
8045 called "TCP content inspection". During this stage, ACL-based rules are
8046 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008047 "accept", "close" or a "reject" rule matches, or a TCP response inspection
8048 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008049
8050 Most often, these decisions will consider a protocol recognition or validity.
8051
8052 Content-based rules are evaluated in their exact declaration order. If no
8053 rule matches or if there is no rule, the default action is to accept the
8054 contents. There is no specific limit to the number of rules which may be
8055 inserted.
8056
8057 Two types of actions are supported :
8058 - accept :
8059 accepts the response if the condition is true (when used with "if")
8060 or false (when used with "unless"). The first such rule executed ends
8061 the rules evaluation.
8062
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008063 - close :
8064 immediately closes the connection with the server if the condition is
8065 true (when used with "if"), or false (when used with "unless"). The
8066 first such rule executed ends the rules evaluation. The main purpose of
8067 this action is to force a connection to be finished between a client
8068 and a server after an exchange when the application protocol expects
8069 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008070 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02008071 protocols.
8072
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008073 - reject :
8074 rejects the response if the condition is true (when used with "if")
8075 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008076 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008077
8078 Note that the "if/unless" condition is optional. If no condition is set on
8079 the action, it is simply performed unconditionally. That can be useful for
8080 for changing the default action to a reject.
8081
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008082 It is perfectly possible to match layer 7 contents with "tcp-response
8083 content" rules, but then it is important to ensure that a full response has
8084 been buffered, otherwise no contents will match. In order to achieve this,
8085 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008086 period.
8087
Thierry FOURNIER90da1912015-03-05 11:17:06 +01008088 The "lua" keyword is followed by a Lua function name. It is used to run a Lua
8089 function if the action is executed. The single parameter is the name of the
8090 function to run. The prototype of the function is documented in the API
8091 documentation.
8092
Emeric Brun0a3b67f2010-09-24 15:34:53 +02008093 See section 7 about ACL usage.
8094
8095 See also : "tcp-request content", "tcp-response inspect-delay"
8096
8097
8098tcp-response inspect-delay <timeout>
8099 Set the maximum allowed time to wait for a response during content inspection
8100 May be used in sections : defaults | frontend | listen | backend
8101 no | no | yes | yes
8102 Arguments :
8103 <timeout> is the timeout value specified in milliseconds by default, but
8104 can be in any other unit if the number is suffixed by the unit,
8105 as explained at the top of this document.
8106
8107 See also : "tcp-response content", "tcp-request inspect-delay".
8108
8109
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008110timeout check <timeout>
8111 Set additional check timeout, but only after a connection has been already
8112 established.
8113
8114 May be used in sections: defaults | frontend | listen | backend
8115 yes | no | yes | yes
8116 Arguments:
8117 <timeout> is the timeout value specified in milliseconds by default, but
8118 can be in any other unit if the number is suffixed by the unit,
8119 as explained at the top of this document.
8120
8121 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
8122 for check and "timeout check" as an additional read timeout. The "min" is
8123 used so that people running with *very* long "timeout connect" (eg. those
8124 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01008125 (Please also note that there is no valid reason to have such long connect
8126 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
8127 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008128
8129 If "timeout check" is not set haproxy uses "inter" for complete check
8130 timeout (connect + read) exactly like all <1.3.15 version.
8131
8132 In most cases check request is much simpler and faster to handle than normal
8133 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01008134 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008135
8136 This parameter is specific to backends, but can be specified once for all in
8137 "defaults" sections. This is in fact one of the easiest solutions not to
8138 forget about it.
8139
Willy Tarreau41a340d2008-01-22 12:25:31 +01008140 See also: "timeout connect", "timeout queue", "timeout server",
8141 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008142
8143
Willy Tarreau0ba27502007-12-24 16:55:16 +01008144timeout client <timeout>
8145timeout clitimeout <timeout> (deprecated)
8146 Set the maximum inactivity time on the client side.
8147 May be used in sections : defaults | frontend | listen | backend
8148 yes | yes | yes | no
8149 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008150 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01008151 can be in any other unit if the number is suffixed by the unit,
8152 as explained at the top of this document.
8153
8154 The inactivity timeout applies when the client is expected to acknowledge or
8155 send data. In HTTP mode, this timeout is particularly important to consider
8156 during the first phase, when the client sends the request, and during the
8157 response while it is reading data sent by the server. The value is specified
8158 in milliseconds by default, but can be in any other unit if the number is
8159 suffixed by the unit, as specified at the top of this document. In TCP mode
8160 (and to a lesser extent, in HTTP mode), it is highly recommended that the
8161 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008162 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01008163 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02008164 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
8165 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +02008166 which overrides "timeout client" and "timeout server" for tunnels, as well as
8167 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008168
8169 This parameter is specific to frontends, but can be specified once for all in
8170 "defaults" sections. This is in fact one of the easiest solutions not to
8171 forget about it. An unspecified timeout results in an infinite timeout, which
8172 is not recommended. Such a usage is accepted and works but reports a warning
8173 during startup because it may results in accumulation of expired sessions in
8174 the system if the system's timeouts are not configured either.
8175
8176 This parameter replaces the old, deprecated "clitimeout". It is recommended
8177 to use it to write new configurations. The form "timeout clitimeout" is
8178 provided only by backwards compatibility but its use is strongly discouraged.
8179
Willy Tarreauce887fd2012-05-12 12:50:00 +02008180 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01008181
8182
Willy Tarreau05cdd962014-05-10 14:30:07 +02008183timeout client-fin <timeout>
8184 Set the inactivity timeout on the client side for half-closed connections.
8185 May be used in sections : defaults | frontend | listen | backend
8186 yes | yes | yes | no
8187 Arguments :
8188 <timeout> is the timeout value specified in milliseconds by default, but
8189 can be in any other unit if the number is suffixed by the unit,
8190 as explained at the top of this document.
8191
8192 The inactivity timeout applies when the client is expected to acknowledge or
8193 send data while one direction is already shut down. This timeout is different
8194 from "timeout client" in that it only applies to connections which are closed
8195 in one direction. This is particularly useful to avoid keeping connections in
8196 FIN_WAIT state for too long when clients do not disconnect cleanly. This
8197 problem is particularly common long connections such as RDP or WebSocket.
8198 Note that this timeout can override "timeout tunnel" when a connection shuts
8199 down in one direction.
8200
8201 This parameter is specific to frontends, but can be specified once for all in
8202 "defaults" sections. By default it is not set, so half-closed connections
8203 will use the other timeouts (timeout.client or timeout.tunnel).
8204
8205 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
8206
8207
Willy Tarreau0ba27502007-12-24 16:55:16 +01008208timeout connect <timeout>
8209timeout contimeout <timeout> (deprecated)
8210 Set the maximum time to wait for a connection attempt to a server to succeed.
8211 May be used in sections : defaults | frontend | listen | backend
8212 yes | no | yes | yes
8213 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008214 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01008215 can be in any other unit if the number is suffixed by the unit,
8216 as explained at the top of this document.
8217
8218 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008219 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01008220 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01008221 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01008222 connect timeout also presets both queue and tarpit timeouts to the same value
8223 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008224
8225 This parameter is specific to backends, but can be specified once for all in
8226 "defaults" sections. This is in fact one of the easiest solutions not to
8227 forget about it. An unspecified timeout results in an infinite timeout, which
8228 is not recommended. Such a usage is accepted and works but reports a warning
8229 during startup because it may results in accumulation of failed sessions in
8230 the system if the system's timeouts are not configured either.
8231
8232 This parameter replaces the old, deprecated "contimeout". It is recommended
8233 to use it to write new configurations. The form "timeout contimeout" is
8234 provided only by backwards compatibility but its use is strongly discouraged.
8235
Willy Tarreau41a340d2008-01-22 12:25:31 +01008236 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
8237 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01008238
8239
Willy Tarreaub16a5742010-01-10 14:46:16 +01008240timeout http-keep-alive <timeout>
8241 Set the maximum allowed time to wait for a new HTTP request to appear
8242 May be used in sections : defaults | frontend | listen | backend
8243 yes | yes | yes | yes
8244 Arguments :
8245 <timeout> is the timeout value specified in milliseconds by default, but
8246 can be in any other unit if the number is suffixed by the unit,
8247 as explained at the top of this document.
8248
8249 By default, the time to wait for a new request in case of keep-alive is set
8250 by "timeout http-request". However this is not always convenient because some
8251 people want very short keep-alive timeouts in order to release connections
8252 faster, and others prefer to have larger ones but still have short timeouts
8253 once the request has started to present itself.
8254
8255 The "http-keep-alive" timeout covers these needs. It will define how long to
8256 wait for a new HTTP request to start coming after a response was sent. Once
8257 the first byte of request has been seen, the "http-request" timeout is used
8258 to wait for the complete request to come. Note that empty lines prior to a
8259 new request do not refresh the timeout and are not counted as a new request.
8260
8261 There is also another difference between the two timeouts : when a connection
8262 expires during timeout http-keep-alive, no error is returned, the connection
8263 just closes. If the connection expires in "http-request" while waiting for a
8264 connection to complete, a HTTP 408 error is returned.
8265
8266 In general it is optimal to set this value to a few tens to hundreds of
8267 milliseconds, to allow users to fetch all objects of a page at once but
8268 without waiting for further clicks. Also, if set to a very small value (eg:
8269 1 millisecond) it will probably only accept pipelined requests but not the
8270 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02008271 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01008272
8273 If this parameter is not set, the "http-request" timeout applies, and if both
8274 are not set, "timeout client" still applies at the lower level. It should be
8275 set in the frontend to take effect, unless the frontend is in TCP mode, in
8276 which case the HTTP backend's timeout will be used.
8277
8278 See also : "timeout http-request", "timeout client".
8279
8280
Willy Tarreau036fae02008-01-06 13:24:40 +01008281timeout http-request <timeout>
8282 Set the maximum allowed time to wait for a complete HTTP request
8283 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008284 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01008285 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01008286 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01008287 can be in any other unit if the number is suffixed by the unit,
8288 as explained at the top of this document.
8289
8290 In order to offer DoS protection, it may be required to lower the maximum
8291 accepted time to receive a complete HTTP request without affecting the client
8292 timeout. This helps protecting against established connections on which
8293 nothing is sent. The client timeout cannot offer a good protection against
8294 this abuse because it is an inactivity timeout, which means that if the
8295 attacker sends one character every now and then, the timeout will not
8296 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +02008297 types, the request will be aborted if it does not complete in time. When the
8298 timeout expires, an HTTP 408 response is sent to the client to inform it
8299 about the problem, and the connection is closed. The logs will report
8300 termination codes "cR". Some recent browsers are having problems with this
8301 standard, well-documented behaviour, so it might be needed to hide the 408
8302 code using "errorfile 408 /dev/null". See more details in the explanations of
8303 the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +01008304
8305 Note that this timeout only applies to the header part of the request, and
8306 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01008307 used anymore. It is used again on keep-alive connections to wait for a second
8308 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01008309
8310 Generally it is enough to set it to a few seconds, as most clients send the
8311 full request immediately upon connection. Add 3 or more seconds to cover TCP
8312 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
8313 generally work on local networks as long as there are no packet losses. This
8314 will prevent people from sending bare HTTP requests using telnet.
8315
8316 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02008317 chunk of the incoming request. It should be set in the frontend to take
8318 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
8319 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01008320
Willy Tarreau2705a612014-05-23 17:38:34 +02008321 See also : "errorfile", "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01008322
Willy Tarreau844e3c52008-01-11 16:28:18 +01008323
8324timeout queue <timeout>
8325 Set the maximum time to wait in the queue for a connection slot to be free
8326 May be used in sections : defaults | frontend | listen | backend
8327 yes | no | yes | yes
8328 Arguments :
8329 <timeout> is the timeout value specified in milliseconds by default, but
8330 can be in any other unit if the number is suffixed by the unit,
8331 as explained at the top of this document.
8332
8333 When a server's maxconn is reached, connections are left pending in a queue
8334 which may be server-specific or global to the backend. In order not to wait
8335 indefinitely, a timeout is applied to requests pending in the queue. If the
8336 timeout is reached, it is considered that the request will almost never be
8337 served, so it is dropped and a 503 error is returned to the client.
8338
8339 The "timeout queue" statement allows to fix the maximum time for a request to
8340 be left pending in a queue. If unspecified, the same value as the backend's
8341 connection timeout ("timeout connect") is used, for backwards compatibility
8342 with older versions with no "timeout queue" parameter.
8343
8344 See also : "timeout connect", "contimeout".
8345
8346
8347timeout server <timeout>
8348timeout srvtimeout <timeout> (deprecated)
8349 Set the maximum inactivity time on the server side.
8350 May be used in sections : defaults | frontend | listen | backend
8351 yes | no | yes | yes
8352 Arguments :
8353 <timeout> is the timeout value specified in milliseconds by default, but
8354 can be in any other unit if the number is suffixed by the unit,
8355 as explained at the top of this document.
8356
8357 The inactivity timeout applies when the server is expected to acknowledge or
8358 send data. In HTTP mode, this timeout is particularly important to consider
8359 during the first phase of the server's response, when it has to send the
8360 headers, as it directly represents the server's processing time for the
8361 request. To find out what value to put there, it's often good to start with
8362 what would be considered as unacceptable response times, then check the logs
8363 to observe the response time distribution, and adjust the value accordingly.
8364
8365 The value is specified in milliseconds by default, but can be in any other
8366 unit if the number is suffixed by the unit, as specified at the top of this
8367 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
8368 recommended that the client timeout remains equal to the server timeout in
8369 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008370 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01008371 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02008372 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
8373 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
8374 "timeout tunnel", which overrides "timeout client" and "timeout server" for
8375 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008376
8377 This parameter is specific to backends, but can be specified once for all in
8378 "defaults" sections. This is in fact one of the easiest solutions not to
8379 forget about it. An unspecified timeout results in an infinite timeout, which
8380 is not recommended. Such a usage is accepted and works but reports a warning
8381 during startup because it may results in accumulation of expired sessions in
8382 the system if the system's timeouts are not configured either.
8383
8384 This parameter replaces the old, deprecated "srvtimeout". It is recommended
8385 to use it to write new configurations. The form "timeout srvtimeout" is
8386 provided only by backwards compatibility but its use is strongly discouraged.
8387
Willy Tarreauce887fd2012-05-12 12:50:00 +02008388 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01008389
Willy Tarreau05cdd962014-05-10 14:30:07 +02008390
8391timeout server-fin <timeout>
8392 Set the inactivity timeout on the server side for half-closed connections.
8393 May be used in sections : defaults | frontend | listen | backend
8394 yes | no | yes | yes
8395 Arguments :
8396 <timeout> is the timeout value specified in milliseconds by default, but
8397 can be in any other unit if the number is suffixed by the unit,
8398 as explained at the top of this document.
8399
8400 The inactivity timeout applies when the server is expected to acknowledge or
8401 send data while one direction is already shut down. This timeout is different
8402 from "timeout server" in that it only applies to connections which are closed
8403 in one direction. This is particularly useful to avoid keeping connections in
8404 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
8405 This problem is particularly common long connections such as RDP or WebSocket.
8406 Note that this timeout can override "timeout tunnel" when a connection shuts
8407 down in one direction. This setting was provided for completeness, but in most
8408 situations, it should not be needed.
8409
8410 This parameter is specific to backends, but can be specified once for all in
8411 "defaults" sections. By default it is not set, so half-closed connections
8412 will use the other timeouts (timeout.server or timeout.tunnel).
8413
8414 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
8415
Willy Tarreau844e3c52008-01-11 16:28:18 +01008416
8417timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01008418 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01008419 May be used in sections : defaults | frontend | listen | backend
8420 yes | yes | yes | yes
8421 Arguments :
8422 <timeout> is the tarpit duration specified in milliseconds by default, but
8423 can be in any other unit if the number is suffixed by the unit,
8424 as explained at the top of this document.
8425
8426 When a connection is tarpitted using "reqtarpit", it is maintained open with
8427 no activity for a certain amount of time, then closed. "timeout tarpit"
8428 defines how long it will be maintained open.
8429
8430 The value is specified in milliseconds by default, but can be in any other
8431 unit if the number is suffixed by the unit, as specified at the top of this
8432 document. If unspecified, the same value as the backend's connection timeout
8433 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01008434 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008435
8436 See also : "timeout connect", "contimeout".
8437
8438
Willy Tarreauce887fd2012-05-12 12:50:00 +02008439timeout tunnel <timeout>
8440 Set the maximum inactivity time on the client and server side for tunnels.
8441 May be used in sections : defaults | frontend | listen | backend
8442 yes | no | yes | yes
8443 Arguments :
8444 <timeout> is the timeout value specified in milliseconds by default, but
8445 can be in any other unit if the number is suffixed by the unit,
8446 as explained at the top of this document.
8447
Jamie Gloudonaaa21002012-08-25 00:18:33 -04008448 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02008449 between a client and a server, and the connection remains inactive in both
8450 directions. This timeout supersedes both the client and server timeouts once
8451 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
8452 analyser remains attached to either connection (eg: tcp content rules are
8453 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
8454 when switching to the WebSocket protocol, or forwarding a CONNECT request
8455 to a proxy), or after the first response when no keepalive/close option is
8456 specified.
8457
Willy Tarreau05cdd962014-05-10 14:30:07 +02008458 Since this timeout is usually used in conjunction with long-lived connections,
8459 it usually is a good idea to also set "timeout client-fin" to handle the
8460 situation where a client suddenly disappears from the net and does not
8461 acknowledge a close, or sends a shutdown and does not acknowledge pending
8462 data anymore. This can happen in lossy networks where firewalls are present,
8463 and is detected by the presence of large amounts of sessions in a FIN_WAIT
8464 state.
8465
Willy Tarreauce887fd2012-05-12 12:50:00 +02008466 The value is specified in milliseconds by default, but can be in any other
8467 unit if the number is suffixed by the unit, as specified at the top of this
8468 document. Whatever the expected normal idle time, it is a good practice to
8469 cover at least one or several TCP packet losses by specifying timeouts that
8470 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
8471
8472 This parameter is specific to backends, but can be specified once for all in
8473 "defaults" sections. This is in fact one of the easiest solutions not to
8474 forget about it.
8475
8476 Example :
8477 defaults http
8478 option http-server-close
8479 timeout connect 5s
8480 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +02008481 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +02008482 timeout server 30s
8483 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
8484
Willy Tarreau05cdd962014-05-10 14:30:07 +02008485 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +02008486
8487
Willy Tarreau844e3c52008-01-11 16:28:18 +01008488transparent (deprecated)
8489 Enable client-side transparent proxying
8490 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01008491 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01008492 Arguments : none
8493
8494 This keyword was introduced in order to provide layer 7 persistence to layer
8495 3 load balancers. The idea is to use the OS's ability to redirect an incoming
8496 connection for a remote address to a local process (here HAProxy), and let
8497 this process know what address was initially requested. When this option is
8498 used, sessions without cookies will be forwarded to the original destination
8499 IP address of the incoming request (which should match that of another
8500 equipment), while requests with cookies will still be forwarded to the
8501 appropriate server.
8502
8503 The "transparent" keyword is deprecated, use "option transparent" instead.
8504
8505 Note that contrary to a common belief, this option does NOT make HAProxy
8506 present the client's IP to the server when establishing the connection.
8507
Willy Tarreau844e3c52008-01-11 16:28:18 +01008508 See also: "option transparent"
8509
William Lallemanda73203e2012-03-12 12:48:57 +01008510unique-id-format <string>
8511 Generate a unique ID for each request.
8512 May be used in sections : defaults | frontend | listen | backend
8513 yes | yes | yes | no
8514 Arguments :
8515 <string> is a log-format string.
8516
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008517 This keyword creates a ID for each request using the custom log format. A
8518 unique ID is useful to trace a request passing through many components of
8519 a complex infrastructure. The newly created ID may also be logged using the
8520 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01008521
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008522 The format should be composed from elements that are guaranteed to be
8523 unique when combined together. For instance, if multiple haproxy instances
8524 are involved, it might be important to include the node name. It is often
8525 needed to log the incoming connection's source and destination addresses
8526 and ports. Note that since multiple requests may be performed over the same
8527 connection, including a request counter may help differentiate them.
8528 Similarly, a timestamp may protect against a rollover of the counter.
8529 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01008530
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008531 It is recommended to use hexadecimal notation for many fields since it
8532 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01008533
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008534 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008535
Julien Vehentf21be322014-03-07 08:27:34 -05008536 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008537
8538 will generate:
8539
8540 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8541
8542 See also: "unique-id-header"
8543
8544unique-id-header <name>
8545 Add a unique ID header in the HTTP request.
8546 May be used in sections : defaults | frontend | listen | backend
8547 yes | yes | yes | no
8548 Arguments :
8549 <name> is the name of the header.
8550
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008551 Add a unique-id header in the HTTP request sent to the server, using the
8552 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01008553
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008554 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008555
Julien Vehentf21be322014-03-07 08:27:34 -05008556 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008557 unique-id-header X-Unique-ID
8558
8559 will generate:
8560
8561 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8562
8563 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01008564
Willy Tarreauf51658d2014-04-23 01:21:56 +02008565use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008566 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008567 May be used in sections : defaults | frontend | listen | backend
8568 no | yes | yes | no
8569 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008570 <backend> is the name of a valid backend or "listen" section, or a
8571 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008572
Willy Tarreauf51658d2014-04-23 01:21:56 +02008573 <condition> is a condition composed of ACLs, as described in section 7. If
8574 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008575
8576 When doing content-switching, connections arrive on a frontend and are then
8577 dispatched to various backends depending on a number of conditions. The
8578 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008579 "use_backend" keyword. While it is normally used with HTTP processing, it can
8580 also be used in pure TCP, either without content using stateless ACLs (eg:
8581 source address validation) or combined with a "tcp-request" rule to wait for
8582 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008583
8584 There may be as many "use_backend" rules as desired. All of these rules are
8585 evaluated in their declaration order, and the first one which matches will
8586 assign the backend.
8587
8588 In the first form, the backend will be used if the condition is met. In the
8589 second form, the backend will be used if the condition is not met. If no
8590 condition is valid, the backend defined with "default_backend" will be used.
8591 If no default backend is defined, either the servers in the same section are
8592 used (in case of a "listen" section) or, in case of a frontend, no server is
8593 used and a 503 service unavailable response is returned.
8594
Willy Tarreau51aecc72009-07-12 09:47:04 +02008595 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008596 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02008597 and backend processing will immediately follow, or the backend will wait for
8598 a complete HTTP request to get in. This feature is useful when a frontend
8599 must decode several protocols on a unique port, one of them being HTTP.
8600
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008601 When <backend> is a simple name, it is resolved at configuration time, and an
8602 error is reported if the specified backend does not exist. If <backend> is
8603 a log-format string instead, no check may be done at configuration time, so
8604 the backend name is resolved dynamically at run time. If the resulting
8605 backend name does not correspond to any valid backend, no other rule is
8606 evaluated, and the default_backend directive is applied instead. Note that
8607 when using dynamic backend names, it is highly recommended to use a prefix
8608 that no other backend uses in order to ensure that an unauthorized backend
8609 cannot be forced from the request.
8610
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008611 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008612 used to detect the association between frontends and backends to compute the
8613 backend's "fullconn" setting. This cannot be done for dynamic names.
8614
8615 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
8616 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008617
Willy Tarreau036fae02008-01-06 13:24:40 +01008618
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008619use-server <server> if <condition>
8620use-server <server> unless <condition>
8621 Only use a specific server if/unless an ACL-based condition is matched.
8622 May be used in sections : defaults | frontend | listen | backend
8623 no | no | yes | yes
8624 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008625 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008626
8627 <condition> is a condition composed of ACLs, as described in section 7.
8628
8629 By default, connections which arrive to a backend are load-balanced across
8630 the available servers according to the configured algorithm, unless a
8631 persistence mechanism such as a cookie is used and found in the request.
8632
8633 Sometimes it is desirable to forward a particular request to a specific
8634 server without having to declare a dedicated backend for this server. This
8635 can be achieved using the "use-server" rules. These rules are evaluated after
8636 the "redirect" rules and before evaluating cookies, and they have precedence
8637 on them. There may be as many "use-server" rules as desired. All of these
8638 rules are evaluated in their declaration order, and the first one which
8639 matches will assign the server.
8640
8641 If a rule designates a server which is down, and "option persist" is not used
8642 and no force-persist rule was validated, it is ignored and evaluation goes on
8643 with the next rules until one matches.
8644
8645 In the first form, the server will be used if the condition is met. In the
8646 second form, the server will be used if the condition is not met. If no
8647 condition is valid, the processing continues and the server will be assigned
8648 according to other persistence mechanisms.
8649
8650 Note that even if a rule is matched, cookie processing is still performed but
8651 does not assign the server. This allows prefixed cookies to have their prefix
8652 stripped.
8653
8654 The "use-server" statement works both in HTTP and TCP mode. This makes it
8655 suitable for use with content-based inspection. For instance, a server could
8656 be selected in a farm according to the TLS SNI field. And if these servers
8657 have their weight set to zero, they will not be used for other traffic.
8658
8659 Example :
8660 # intercept incoming TLS requests based on the SNI field
8661 use-server www if { req_ssl_sni -i www.example.com }
8662 server www 192.168.0.1:443 weight 0
8663 use-server mail if { req_ssl_sni -i mail.example.com }
8664 server mail 192.168.0.1:587 weight 0
8665 use-server imap if { req_ssl_sni -i imap.example.com }
8666 server mail 192.168.0.1:993 weight 0
8667 # all the rest is forwarded to this server
8668 server default 192.168.0.2:443 check
8669
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008670 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008671
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008672
86735. Bind and Server options
8674--------------------------
8675
8676The "bind", "server" and "default-server" keywords support a number of settings
8677depending on some build options and on the system HAProxy was built on. These
8678settings generally each consist in one word sometimes followed by a value,
8679written on the same line as the "bind" or "server" line. All these options are
8680described in this section.
8681
8682
86835.1. Bind options
8684-----------------
8685
8686The "bind" keyword supports a certain number of settings which are all passed
8687as arguments on the same line. The order in which those arguments appear makes
8688no importance, provided that they appear after the bind address. All of these
8689parameters are optional. Some of them consist in a single words (booleans),
8690while other ones expect a value after them. In this case, the value must be
8691provided immediately after the setting name.
8692
8693The currently supported settings are the following ones.
8694
8695accept-proxy
8696 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +02008697 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
8698 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008699 3/4 addresses of the incoming connection to be used everywhere an address is
8700 used, with the only exception of "tcp-request connection" rules which will
8701 only see the real connection address. Logs will reflect the addresses
8702 indicated in the protocol, unless it is violated, in which case the real
8703 address will still be used. This keyword combined with support from external
8704 components can be used as an efficient and reliable alternative to the
8705 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +02008706 usable. See also "tcp-request connection expect-proxy" for a finer-grained
8707 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008708
Willy Tarreauab861d32013-04-02 02:30:41 +02008709alpn <protocols>
8710 This enables the TLS ALPN extension and advertises the specified protocol
8711 list as supported on top of ALPN. The protocol list consists in a comma-
8712 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
8713 quotes). This requires that the SSL library is build with support for TLS
8714 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
8715 initial NPN extension.
8716
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008717backlog <backlog>
8718 Sets the socket's backlog to this value. If unspecified, the frontend's
8719 backlog is used instead, which generally defaults to the maxconn value.
8720
Emeric Brun7fb34422012-09-28 15:26:15 +02008721ecdhe <named curve>
8722 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +01008723 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
8724 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +02008725
Emeric Brunfd33a262012-10-11 16:28:27 +02008726ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008727 This setting is only available when support for OpenSSL was built in. It
8728 designates a PEM file from which to load CA certificates used to verify
8729 client's certificate.
8730
Emeric Brunb6dc9342012-09-28 17:55:37 +02008731ca-ignore-err [all|<errorID>,...]
8732 This setting is only available when support for OpenSSL was built in.
8733 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
8734 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
8735 error is ignored.
8736
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008737ciphers <ciphers>
8738 This setting is only available when support for OpenSSL was built in. It sets
8739 the string describing the list of cipher algorithms ("cipher suite") that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008740 negotiated during the SSL/TLS handshake. The format of the string is defined
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008741 in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
8742 such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
8743
Emeric Brunfd33a262012-10-11 16:28:27 +02008744crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008745 This setting is only available when support for OpenSSL was built in. It
8746 designates a PEM file from which to load certificate revocation list used
8747 to verify client's certificate.
8748
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008749crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +00008750 This setting is only available when support for OpenSSL was built in. It
8751 designates a PEM file containing both the required certificates and any
8752 associated private keys. This file can be built by concatenating multiple
8753 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
8754 requires an intermediate certificate, this can also be concatenated into this
8755 file.
8756
8757 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
8758 are loaded.
8759
8760 If a directory name is used instead of a PEM file, then all files found in
Cyril Bonté3180f7b2015-01-25 00:16:08 +01008761 that directory will be loaded in alphabetic order unless their name ends with
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +01008762 '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be
8763 specified multiple times in order to load certificates from multiple files or
8764 directories. The certificates will be presented to clients who provide a
8765 valid TLS Server Name Indication field matching one of their CN or alt
8766 subjects. Wildcards are supported, where a wildcard character '*' is used
8767 instead of the first hostname component (eg: *.example.org matches
8768 www.example.org but not www.sub.example.org).
Alex Davies0fbf0162013-03-02 16:04:50 +00008769
8770 If no SNI is provided by the client or if the SSL library does not support
8771 TLS extensions, or if the client provides an SNI hostname which does not
8772 match any certificate, then the first loaded certificate will be presented.
8773 This means that when loading certificates from a directory, it is highly
Cyril Bonté3180f7b2015-01-25 00:16:08 +01008774 recommended to load the default one first as a file or to ensure that it will
8775 always be the first one in the directory.
Alex Davies0fbf0162013-03-02 16:04:50 +00008776
Emeric Brune032bfa2012-09-28 13:01:45 +02008777 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008778
Alex Davies0fbf0162013-03-02 16:04:50 +00008779 Some CAs (such as Godaddy) offer a drop down list of server types that do not
8780 include HAProxy when obtaining a certificate. If this happens be sure to
Godbach8bf60a12014-04-21 21:42:41 +08008781 choose a webserver that the CA believes requires an intermediate CA (for
Alex Davies0fbf0162013-03-02 16:04:50 +00008782 Godaddy, selection Apache Tomcat will get the correct bundle, but many
8783 others, e.g. nginx, result in a wrong bundle that will not work for some
8784 clients).
8785
Emeric Brun4147b2e2014-06-16 18:36:30 +02008786 For each PEM file, haproxy checks for the presence of file at the same path
8787 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
8788 Status Request extension (also known as "OCSP stapling") is automatically
8789 enabled. The content of this file is optional. If not empty, it must contain
8790 a valid OCSP Response in DER format. In order to be valid an OCSP Response
8791 must comply with the following rules: it has to indicate a good status,
8792 it has to be a single response for the certificate of the PEM file, and it
8793 has to be valid at the moment of addition. If these rules are not respected
8794 the OCSP Response is ignored and a warning is emitted. In order to identify
8795 which certificate an OCSP Response applies to, the issuer's certificate is
8796 necessary. If the issuer's certificate is not found in the PEM file, it will
8797 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
8798 if it exists otherwise it will fail with an error.
8799
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +01008800 For each PEM file, haproxy also checks for the presence of file at the same
8801 path suffixed by ".sctl". If such file is found, support for Certificate
8802 Transparency (RFC6962) TLS extension is enabled. The file must contain a
8803 valid Signed Certificate Timestamp List, as described in RFC. File is parsed
8804 to check basic syntax, but no signatures are verified.
8805
Emeric Brunb6dc9342012-09-28 17:55:37 +02008806crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +00008807 This setting is only available when support for OpenSSL was built in. Sets a
8808 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008809 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +00008810 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +02008811
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008812crt-list <file>
8813 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008814 designates a list of PEM file with an optional list of SNI filter per
8815 certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008816
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008817 <crtfile> [[!]<snifilter> ...]
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008818
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008819 Wildcards are supported in the SNI filter. Negative filter are also supported,
8820 only useful in combination with a wildcard filter to exclude a particular SNI.
8821 The certificates will be presented to clients who provide a valid TLS Server
8822 Name Indication field matching one of the SNI filters. If no SNI filter is
8823 specified, the CN and alt subjects are used. This directive may be specified
8824 multiple times. See the "crt" option for more information. The default
8825 certificate is still needed to meet OpenSSL expectations. If it is not used,
8826 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008827
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008828defer-accept
8829 Is an optional keyword which is supported only on certain Linux kernels. It
8830 states that a connection will only be accepted once some data arrive on it,
8831 or at worst after the first retransmit. This should be used only on protocols
8832 for which the client talks first (eg: HTTP). It can slightly improve
8833 performance by ensuring that most of the request is already available when
8834 the connection is accepted. On the other hand, it will not be able to detect
8835 connections which don't talk. It is important to note that this option is
8836 broken in all kernels up to 2.6.31, as the connection is never accepted until
8837 the client talks. This can cause issues with front firewalls which would see
8838 an established connection while the proxy will only see it in SYN_RECV. This
8839 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
8840
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008841force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008842 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008843 this listener. SSLv3 is generally less expensive than the TLS counterparts
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008844 for high connection rates. This option is also available on global statement
8845 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008846
8847force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008848 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008849 this listener. This option is also available on global statement
8850 "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008851
8852force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008853 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008854 this listener. This option is also available on global statement
8855 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008856
8857force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008858 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008859 this listener. This option is also available on global statement
8860 "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008861
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008862gid <gid>
8863 Sets the group of the UNIX sockets to the designated system gid. It can also
8864 be set by default in the global section's "unix-bind" statement. Note that
8865 some platforms simply ignore this. This setting is equivalent to the "group"
8866 setting except that the group ID is used instead of its name. This setting is
8867 ignored by non UNIX sockets.
8868
8869group <group>
8870 Sets the group of the UNIX sockets to the designated system group. It can
8871 also be set by default in the global section's "unix-bind" statement. Note
8872 that some platforms simply ignore this. This setting is equivalent to the
8873 "gid" setting except that the group name is used instead of its gid. This
8874 setting is ignored by non UNIX sockets.
8875
8876id <id>
8877 Fixes the socket ID. By default, socket IDs are automatically assigned, but
8878 sometimes it is more convenient to fix them to ease monitoring. This value
8879 must be strictly positive and unique within the listener/frontend. This
8880 option can only be used when defining only a single socket.
8881
8882interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +01008883 Restricts the socket to a specific interface. When specified, only packets
8884 received from that particular interface are processed by the socket. This is
8885 currently only supported on Linux. The interface must be a primary system
8886 interface, not an aliased interface. It is also possible to bind multiple
8887 frontends to the same address if they are bound to different interfaces. Note
8888 that binding to a network interface requires root privileges. This parameter
8889 is only compatible with TCPv4/TCPv6 sockets.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008890
Willy Tarreauabb175f2012-09-24 12:43:26 +02008891level <level>
8892 This setting is used with the stats sockets only to restrict the nature of
8893 the commands that can be issued on the socket. It is ignored by other
8894 sockets. <level> can be one of :
8895 - "user" is the least privileged level ; only non-sensitive stats can be
8896 read, and no change is allowed. It would make sense on systems where it
8897 is not easy to restrict access to the socket.
8898 - "operator" is the default level and fits most common uses. All data can
8899 be read, and only non-sensitive changes are permitted (eg: clear max
8900 counters).
8901 - "admin" should be used with care, as everything is permitted (eg: clear
8902 all counters).
8903
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008904maxconn <maxconn>
8905 Limits the sockets to this number of concurrent connections. Extraneous
8906 connections will remain in the system's backlog until a connection is
8907 released. If unspecified, the limit will be the same as the frontend's
8908 maxconn. Note that in case of port ranges or multiple addresses, the same
8909 value will be applied to each socket. This setting enables different
8910 limitations on expensive sockets, for instance SSL entries which may easily
8911 eat all memory.
8912
8913mode <mode>
8914 Sets the octal mode used to define access permissions on the UNIX socket. It
8915 can also be set by default in the global section's "unix-bind" statement.
8916 Note that some platforms simply ignore this. This setting is ignored by non
8917 UNIX sockets.
8918
8919mss <maxseg>
8920 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
8921 connections. This can be used to force a lower MSS for certain specific
8922 ports, for instance for connections passing through a VPN. Note that this
8923 relies on a kernel feature which is theoretically supported under Linux but
8924 was buggy in all versions prior to 2.6.28. It may or may not work on other
8925 operating systems. It may also not change the advertised value but change the
8926 effective size of outgoing segments. The commonly advertised value for TCPv4
8927 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
8928 positive, it will be used as the advertised MSS. If it is negative, it will
8929 indicate by how much to reduce the incoming connection's advertised MSS for
8930 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
8931
8932name <name>
8933 Sets an optional name for these sockets, which will be reported on the stats
8934 page.
8935
8936nice <nice>
8937 Sets the 'niceness' of connections initiated from the socket. Value must be
8938 in the range -1024..1024 inclusive, and defaults to zero. Positive values
8939 means that such connections are more friendly to others and easily offer
8940 their place in the scheduler. On the opposite, negative values mean that
8941 connections want to run with a higher priority than others. The difference
8942 only happens under high loads when the system is close to saturation.
8943 Negative values are appropriate for low-latency or administration services,
8944 and high values are generally recommended for CPU intensive tasks such as SSL
8945 processing or bulk transfers which are less sensible to latency. For example,
8946 it may make sense to use a positive value for an SMTP socket and a negative
8947 one for an RDP socket.
8948
Emeric Brun9b3009b2012-10-05 11:55:06 +02008949no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008950 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008951 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008952 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008953 be enabled using any configuration option. This option is also available on
8954 global statement "ssl-default-bind-options". See also "force-tls*",
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008955 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008956
Emeric Brun90ad8722012-10-02 14:00:59 +02008957no-tls-tickets
8958 This setting is only available when support for OpenSSL was built in. It
8959 disables the stateless session resumption (RFC 5077 TLS Ticket
8960 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008961 session resumption is more expensive in CPU usage. This option is also
8962 available on global statement "ssl-default-bind-options".
Emeric Brun90ad8722012-10-02 14:00:59 +02008963
Emeric Brun9b3009b2012-10-05 11:55:06 +02008964no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008965 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008966 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008967 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008968 cannot be enabled using any configuration option. This option is also
8969 available on global statement "ssl-default-bind-options". See also
8970 "force-tlsv*", and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008971
Emeric Brun9b3009b2012-10-05 11:55:06 +02008972no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +02008973 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008974 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008975 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008976 cannot be enabled using any configuration option. This option is also
8977 available on global statement "ssl-default-bind-options". See also
8978 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008979
Emeric Brun9b3009b2012-10-05 11:55:06 +02008980no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +02008981 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008982 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008983 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +01008984 cannot be enabled using any configuration option. This option is also
8985 available on global statement "ssl-default-bind-options". See also
8986 "force-tlsv*", and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008987
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008988npn <protocols>
8989 This enables the NPN TLS extension and advertises the specified protocol list
8990 as supported on top of NPN. The protocol list consists in a comma-delimited
8991 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
8992 This requires that the SSL library is build with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +02008993 enabled (check with haproxy -vv). Note that the NPN extension has been
8994 replaced with the ALPN extension (see the "alpn" keyword).
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008995
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02008996process [ all | odd | even | <number 1-64>[-<number 1-64>] ]
8997 This restricts the list of processes on which this listener is allowed to
8998 run. It does not enforce any process but eliminates those which do not match.
8999 If the frontend uses a "bind-process" setting, the intersection between the
9000 two is applied. If in the end the listener is not allowed to run on any
9001 remaining process, a warning is emitted, and the listener will either run on
9002 the first process of the listener if a single process was specified, or on
9003 all of its processes if multiple processes were specified. For the unlikely
Willy Tarreauae302532014-05-07 19:22:24 +02009004 case where several ranges are needed, this directive may be repeated. The
9005 main purpose of this directive is to be used with the stats sockets and have
9006 one different socket per process. The second purpose is to have multiple bind
9007 lines sharing the same IP:port but not the same process in a listener, so
9008 that the system can distribute the incoming connections into multiple queues
9009 and allow a smoother inter-process load balancing. Currently Linux 3.9 and
9010 above is known for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02009011
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009012ssl
9013 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009014 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009015 certificate is necessary (see "crt" above). All contents in the buffers will
9016 appear in clear text, so that ACLs and HTTP processing will only have access
9017 to deciphered contents.
9018
Emmanuel Hocdet65623372013-01-24 17:17:15 +01009019strict-sni
9020 This setting is only available when support for OpenSSL was built in. The
9021 SSL/TLS negotiation is allow only if the client provided an SNI which match
9022 a certificate. The default certificate is not used.
9023 See the "crt" option for more information.
9024
Willy Tarreau2af207a2015-02-04 00:45:58 +01009025tcp-ut <delay>
9026 Sets the TCP User Timeout for all incoming connections instanciated from this
9027 listening socket. This option is available on Linux since version 2.6.37. It
9028 allows haproxy to configure a timeout for sockets which contain data not
9029 receiving an acknoledgement for the configured delay. This is especially
9030 useful on long-lived connections experiencing long idle periods such as
9031 remote terminals or database connection pools, where the client and server
9032 timeouts must remain high to allow a long period of idle, but where it is
9033 important to detect that the client has disappeared in order to release all
9034 resources associated with its connection (and the server's session). The
9035 argument is a delay expressed in milliseconds by default. This only works
9036 for regular TCP connections, and is ignored for other protocols.
9037
Willy Tarreau1c862c52012-10-05 16:21:00 +02009038tfo
Lukas Tribus0defb902013-02-13 23:35:39 +01009039 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +02009040 enables TCP Fast Open on the listening socket, which means that clients which
9041 support this feature will be able to send a request and receive a response
9042 during the 3-way handshake starting from second connection, thus saving one
9043 round-trip after the first connection. This only makes sense with protocols
9044 that use high connection rates and where each round trip matters. This can
9045 possibly cause issues with many firewalls which do not accept data on SYN
9046 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +02009047 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
9048 need to build HAProxy with USE_TFO=1 if your libc doesn't define
9049 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +02009050
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +01009051tls-ticket-keys <keyfile>
9052 Sets the TLS ticket keys file to load the keys from. The keys need to be 48
9053 bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of keys
9054 is specified by the TLS_TICKETS_NO build option (default 3) and at least as
9055 many keys need to be present in the file. Last TLS_TICKETS_NO keys will be
9056 used for decryption and the penultimate one for encryption. This enables easy
9057 key rotation by just appending new key to the file and reloading the process.
9058 Keys must be periodically rotated (ex. every 12h) or Perfect Forward Secrecy
9059 is compromised. It is also a good idea to keep the keys off any permanent
9060 storage such as hard drives (hint: use tmpfs and don't swap those files).
9061 Lifetime hint can be changed using tune.ssl.timeout.
9062
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009063transparent
9064 Is an optional keyword which is supported only on certain Linux kernels. It
9065 indicates that the addresses will be bound even if they do not belong to the
9066 local machine, and that packets targeting any of these addresses will be
9067 intercepted just as if the addresses were locally configured. This normally
9068 requires that IP forwarding is enabled. Caution! do not use this with the
9069 default address '*', as it would redirect any traffic for the specified port.
9070 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
9071 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
9072 kernel version. Some distribution kernels include backports of the feature,
9073 so check for support with your vendor.
9074
Willy Tarreau77e3af92012-11-24 15:07:23 +01009075v4v6
9076 Is an optional keyword which is supported only on most recent systems
9077 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
9078 and IPv6 when it uses the default address. Doing so is sometimes necessary
9079 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009080 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +01009081
Willy Tarreau9b6700f2012-11-24 11:55:28 +01009082v6only
9083 Is an optional keyword which is supported only on most recent systems
9084 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
9085 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +01009086 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
9087 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +01009088
Willy Tarreaub6205fd2012-09-24 12:27:33 +02009089uid <uid>
9090 Sets the owner of the UNIX sockets to the designated system uid. It can also
9091 be set by default in the global section's "unix-bind" statement. Note that
9092 some platforms simply ignore this. This setting is equivalent to the "user"
9093 setting except that the user numeric ID is used instead of its name. This
9094 setting is ignored by non UNIX sockets.
9095
9096user <user>
9097 Sets the owner of the UNIX sockets to the designated system user. It can also
9098 be set by default in the global section's "unix-bind" statement. Note that
9099 some platforms simply ignore this. This setting is equivalent to the "uid"
9100 setting except that the user name is used instead of its uid. This setting is
9101 ignored by non UNIX sockets.
9102
Emeric Brun1a073b42012-09-28 17:07:34 +02009103verify [none|optional|required]
9104 This setting is only available when support for OpenSSL was built in. If set
9105 to 'none', client certificate is not requested. This is the default. In other
9106 cases, a client certificate is requested. If the client does not provide a
9107 certificate after the request and if 'verify' is set to 'required', then the
9108 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +02009109 certificate provided by the client is always verified using CAs from
9110 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
9111 is aborted, regardless of the 'verify' option, unless the error code exactly
9112 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02009113
Willy Tarreaub6205fd2012-09-24 12:27:33 +020091145.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01009115------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009116
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01009117The "server" and "default-server" keywords support a certain number of settings
9118which are all passed as arguments on the server line. The order in which those
9119arguments appear does not count, and they are all optional. Some of those
9120settings are single words (booleans) while others expect one or several values
9121after them. In this case, the values must immediately follow the setting name.
9122Except default-server, all those settings must be specified after the server's
9123address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02009124
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009125 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01009126 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02009127
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009128The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01009129
Willy Tarreauceb4ac92012-04-28 00:41:46 +02009130addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009131 Using the "addr" parameter, it becomes possible to use a different IP address
9132 to send health-checks. On some servers, it may be desirable to dedicate an IP
9133 address to specific component able to perform complex tests which are more
9134 suitable to health-checks than the application. This parameter is ignored if
9135 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009136
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009137 Supported in default-server: No
9138
Simon Hormand60d6912013-11-25 10:46:36 +09009139agent-check
9140 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +01009141 health check. An agent health check is performed by making a TCP connection
9142 to the port set by the "agent-port" parameter and reading an ASCII string.
9143 The string is made of a series of words delimited by spaces, tabs or commas
9144 in any order, optionally terminated by '\r' and/or '\n', each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +09009145
Willy Tarreau81f5d942013-12-09 20:51:51 +01009146 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +09009147 Values in this format will set the weight proportional to the initial
Willy Tarreauc5af3a62014-10-07 15:27:33 +02009148 weight of a server as configured when haproxy starts. Note that a zero
9149 weight is reported on the stats page as "DRAIN" since it has the same
9150 effect on the server (it's removed from the LB farm).
Simon Hormand60d6912013-11-25 10:46:36 +09009151
Willy Tarreau81f5d942013-12-09 20:51:51 +01009152 - The word "ready". This will turn the server's administrative state to the
9153 READY mode, thus cancelling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +09009154
Willy Tarreau81f5d942013-12-09 20:51:51 +01009155 - The word "drain". This will turn the server's administrative state to the
9156 DRAIN mode, thus it will not accept any new connections other than those
9157 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +09009158
Willy Tarreau81f5d942013-12-09 20:51:51 +01009159 - The word "maint". This will turn the server's administrative state to the
9160 MAINT mode, thus it will not accept any new connections at all, and health
9161 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +09009162
Willy Tarreau81f5d942013-12-09 20:51:51 +01009163 - The words "down", "failed", or "stopped", optionally followed by a
9164 description string after a sharp ('#'). All of these mark the server's
9165 operating state as DOWN, but since the word itself is reported on the stats
9166 page, the difference allows an administrator to know if the situation was
9167 expected or not : the service may intentionally be stopped, may appear up
9168 but fail some validity tests, or may be seen as down (eg: missing process,
9169 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +09009170
Willy Tarreau81f5d942013-12-09 20:51:51 +01009171 - The word "up" sets back the server's operating state as UP if health checks
9172 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +09009173
Willy Tarreau81f5d942013-12-09 20:51:51 +01009174 Parameters which are not advertised by the agent are not changed. For
9175 example, an agent might be designed to monitor CPU usage and only report a
9176 relative weight and never interact with the operating status. Similarly, an
9177 agent could be designed as an end-user interface with 3 radio buttons
9178 allowing an administrator to change only the administrative state. However,
9179 it is important to consider that only the agent may revert its own actions,
9180 so if a server is set to DRAIN mode or to DOWN state using the agent, the
9181 agent must implement the other equivalent actions to bring the service into
9182 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +09009183
Simon Horman2f1f9552013-11-25 10:46:37 +09009184 Failure to connect to the agent is not considered an error as connectivity
9185 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +01009186 parameter. Warning though, it is not a good idea to stop an agent after it
9187 reports "down", since only an agent reporting "up" will be able to turn the
9188 server up again. Note that the CLI on the Unix stats socket is also able to
9189 force an agent's result in order to workaround a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +09009190
Willy Tarreau81f5d942013-12-09 20:51:51 +01009191 Requires the "agent-port" parameter to be set. See also the "agent-inter"
9192 parameter.
Simon Hormand60d6912013-11-25 10:46:36 +09009193
9194 Supported in default-server: No
9195
9196agent-inter <delay>
9197 The "agent-inter" parameter sets the interval between two agent checks
9198 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
9199
9200 Just as with every other time-based parameter, it may be entered in any
9201 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
9202 parameter also serves as a timeout for agent checks "timeout check" is
9203 not set. In order to reduce "resonance" effects when multiple servers are
9204 hosted on the same hardware, the agent and health checks of all servers
9205 are started with a small time offset between them. It is also possible to
9206 add some random noise in the agent and health checks interval using the
9207 global "spread-checks" keyword. This makes sense for instance when a lot
9208 of backends use the same servers.
9209
9210 See also the "agent-check" and "agent-port" parameters.
9211
9212 Supported in default-server: Yes
9213
9214agent-port <port>
9215 The "agent-port" parameter sets the TCP port used for agent checks.
9216
9217 See also the "agent-check" and "agent-inter" parameters.
9218
9219 Supported in default-server: Yes
9220
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009221backup
9222 When "backup" is present on a server line, the server is only used in load
9223 balancing when all other non-backup servers are unavailable. Requests coming
9224 with a persistence cookie referencing the server will always be served
9225 though. By default, only the first operational backup server is used, unless
9226 the "allbackups" option is set in the backend. See also the "allbackups"
9227 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009228
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009229 Supported in default-server: No
9230
Emeric Brunef42d922012-10-11 16:11:36 +02009231ca-file <cafile>
9232 This setting is only available when support for OpenSSL was built in. It
9233 designates a PEM file from which to load CA certificates used to verify
9234 server's certificate.
9235
9236 Supported in default-server: No
9237
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009238check
9239 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01009240 always considered available. If "check" is set, the server is available when
9241 accepting periodic TCP connections, to ensure that it is really able to serve
9242 requests. The default address and port to send the tests to are those of the
9243 server, and the default source is the same as the one defined in the
9244 backend. It is possible to change the address using the "addr" parameter, the
9245 port using the "port" parameter, the source address using the "source"
9246 address, and the interval and timers using the "inter", "rise" and "fall"
Simon Hormanafc47ee2013-11-25 10:46:35 +09009247 parameters. The request method is define in the backend using the "httpchk",
9248 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
9249 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009250
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009251 Supported in default-server: No
9252
Willy Tarreau6c16adc2012-10-05 00:04:16 +02009253check-send-proxy
9254 This option forces emission of a PROXY protocol line with outgoing health
9255 checks, regardless of whether the server uses send-proxy or not for the
9256 normal traffic. By default, the PROXY protocol is enabled for health checks
9257 if it is already enabled for normal traffic and if no "port" nor "addr"
9258 directive is present. However, if such a directive is present, the
9259 "check-send-proxy" option needs to be used to force the use of the
9260 protocol. See also the "send-proxy" option for more information.
9261
9262 Supported in default-server: No
9263
Willy Tarreau763a95b2012-10-04 23:15:39 +02009264check-ssl
9265 This option forces encryption of all health checks over SSL, regardless of
9266 whether the server uses SSL or not for the normal traffic. This is generally
9267 used when an explicit "port" or "addr" directive is specified and SSL health
9268 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009269 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +02009270 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
9271 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
9272 All SSL settings are common to health checks and traffic (eg: ciphers).
9273 See the "ssl" option for more information.
9274
9275 Supported in default-server: No
9276
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009277ciphers <ciphers>
9278 This option sets the string describing the list of cipher algorithms that is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009279 is negotiated during the SSL/TLS handshake with the server. The format of the
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009280 string is defined in "man 1 ciphers". When SSL is used to communicate with
9281 servers on the local network, it is common to see a weaker set of algorithms
9282 than what is used over the internet. Doing so reduces CPU usage on both the
9283 server and haproxy while still keeping it compatible with deployed software.
9284 Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
9285 is needed and just connectivity, using DES can be appropriate.
9286
Willy Tarreau763a95b2012-10-04 23:15:39 +02009287 Supported in default-server: No
9288
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009289cookie <value>
9290 The "cookie" parameter sets the cookie value assigned to the server to
9291 <value>. This value will be checked in incoming requests, and the first
9292 operational server possessing the same value will be selected. In return, in
9293 cookie insertion or rewrite modes, this value will be assigned to the cookie
9294 sent to the client. There is nothing wrong in having several servers sharing
9295 the same cookie value, and it is in fact somewhat common between normal and
9296 backup servers. See also the "cookie" keyword in backend section.
9297
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009298 Supported in default-server: No
9299
Emeric Brunef42d922012-10-11 16:11:36 +02009300crl-file <crlfile>
9301 This setting is only available when support for OpenSSL was built in. It
9302 designates a PEM file from which to load certificate revocation list used
9303 to verify server's certificate.
9304
9305 Supported in default-server: No
9306
Emeric Bruna7aa3092012-10-26 12:58:00 +02009307crt <cert>
9308 This setting is only available when support for OpenSSL was built in.
9309 It designates a PEM file from which to load both a certificate and the
9310 associated private key. This file can be built by concatenating both PEM
9311 files into one. This certificate will be sent if the server send a client
9312 certificate request.
9313
9314 Supported in default-server: No
9315
Willy Tarreau96839092010-03-29 10:02:24 +02009316disabled
9317 The "disabled" keyword starts the server in the "disabled" state. That means
9318 that it is marked down in maintenance mode, and no connection other than the
9319 ones allowed by persist mode will reach it. It is very well suited to setup
9320 new servers, because normal traffic will never reach them, while it is still
9321 possible to test the service by making use of the force-persist mechanism.
9322
9323 Supported in default-server: No
9324
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009325error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01009326 If health observing is enabled, the "error-limit" parameter specifies the
9327 number of consecutive errors that triggers event selected by the "on-error"
9328 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009329
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009330 Supported in default-server: Yes
9331
9332 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009333
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009334fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009335 The "fall" parameter states that a server will be considered as dead after
9336 <count> consecutive unsuccessful health checks. This value defaults to 3 if
9337 unspecified. See also the "check", "inter" and "rise" parameters.
9338
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009339 Supported in default-server: Yes
9340
Emeric Brun8694b9a2012-10-05 14:39:07 +02009341force-sslv3
9342 This option enforces use of SSLv3 only when SSL is used to communicate with
9343 the server. SSLv3 is generally less expensive than the TLS counterparts for
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009344 high connection rates. This option is also available on global statement
9345 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009346
9347 Supported in default-server: No
9348
9349force-tlsv10
9350 This option enforces use of TLSv1.0 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009351 the server. This option is also available on global statement
9352 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009353
9354 Supported in default-server: No
9355
9356force-tlsv11
9357 This option enforces use of TLSv1.1 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009358 the server. This option is also available on global statement
9359 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009360
9361 Supported in default-server: No
9362
9363force-tlsv12
9364 This option enforces use of TLSv1.2 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009365 the server. This option is also available on global statement
9366 "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Emeric Brun8694b9a2012-10-05 14:39:07 +02009367
9368 Supported in default-server: No
9369
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009370id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02009371 Set a persistent ID for the server. This ID must be positive and unique for
9372 the proxy. An unused ID will automatically be assigned if unset. The first
9373 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009374
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009375 Supported in default-server: No
9376
9377inter <delay>
9378fastinter <delay>
9379downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009380 The "inter" parameter sets the interval between two consecutive health checks
9381 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
9382 It is also possible to use "fastinter" and "downinter" to optimize delays
9383 between checks depending on the server state :
9384
9385 Server state | Interval used
9386 ---------------------------------+-----------------------------------------
9387 UP 100% (non-transitional) | "inter"
9388 ---------------------------------+-----------------------------------------
9389 Transitionally UP (going down), |
9390 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
9391 or yet unchecked. |
9392 ---------------------------------+-----------------------------------------
9393 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
9394 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01009395
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009396 Just as with every other time-based parameter, they can be entered in any
9397 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
9398 serves as a timeout for health checks sent to servers if "timeout check" is
9399 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +09009400 hosted on the same hardware, the agent and health checks of all servers
9401 are started with a small time offset between them. It is also possible to
9402 add some random noise in the agent and health checks interval using the
9403 global "spread-checks" keyword. This makes sense for instance when a lot
9404 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009405
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009406 Supported in default-server: Yes
9407
9408maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009409 The "maxconn" parameter specifies the maximal number of concurrent
9410 connections that will be sent to this server. If the number of incoming
9411 concurrent requests goes higher than this value, they will be queued, waiting
9412 for a connection to be released. This parameter is very important as it can
9413 save fragile servers from going down under extreme loads. If a "minconn"
9414 parameter is specified, the limit becomes dynamic. The default value is "0"
9415 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
9416 the backend's "fullconn" keyword.
9417
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009418 Supported in default-server: Yes
9419
9420maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009421 The "maxqueue" parameter specifies the maximal number of connections which
9422 will wait in the queue for this server. If this limit is reached, next
9423 requests will be redispatched to other servers instead of indefinitely
9424 waiting to be served. This will break persistence but may allow people to
9425 quickly re-log in when the server they try to connect to is dying. The
9426 default value is "0" which means the queue is unlimited. See also the
9427 "maxconn" and "minconn" parameters.
9428
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009429 Supported in default-server: Yes
9430
9431minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009432 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
9433 limit following the backend's load. The server will always accept at least
9434 <minconn> connections, never more than <maxconn>, and the limit will be on
9435 the ramp between both values when the backend has less than <fullconn>
9436 concurrent connections. This makes it possible to limit the load on the
9437 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009438 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009439 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009440
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009441 Supported in default-server: Yes
9442
Willy Tarreau2a3fb1c2015-02-05 16:47:07 +01009443no-ssl-reuse
9444 This option disables SSL session reuse when SSL is used to communicate with
9445 the server. It will force the server to perform a full handshake for every
9446 new connection. It's probably only useful for benchmarking, troubleshooting,
9447 and for paranoid users.
9448
9449 Supported in default-server: No
9450
Emeric Brun9b3009b2012-10-05 11:55:06 +02009451no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009452 This option disables support for SSLv3 when SSL is used to communicate with
9453 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emeric Brun8694b9a2012-10-05 14:39:07 +02009454 using any configuration option. See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009455
Willy Tarreau763a95b2012-10-04 23:15:39 +02009456 Supported in default-server: No
9457
Emeric Brunf9c5c472012-10-11 15:28:34 +02009458no-tls-tickets
9459 This setting is only available when support for OpenSSL was built in. It
9460 disables the stateless session resumption (RFC 5077 TLS Ticket
9461 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009462 session resumption is more expensive in CPU usage for servers. This option
9463 is also available on global statement "ssl-default-server-options".
Emeric Brunf9c5c472012-10-11 15:28:34 +02009464
9465 Supported in default-server: No
9466
Emeric Brun9b3009b2012-10-05 11:55:06 +02009467no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +02009468 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02009469 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9470 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009471 often makes sense to disable it when communicating with local servers. This
9472 option is also available on global statement "ssl-default-server-options".
9473 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02009474
Willy Tarreau763a95b2012-10-04 23:15:39 +02009475 Supported in default-server: No
9476
Emeric Brun9b3009b2012-10-05 11:55:06 +02009477no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +02009478 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02009479 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9480 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009481 often makes sense to disable it when communicating with local servers. This
9482 option is also available on global statement "ssl-default-server-options".
9483 See also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02009484
Willy Tarreau763a95b2012-10-04 23:15:39 +02009485 Supported in default-server: No
9486
Emeric Brun9b3009b2012-10-05 11:55:06 +02009487no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +02009488 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009489 the server. Note that SSLv2 is disabled in the code and cannot be enabled
9490 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +01009491 often makes sense to disable it when communicating with local servers. This
9492 option is also available on global statement "ssl-default-server-options".
9493 See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009494
Willy Tarreau763a95b2012-10-04 23:15:39 +02009495 Supported in default-server: No
9496
Simon Hormanfa461682011-06-25 09:39:49 +09009497non-stick
9498 Never add connections allocated to this sever to a stick-table.
9499 This may be used in conjunction with backup to ensure that
9500 stick-table persistence is disabled for backup servers.
9501
Willy Tarreau763a95b2012-10-04 23:15:39 +02009502 Supported in default-server: No
9503
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009504observe <mode>
9505 This option enables health adjusting based on observing communication with
9506 the server. By default this functionality is disabled and enabling it also
9507 requires to enable health checks. There are two supported modes: "layer4" and
9508 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
9509 significant. In layer7, which is only allowed for http proxies, responses
9510 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01009511 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009512
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009513 Supported in default-server: No
9514
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009515 See also the "check", "on-error" and "error-limit".
9516
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009517on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009518 Select what should happen when enough consecutive errors are detected.
9519 Currently, four modes are available:
9520 - fastinter: force fastinter
9521 - fail-check: simulate a failed check, also forces fastinter (default)
9522 - sudden-death: simulate a pre-fatal failed health check, one more failed
9523 check will mark a server down, forces fastinter
9524 - mark-down: mark the server immediately down and force fastinter
9525
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009526 Supported in default-server: Yes
9527
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01009528 See also the "check", "observe" and "error-limit".
9529
Simon Hormane0d1bfb2011-06-21 14:34:58 +09009530on-marked-down <action>
9531 Modify what occurs when a server is marked down.
9532 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07009533 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
9534 all connections to the server are immediately terminated when the server
9535 goes down. It might be used if the health check detects more complex cases
9536 than a simple connection status, and long timeouts would cause the service
9537 to remain unresponsive for too long a time. For instance, a health check
9538 might detect that a database is stuck and that there's no chance to reuse
9539 existing connections anymore. Connections killed this way are logged with
9540 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +09009541
9542 Actions are disabled by default
9543
9544 Supported in default-server: Yes
9545
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07009546on-marked-up <action>
9547 Modify what occurs when a server is marked up.
9548 Currently one action is available:
9549 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
9550 done only if the server is not in backup state and if it is not disabled
9551 (it must have an effective weight > 0). This can be used sometimes to force
9552 an active server to take all the traffic back after recovery when dealing
9553 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
9554 than it tries to solve (eg: incomplete transactions), so use this feature
9555 with extreme care. Sessions killed because a server comes up are logged
9556 with an 'U' termination code (for "Up").
9557
9558 Actions are disabled by default
9559
9560 Supported in default-server: Yes
9561
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009562port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009563 Using the "port" parameter, it becomes possible to use a different port to
9564 send health-checks. On some servers, it may be desirable to dedicate a port
9565 to a specific component able to perform complex tests which are more suitable
9566 to health-checks than the application. It is common to run a simple script in
9567 inetd for instance. This parameter is ignored if the "check" parameter is not
9568 set. See also the "addr" parameter.
9569
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009570 Supported in default-server: Yes
9571
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009572redir <prefix>
9573 The "redir" parameter enables the redirection mode for all GET and HEAD
9574 requests addressing this server. This means that instead of having HAProxy
9575 forward the request to the server, it will send an "HTTP 302" response with
9576 the "Location" header composed of this prefix immediately followed by the
9577 requested URI beginning at the leading '/' of the path component. That means
9578 that no trailing slash should be used after <prefix>. All invalid requests
9579 will be rejected, and all non-GET or HEAD requests will be normally served by
9580 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009581 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009582 requests are still analysed, making this solution completely usable to direct
9583 users to a remote location in case of local disaster. Main use consists in
9584 increasing bandwidth for static servers by having the clients directly
9585 connect to them. Note: never use a relative location here, it would cause a
9586 loop between the client and HAProxy!
9587
9588 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
9589
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009590 Supported in default-server: No
9591
9592rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009593 The "rise" parameter states that a server will be considered as operational
9594 after <count> consecutive successful health checks. This value defaults to 2
9595 if unspecified. See also the "check", "inter" and "fall" parameters.
9596
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009597 Supported in default-server: Yes
9598
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009599send-proxy
9600 The "send-proxy" parameter enforces use of the PROXY protocol over any
9601 connection established to this server. The PROXY protocol informs the other
9602 end about the layer 3/4 addresses of the incoming connection, so that it can
9603 know the client's address or the public address it accessed to, whatever the
9604 upper layer protocol. For connections accepted by an "accept-proxy" listener,
9605 the advertised address will be used. Only TCPv4 and TCPv6 address families
9606 are supported. Other families such as Unix sockets, will report an UNKNOWN
9607 family. Servers using this option can fully be chained to another instance of
9608 haproxy listening with an "accept-proxy" setting. This setting must not be
Willy Tarreau6c16adc2012-10-05 00:04:16 +02009609 used if the server isn't aware of the protocol. When health checks are sent
9610 to the server, the PROXY protocol is automatically used when this option is
9611 set, unless there is an explicit "port" or "addr" directive, in which case an
9612 explicit "check-send-proxy" directive would also be needed to use the PROXY
9613 protocol. See also the "accept-proxy" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009614
9615 Supported in default-server: No
9616
David Safb76832014-05-08 23:42:08 -04009617send-proxy-v2
9618 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
9619 over any connection established to this server. The PROXY protocol informs
9620 the other end about the layer 3/4 addresses of the incoming connection, so
9621 that it can know the client's address or the public address it accessed to,
9622 whatever the upper layer protocol. This setting must not be used if the
9623 server isn't aware of this version of the protocol. See also the "send-proxy"
9624 option of the "bind" keyword.
9625
9626 Supported in default-server: No
9627
9628send-proxy-v2-ssl
9629 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9630 2 over any connection established to this server. The PROXY protocol informs
9631 the other end about the layer 3/4 addresses of the incoming connection, so
9632 that it can know the client's address or the public address it accessed to,
9633 whatever the upper layer protocol. In addition, the SSL information extension
9634 of the PROXY protocol is added to the PROXY protocol header. This setting
9635 must not be used if the server isn't aware of this version of the protocol.
9636 See also the "send-proxy-v2" option of the "bind" keyword.
9637
9638 Supported in default-server: No
9639
9640send-proxy-v2-ssl-cn
9641 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9642 2 over any connection established to this server. The PROXY protocol informs
9643 the other end about the layer 3/4 addresses of the incoming connection, so
9644 that it can know the client's address or the public address it accessed to,
9645 whatever the upper layer protocol. In addition, the SSL information extension
9646 of the PROXY protocol, along along with the Common Name from the subject of
9647 the client certificate (if any), is added to the PROXY protocol header. This
9648 setting must not be used if the server isn't aware of this version of the
9649 protocol. See also the "send-proxy-v2" option of the "bind" keyword.
9650
9651 Supported in default-server: No
9652
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009653slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009654 The "slowstart" parameter for a server accepts a value in milliseconds which
9655 indicates after how long a server which has just come back up will run at
9656 full speed. Just as with every other time-based parameter, it can be entered
9657 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
9658 linearly from 0 to 100% during this time. The limitation applies to two
9659 parameters :
9660
9661 - maxconn: the number of connections accepted by the server will grow from 1
9662 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
9663
9664 - weight: when the backend uses a dynamic weighted algorithm, the weight
9665 grows linearly from 1 to 100%. In this case, the weight is updated at every
9666 health-check. For this reason, it is important that the "inter" parameter
9667 is smaller than the "slowstart", in order to maximize the number of steps.
9668
9669 The slowstart never applies when haproxy starts, otherwise it would cause
9670 trouble to running servers. It only applies when a server has been previously
9671 seen as failed.
9672
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009673 Supported in default-server: Yes
9674
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009675source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02009676source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009677source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009678 The "source" parameter sets the source address which will be used when
9679 connecting to the server. It follows the exact same parameters and principle
9680 as the backend "source" keyword, except that it only applies to the server
9681 referencing it. Please consult the "source" keyword for details.
9682
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009683 Additionally, the "source" statement on a server line allows one to specify a
9684 source port range by indicating the lower and higher bounds delimited by a
9685 dash ('-'). Some operating systems might require a valid IP address when a
9686 source port range is specified. It is permitted to have the same IP/range for
9687 several servers. Doing so makes it possible to bypass the maximum of 64k
9688 total concurrent connections. The limit will then reach 64k connections per
9689 server.
9690
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009691 Supported in default-server: No
9692
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009693ssl
Willy Tarreau44f65392013-06-25 07:56:20 +02009694 This option enables SSL ciphering on outgoing connections to the server. It
9695 is critical to verify server certificates using "verify" when using SSL to
9696 connect to servers, otherwise the communication is prone to trivial man in
9697 the-middle attacks rendering SSL useless. When this option is used, health
9698 checks are automatically sent in SSL too unless there is a "port" or an
9699 "addr" directive indicating the check should be sent to a different location.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009700 See the "check-ssl" option to force SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +02009701
9702 Supported in default-server: No
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009703
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009704track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +02009705 This option enables ability to set the current state of the server by tracking
9706 another one. It is possible to track a server which itself tracks another
9707 server, provided that at the end of the chain, a server has health checks
9708 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009709 used, it has to be enabled on both proxies.
9710
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009711 Supported in default-server: No
9712
Emeric Brunef42d922012-10-11 16:11:36 +02009713verify [none|required]
9714 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +01009715 to 'none', server certificate is not verified. In the other case, The
9716 certificate provided by the server is verified using CAs from 'ca-file'
9717 and optional CRLs from 'crl-file'. If 'ssl_server_verify' is not specified
9718 in global section, this is the default. On verify failure the handshake
Willy Tarreau44f65392013-06-25 07:56:20 +02009719 is aborted. It is critically important to verify server certificates when
9720 using SSL to connect to servers, otherwise the communication is prone to
9721 trivial man-in-the-middle attacks rendering SSL totally useless.
Emeric Brunef42d922012-10-11 16:11:36 +02009722
9723 Supported in default-server: No
9724
Evan Broderbe554312013-06-27 00:05:25 -07009725verifyhost <hostname>
9726 This setting is only available when support for OpenSSL was built in, and
9727 only takes effect if 'verify required' is also specified. When set, the
9728 hostnames in the subject and subjectAlternateNames of the certificate
9729 provided by the server are checked. If none of the hostnames in the
9730 certificate match the specified hostname, the handshake is aborted. The
9731 hostnames in the server-provided certificate may include wildcards.
9732
9733 Supported in default-server: No
9734
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009735weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009736 The "weight" parameter is used to adjust the server's weight relative to
9737 other servers. All servers will receive a load proportional to their weight
9738 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02009739 load. The default weight is 1, and the maximal value is 256. A value of 0
9740 means the server will not participate in load-balancing but will still accept
9741 persistent connections. If this parameter is used to distribute the load
9742 according to server's capacity, it is recommended to start with values which
9743 can both grow and shrink, for instance between 10 and 100 to leave enough
9744 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009745
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009746 Supported in default-server: Yes
9747
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009748
97496. HTTP header manipulation
9750---------------------------
9751
9752In HTTP mode, it is possible to rewrite, add or delete some of the request and
9753response headers based on regular expressions. It is also possible to block a
9754request or a response if a particular header matches a regular expression,
9755which is enough to stop most elementary protocol attacks, and to protect
Willy Tarreau70dffda2014-01-30 03:07:23 +01009756against information leak from the internal network.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009757
Willy Tarreau70dffda2014-01-30 03:07:23 +01009758If HAProxy encounters an "Informational Response" (status code 1xx), it is able
9759to process all rsp* rules which can allow, deny, rewrite or delete a header,
9760but it will refuse to add a header to any such messages as this is not
9761HTTP-compliant. The reason for still processing headers in such responses is to
9762stop and/or fix any possible information leak which may happen, for instance
9763because another downstream equipment would unconditionally add a header, or if
9764a server name appears there. When such messages are seen, normal processing
9765still occurs on the next non-informational messages.
Willy Tarreau816b9792009-09-15 21:25:21 +02009766
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009767This section covers common usage of the following keywords, described in detail
9768in section 4.2 :
9769
9770 - reqadd <string>
9771 - reqallow <search>
9772 - reqiallow <search>
9773 - reqdel <search>
9774 - reqidel <search>
9775 - reqdeny <search>
9776 - reqideny <search>
9777 - reqpass <search>
9778 - reqipass <search>
9779 - reqrep <search> <replace>
9780 - reqirep <search> <replace>
9781 - reqtarpit <search>
9782 - reqitarpit <search>
9783 - rspadd <string>
9784 - rspdel <search>
9785 - rspidel <search>
9786 - rspdeny <search>
9787 - rspideny <search>
9788 - rsprep <search> <replace>
9789 - rspirep <search> <replace>
9790
9791With all these keywords, the same conventions are used. The <search> parameter
9792is a POSIX extended regular expression (regex) which supports grouping through
9793parenthesis (without the backslash). Spaces and other delimiters must be
9794prefixed with a backslash ('\') to avoid confusion with a field delimiter.
9795Other characters may be prefixed with a backslash to change their meaning :
9796
9797 \t for a tab
9798 \r for a carriage return (CR)
9799 \n for a new line (LF)
9800 \ to mark a space and differentiate it from a delimiter
9801 \# to mark a sharp and differentiate it from a comment
9802 \\ to use a backslash in a regex
9803 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
9804 \xXX to write the ASCII hex code XX as in the C language
9805
9806The <replace> parameter contains the string to be used to replace the largest
9807portion of text matching the regex. It can make use of the special characters
9808above, and can reference a substring which is delimited by parenthesis in the
9809regex, by writing a backslash ('\') immediately followed by one digit from 0 to
98109 indicating the group position (0 designating the entire line). This practice
9811is very common to users of the "sed" program.
9812
9813The <string> parameter represents the string which will systematically be added
9814after the last header line. It can also use special character sequences above.
9815
9816Notes related to these keywords :
9817---------------------------------
9818 - these keywords are not always convenient to allow/deny based on header
9819 contents. It is strongly recommended to use ACLs with the "block" keyword
9820 instead, resulting in far more flexible and manageable rules.
9821
9822 - lines are always considered as a whole. It is not possible to reference
9823 a header name only or a value only. This is important because of the way
9824 headers are written (notably the number of spaces after the colon).
9825
9826 - the first line is always considered as a header, which makes it possible to
9827 rewrite or filter HTTP requests URIs or response codes, but in turn makes
9828 it harder to distinguish between headers and request line. The regex prefix
9829 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
9830 ^[^ \t:]*: matches any header name followed by a colon.
9831
9832 - for performances reasons, the number of characters added to a request or to
9833 a response is limited at build time to values between 1 and 4 kB. This
9834 should normally be far more than enough for most usages. If it is too short
9835 on occasional usages, it is possible to gain some space by removing some
9836 useless headers before adding new ones.
9837
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009838 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009839 without the 'i' letter except that they ignore case when matching patterns.
9840
9841 - when a request passes through a frontend then a backend, all req* rules
9842 from the frontend will be evaluated, then all req* rules from the backend
9843 will be evaluated. The reverse path is applied to responses.
9844
9845 - req* statements are applied after "block" statements, so that "block" is
9846 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01009847 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009848
9849
Willy Tarreau74ca5042013-06-11 23:12:07 +020098507. Using ACLs and fetching samples
9851----------------------------------
9852
9853Haproxy is capable of extracting data from request or response streams, from
9854client or server information, from tables, environmental information etc...
9855The action of extracting such data is called fetching a sample. Once retrieved,
9856these samples may be used for various purposes such as a key to a stick-table,
9857but most common usages consist in matching them against predefined constant
9858data called patterns.
9859
9860
98617.1. ACL basics
9862---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009863
9864The use of Access Control Lists (ACL) provides a flexible solution to perform
9865content switching and generally to take decisions based on content extracted
9866from the request, the response or any environmental status. The principle is
9867simple :
9868
Willy Tarreau74ca5042013-06-11 23:12:07 +02009869 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009870 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +02009871 - apply one or multiple pattern matching methods on this sample
9872 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009873
Willy Tarreau74ca5042013-06-11 23:12:07 +02009874The actions generally consist in blocking a request, selecting a backend, or
9875adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009876
9877In order to define a test, the "acl" keyword is used. The syntax is :
9878
Willy Tarreau74ca5042013-06-11 23:12:07 +02009879 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009880
9881This creates a new ACL <aclname> or completes an existing one with new tests.
9882Those tests apply to the portion of request/response specified in <criterion>
9883and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009884an operator which may be specified before the set of values. Optionally some
9885conversion operators may be applied to the sample, and they will be specified
9886as a comma-delimited list of keywords just after the first keyword. The values
9887are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009888
9889ACL names must be formed from upper and lower case letters, digits, '-' (dash),
9890'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
9891which means that "my_acl" and "My_Acl" are two different ACLs.
9892
9893There is no enforced limit to the number of ACLs. The unused ones do not affect
9894performance, they just consume a small amount of memory.
9895
Willy Tarreau74ca5042013-06-11 23:12:07 +02009896The criterion generally is the name of a sample fetch method, or one of its ACL
9897specific declinations. The default test method is implied by the output type of
9898this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009899methods of a same sample fetch method. The sample fetch methods are the only
9900ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009901
9902Sample fetch methods return data which can be of the following types :
9903 - boolean
9904 - integer (signed or unsigned)
9905 - IPv4 or IPv6 address
9906 - string
9907 - data block
9908
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009909Converters transform any of these data into any of these. For example, some
9910converters might convert a string to a lower-case string while other ones
9911would turn a string to an IPv4 address, or apply a netmask to an IP address.
9912The resulting sample is of the type of the last converter applied to the list,
9913which defaults to the type of the sample fetch method.
9914
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009915Each sample or converter returns data of a specific type, specified with its
9916keyword in this documentation. When an ACL is declared using a standard sample
9917fetch method, certain types automatically involved a default matching method
9918which are summarized in the table below :
9919
9920 +---------------------+-----------------+
9921 | Sample or converter | Default |
9922 | output type | matching method |
9923 +---------------------+-----------------+
9924 | boolean | bool |
9925 +---------------------+-----------------+
9926 | integer | int |
9927 +---------------------+-----------------+
9928 | ip | ip |
9929 +---------------------+-----------------+
9930 | string | str |
9931 +---------------------+-----------------+
9932 | binary | none, use "-m" |
9933 +---------------------+-----------------+
9934
9935Note that in order to match a binary samples, it is mandatory to specify a
9936matching method, see below.
9937
Willy Tarreau74ca5042013-06-11 23:12:07 +02009938The ACL engine can match these types against patterns of the following types :
9939 - boolean
9940 - integer or integer range
9941 - IP address / network
9942 - string (exact, substring, suffix, prefix, subdir, domain)
9943 - regular expression
9944 - hex block
9945
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009946The following ACL flags are currently supported :
9947
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009948 -i : ignore case during matching of all subsequent patterns.
9949 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009950 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009951 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009952 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009953 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +02009954 -- : force end of flags. Useful when a string looks like one of the flags.
9955
Willy Tarreau74ca5042013-06-11 23:12:07 +02009956The "-f" flag is followed by the name of a file from which all lines will be
9957read as individual values. It is even possible to pass multiple "-f" arguments
9958if the patterns are to be loaded from multiple files. Empty lines as well as
9959lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
9960will be stripped. If it is absolutely necessary to insert a valid pattern
9961beginning with a sharp, just prefix it with a space so that it is not taken for
9962a comment. Depending on the data type and match method, haproxy may load the
9963lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
9964exact string matching. In this case, duplicates will automatically be removed.
9965
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009966The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
9967parsed as two column file. The first column contains the patterns used by the
9968ACL, and the second column contain the samples. The sample can be used later by
9969a map. This can be useful in some rare cases where an ACL would just be used to
9970check for the existence of a pattern in a map before a mapping is applied.
9971
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009972The "-u" flag forces the unique id of the ACL. This unique id is used with the
9973socket interface to identify ACL and dynamically change its values. Note that a
9974file is always identified by its name even if an id is set.
9975
Willy Tarreau74ca5042013-06-11 23:12:07 +02009976Also, note that the "-i" flag applies to subsequent entries and not to entries
9977loaded from files preceding it. For instance :
9978
9979 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
9980
9981In this example, each line of "exact-ua.lst" will be exactly matched against
9982the "user-agent" header of the request. Then each line of "generic-ua" will be
9983case-insensitively matched. Then the word "test" will be insensitively matched
9984as well.
9985
9986The "-m" flag is used to select a specific pattern matching method on the input
9987sample. All ACL-specific criteria imply a pattern matching method and generally
9988do not need this flag. However, this flag is useful with generic sample fetch
9989methods to describe how they're going to be matched against the patterns. This
9990is required for sample fetches which return data type for which there is no
9991obvious matching method (eg: string or binary). When "-m" is specified and
9992followed by a pattern matching method name, this method is used instead of the
9993default one for the criterion. This makes it possible to match contents in ways
9994that were not initially planned, or with sample fetch methods which return a
9995string. The matching method also affects the way the patterns are parsed.
9996
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009997The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
9998By default, if the parser cannot parse ip address it considers that the parsed
9999string is maybe a domain name and try dns resolution. The flag "-n" disable this
10000resolution. It is useful for detecting malformed ip lists. Note that if the DNS
10001server is not reachable, the haproxy configuration parsing may last many minutes
10002waiting fir the timeout. During this time no error messages are displayed. The
10003flag "-n" disable this behavior. Note also that during the runtime, this
10004function is disabled for the dynamic acl modifications.
10005
Willy Tarreau74ca5042013-06-11 23:12:07 +020010006There are some restrictions however. Not all methods can be used with all
10007sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
10008be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +020010009
10010 - "found" : only check if the requested sample could be found in the stream,
10011 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +020010012 to pass any pattern to avoid confusion. This matching method is
10013 particularly useful to detect presence of certain contents such
10014 as headers, cookies, etc... even if they are empty and without
10015 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010016
10017 - "bool" : check the value as a boolean. It can only be applied to fetches
10018 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010019 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010020
10021 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +020010022 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010023
10024 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +020010025 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010026
10027 - "bin" : match the contents against an hexadecimal string representing a
10028 binary sequence. This may be used with binary or string samples.
10029
10030 - "len" : match the sample's length as an integer. This may be used with
10031 binary or string samples.
10032
Willy Tarreau74ca5042013-06-11 23:12:07 +020010033 - "str" : exact match : match the contents against a string. This may be
10034 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010035
Willy Tarreau74ca5042013-06-11 23:12:07 +020010036 - "sub" : substring match : check that the contents contain at least one of
10037 the provided string patterns. This may be used with binary or
10038 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010039
Willy Tarreau74ca5042013-06-11 23:12:07 +020010040 - "reg" : regex match : match the contents against a list of regular
10041 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010042
Willy Tarreau74ca5042013-06-11 23:12:07 +020010043 - "beg" : prefix match : check that the contents begin like the provided
10044 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010045
Willy Tarreau74ca5042013-06-11 23:12:07 +020010046 - "end" : suffix match : check that the contents end like the provided
10047 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010048
Willy Tarreau74ca5042013-06-11 23:12:07 +020010049 - "dir" : subdir match : check that a slash-delimited portion of the
10050 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010051 This may be used with binary or string samples.
10052
Willy Tarreau74ca5042013-06-11 23:12:07 +020010053 - "dom" : domain match : check that a dot-delimited portion of the contents
10054 exactly match one of the provided string patterns. This may be
10055 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020010056
10057For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
10058request, it is possible to do :
10059
10060 acl jsess_present cook(JSESSIONID) -m found
10061
10062In order to apply a regular expression on the 500 first bytes of data in the
10063buffer, one would use the following acl :
10064
10065 acl script_tag payload(0,500) -m reg -i <script>
10066
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010067On systems where the regex library is much slower when using "-i", it is
10068possible to convert the sample to lowercase before matching, like this :
10069
10070 acl script_tag payload(0,500),lower -m reg <script>
10071
Willy Tarreau74ca5042013-06-11 23:12:07 +020010072All ACL-specific criteria imply a default matching method. Most often, these
10073criteria are composed by concatenating the name of the original sample fetch
10074method and the matching method. For example, "hdr_beg" applies the "beg" match
10075to samples retrieved using the "hdr" fetch method. Since all ACL-specific
10076criteria rely on a sample fetch method, it is always possible instead to use
10077the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010078
Willy Tarreau74ca5042013-06-11 23:12:07 +020010079If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010080the matching method is simply applied to the underlying sample fetch method.
10081For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010082
Willy Tarreau74ca5042013-06-11 23:12:07 +020010083 acl short_form hdr_beg(host) www.
10084 acl alternate1 hdr_beg(host) -m beg www.
10085 acl alternate2 hdr_dom(host) -m beg www.
10086 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010087
Willy Tarreau2b5285d2010-05-09 23:45:24 +020010088
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010089The table below summarizes the compatibility matrix between sample or converter
10090types and the pattern types to fetch against. It indicates for each compatible
10091combination the name of the matching method to be used, surrounded with angle
10092brackets ">" and "<" when the method is the default one and will work by
10093default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +010010094
Willy Tarreau74ca5042013-06-11 23:12:07 +020010095 +-------------------------------------------------+
10096 | Input sample type |
10097 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010098 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010099 +----------------------+---------+---------+---------+---------+---------+
10100 | none (presence only) | found | found | found | found | found |
10101 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010102 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010103 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010104 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010105 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010106 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010107 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010108 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010109 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020010110 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010111 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010112 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010113 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010114 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010115 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010116 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010117 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010118 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010119 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010120 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010121 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010010122 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020010123 +----------------------+---------+---------+---------+---------+---------+
10124 | hex block | | | | bin | bin |
10125 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +020010126
10127
Willy Tarreau74ca5042013-06-11 23:12:07 +0200101287.1.1. Matching booleans
10129------------------------
10130
10131In order to match a boolean, no value is needed and all values are ignored.
10132Boolean matching is used by default for all fetch methods of type "boolean".
10133When boolean matching is used, the fetched value is returned as-is, which means
10134that a boolean "true" will always match and a boolean "false" will never match.
10135
10136Boolean matching may also be enforced using "-m bool" on fetch methods which
10137return an integer value. Then, integer value 0 is converted to the boolean
10138"false" and all other values are converted to "true".
10139
Willy Tarreau6a06a402007-07-15 20:15:28 +020010140
Willy Tarreau74ca5042013-06-11 23:12:07 +0200101417.1.2. Matching integers
10142------------------------
10143
10144Integer matching applies by default to integer fetch methods. It can also be
10145enforced on boolean fetches using "-m int". In this case, "false" is converted
10146to the integer 0, and "true" is converted to the integer 1.
10147
10148Integer matching also supports integer ranges and operators. Note that integer
10149matching only applies to positive values. A range is a value expressed with a
10150lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010151
10152For instance, "1024:65535" is a valid range to represent a range of
10153unprivileged ports, and "1024:" would also work. "0:1023" is a valid
10154representation of privileged ports, and ":1023" would also work.
10155
Willy Tarreau62644772008-07-16 18:36:06 +020010156As a special case, some ACL functions support decimal numbers which are in fact
10157two integers separated by a dot. This is used with some version checks for
10158instance. All integer properties apply to those decimal numbers, including
10159ranges and operators.
10160
Willy Tarreau6a06a402007-07-15 20:15:28 +020010161For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +010010162operators with ranges does not make much sense and is strongly discouraged.
10163Similarly, it does not make much sense to perform order comparisons with a set
10164of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010165
Willy Tarreau0ba27502007-12-24 16:55:16 +010010166Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +020010167
10168 eq : true if the tested value equals at least one value
10169 ge : true if the tested value is greater than or equal to at least one value
10170 gt : true if the tested value is greater than at least one value
10171 le : true if the tested value is less than or equal to at least one value
10172 lt : true if the tested value is less than at least one value
10173
Willy Tarreau0ba27502007-12-24 16:55:16 +010010174For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +020010175
10176 acl negative-length hdr_val(content-length) lt 0
10177
Willy Tarreau62644772008-07-16 18:36:06 +020010178This one matches SSL versions between 3.0 and 3.1 (inclusive) :
10179
10180 acl sslv3 req_ssl_ver 3:3.1
10181
Willy Tarreau6a06a402007-07-15 20:15:28 +020010182
Willy Tarreau74ca5042013-06-11 23:12:07 +0200101837.1.3. Matching strings
10184-----------------------
10185
10186String matching applies to string or binary fetch methods, and exists in 6
10187different forms :
10188
10189 - exact match (-m str) : the extracted string must exactly match the
10190 patterns ;
10191
10192 - substring match (-m sub) : the patterns are looked up inside the
10193 extracted string, and the ACL matches if any of them is found inside ;
10194
10195 - prefix match (-m beg) : the patterns are compared with the beginning of
10196 the extracted string, and the ACL matches if any of them matches.
10197
10198 - suffix match (-m end) : the patterns are compared with the end of the
10199 extracted string, and the ACL matches if any of them matches.
10200
10201 - subdir match (-m sub) : the patterns are looked up inside the extracted
10202 string, delimited with slashes ("/"), and the ACL matches if any of them
10203 matches.
10204
10205 - domain match (-m dom) : the patterns are looked up inside the extracted
10206 string, delimited with dots ("."), and the ACL matches if any of them
10207 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010208
10209String matching applies to verbatim strings as they are passed, with the
10210exception of the backslash ("\") which makes it possible to escape some
10211characters such as the space. If the "-i" flag is passed before the first
10212string, then the matching will be performed ignoring the case. In order
10213to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +010010214before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020010215
10216
Willy Tarreau74ca5042013-06-11 23:12:07 +0200102177.1.4. Matching regular expressions (regexes)
10218---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020010219
10220Just like with string matching, regex matching applies to verbatim strings as
10221they are passed, with the exception of the backslash ("\") which makes it
10222possible to escape some characters such as the space. If the "-i" flag is
10223passed before the first regex, then the matching will be performed ignoring
10224the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +010010225the "--" flag before the first string. Same principle applies of course to
10226match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020010227
10228
Willy Tarreau74ca5042013-06-11 23:12:07 +0200102297.1.5. Matching arbitrary data blocks
10230-------------------------------------
10231
10232It is possible to match some extracted samples against a binary block which may
10233not safely be represented as a string. For this, the patterns must be passed as
10234a series of hexadecimal digits in an even number, when the match method is set
10235to binary. Each sequence of two digits will represent a byte. The hexadecimal
10236digits may be used upper or lower case.
10237
10238Example :
10239 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
10240 acl hello payload(0,6) -m bin 48656c6c6f0a
10241
10242
102437.1.6. Matching IPv4 and IPv6 addresses
10244---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020010245
10246IPv4 addresses values can be specified either as plain addresses or with a
10247netmask appended, in which case the IPv4 address matches whenever it is
10248within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010010249host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +010010250difficult to read and debug configurations. If hostnames are used, you should
10251at least ensure that they are present in /etc/hosts so that the configuration
10252does not depend on any random DNS match at the moment the configuration is
10253parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010254
Willy Tarreauceb4ac92012-04-28 00:41:46 +020010255IPv6 may be entered in their usual form, with or without a netmask appended.
10256Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
10257trouble with randomly resolved IP addresses, host names are never allowed in
10258IPv6 patterns.
10259
10260HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
10261following situations :
10262 - tested address is IPv4, pattern address is IPv4, the match applies
10263 in IPv4 using the supplied mask if any.
10264 - tested address is IPv6, pattern address is IPv6, the match applies
10265 in IPv6 using the supplied mask if any.
10266 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
10267 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
10268 ::IPV4 or ::ffff:IPV4, otherwise it fails.
10269 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
10270 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
10271 applied in IPv6 using the supplied IPv6 mask.
10272
Willy Tarreau74ca5042013-06-11 23:12:07 +020010273
102747.2. Using ACLs to form conditions
10275----------------------------------
10276
10277Some actions are only performed upon a valid condition. A condition is a
10278combination of ACLs with operators. 3 operators are supported :
10279
10280 - AND (implicit)
10281 - OR (explicit with the "or" keyword or the "||" operator)
10282 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +020010283
Willy Tarreau74ca5042013-06-11 23:12:07 +020010284A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +020010285
Willy Tarreau74ca5042013-06-11 23:12:07 +020010286 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +020010287
Willy Tarreau74ca5042013-06-11 23:12:07 +020010288Such conditions are generally used after an "if" or "unless" statement,
10289indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +020010290
Willy Tarreau74ca5042013-06-11 23:12:07 +020010291For instance, to block HTTP requests to the "*" URL with methods other than
10292"OPTIONS", as well as POST requests without content-length, and GET or HEAD
10293requests with a content-length greater than 0, and finally every request which
10294is not either GET/HEAD/POST/OPTIONS !
10295
10296 acl missing_cl hdr_cnt(Content-length) eq 0
10297 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
10298 block if METH_GET HTTP_CONTENT
10299 block unless METH_GET or METH_POST or METH_OPTIONS
10300
10301To select a different backend for requests to static contents on the "www" site
10302and to every request on the "img", "video", "download" and "ftp" hosts :
10303
10304 acl url_static path_beg /static /images /img /css
10305 acl url_static path_end .gif .png .jpg .css .js
10306 acl host_www hdr_beg(host) -i www
10307 acl host_static hdr_beg(host) -i img. video. download. ftp.
10308
10309 # now use backend "static" for all static-only hosts, and for static urls
10310 # of host "www". Use backend "www" for the rest.
10311 use_backend static if host_static or host_www url_static
10312 use_backend www if host_www
10313
10314It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
10315expressions that are built on the fly without needing to be declared. They must
10316be enclosed between braces, with a space before and after each brace (because
10317the braces must be seen as independent words). Example :
10318
10319 The following rule :
10320
10321 acl missing_cl hdr_cnt(Content-length) eq 0
10322 block if METH_POST missing_cl
10323
10324 Can also be written that way :
10325
10326 block if METH_POST { hdr_cnt(Content-length) eq 0 }
10327
10328It is generally not recommended to use this construct because it's a lot easier
10329to leave errors in the configuration when written that way. However, for very
10330simple rules matching only one source IP address for instance, it can make more
10331sense to use them than to declare ACLs with random names. Another example of
10332good use is the following :
10333
10334 With named ACLs :
10335
10336 acl site_dead nbsrv(dynamic) lt 2
10337 acl site_dead nbsrv(static) lt 2
10338 monitor fail if site_dead
10339
10340 With anonymous ACLs :
10341
10342 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
10343
10344See section 4.2 for detailed help on the "block" and "use_backend" keywords.
10345
10346
103477.3. Fetching samples
10348---------------------
10349
10350Historically, sample fetch methods were only used to retrieve data to match
10351against patterns using ACLs. With the arrival of stick-tables, a new class of
10352sample fetch methods was created, most often sharing the same syntax as their
10353ACL counterpart. These sample fetch methods are also known as "fetches". As
10354of now, ACLs and fetches have converged. All ACL fetch methods have been made
10355available as fetch methods, and ACLs may use any sample fetch method as well.
10356
10357This section details all available sample fetch methods and their output type.
10358Some sample fetch methods have deprecated aliases that are used to maintain
10359compatibility with existing configurations. They are then explicitly marked as
10360deprecated and should not be used in new setups.
10361
10362The ACL derivatives are also indicated when available, with their respective
10363matching methods. These ones all have a well defined default pattern matching
10364method, so it is never necessary (though allowed) to pass the "-m" option to
10365indicate how the sample will be matched using ACLs.
10366
10367As indicated in the sample type versus matching compatibility matrix above,
10368when using a generic sample fetch method in an ACL, the "-m" option is
10369mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
10370the same keyword exists as an ACL keyword and as a standard fetch method, the
10371ACL engine will automatically pick the ACL-only one by default.
10372
10373Some of these keywords support one or multiple mandatory arguments, and one or
10374multiple optional arguments. These arguments are strongly typed and are checked
10375when the configuration is parsed so that there is no risk of running with an
10376incorrect argument (eg: an unresolved backend name). Fetch function arguments
10377are passed between parenthesis and are delimited by commas. When an argument
10378is optional, it will be indicated below between square brackets ('[ ]'). When
10379all arguments are optional, the parenthesis may be omitted.
10380
10381Thus, the syntax of a standard sample fetch method is one of the following :
10382 - name
10383 - name(arg1)
10384 - name(arg1,arg2)
10385
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010386
103877.3.1. Converters
10388-----------------
10389
Willy Tarreaue6b11e42013-11-26 19:02:32 +010010390Sample fetch methods may be combined with transformations to be applied on top
10391of the fetched sample (also called "converters"). These combinations form what
10392is called "sample expressions" and the result is a "sample". Initially this
10393was only supported by "stick on" and "stick store-request" directives but this
10394has now be extended to all places where samples may be used (acls, log-format,
10395unique-id-format, add-header, ...).
10396
10397These transformations are enumerated as a series of specific keywords after the
10398sample fetch method. These keywords may equally be appended immediately after
10399the fetch keyword's argument, delimited by a comma. These keywords can also
10400support some arguments (eg: a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +010010401
Willy Tarreau97707872015-01-27 15:12:13 +010010402A certain category of converters are bitwise and arithmetic operators which
10403support performing basic operations on integers. Some bitwise operations are
10404supported (and, or, xor, cpl) and some arithmetic operations are supported
10405(add, sub, mul, div, mod, neg). Some comparators are provided (odd, even, not,
10406bool) which make it possible to report a match without having to write an ACL.
10407
Willy Tarreau74ca5042013-06-11 23:12:07 +020010408The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +010010409
Willy Tarreau97707872015-01-27 15:12:13 +010010410add(<value>)
10411 Adds <value> to the input value of type unsigned integer, and returns the
10412 result as an unsigned integer.
10413
10414and(<value>)
10415 Performs a bitwise "AND" between <value> and the input value of type unsigned
10416 integer, and returns the result as an unsigned integer.
10417
Emeric Brun53d1a982014-04-30 18:21:37 +020010418base64
10419 Converts a binary input sample to a base64 string. It is used to log or
10420 transfer binary content in a way that can be reliably transferred (eg:
10421 an SSL ID can be copied in a header).
10422
Willy Tarreau97707872015-01-27 15:12:13 +010010423bool
10424 Returns a boolean TRUE if the input value of type unsigned integer is
10425 non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
10426 used to report true/false for bit testing on input values (eg: verify the
10427 presence of a flag).
10428
Emeric Brun54c4ac82014-11-03 15:32:43 +010010429bytes(<offset>[,<length>])
10430 Extracts some bytes from an input binary sample. The result is a binary
10431 sample starting at an offset (in bytes) of the original sample and
10432 optionnaly truncated at the given length.
10433
Willy Tarreau97707872015-01-27 15:12:13 +010010434cpl
10435 Takes the input value of type unsigned integer, applies a twos-complement
10436 (flips all bits) and returns the result as an unsigned integer.
10437
Willy Tarreau80599772015-01-20 19:35:24 +010010438crc32([<avalanche>])
10439 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32
10440 hash function. Optionally, it is possible to apply a full avalanche hash
10441 function to the output if the optional <avalanche> argument equals 1. This
10442 converter uses the same functions as used by the various hash-based load
10443 balancing algorithms, so it will provide exactly the same results. It is
10444 provided for compatibility with other software which want a CRC32 to be
10445 computed on some input keys, so it follows the most common implementation as
10446 found in Ethernet, Gzip, PNG, etc... It is slower than the other algorithms
10447 but may provide a better or at least less predictable distribution. It must
10448 not be used for security purposes as a 32-bit hash is trivial to break. See
10449 also "djb2", "sdbm", "wt6" and the "hash-type" directive.
10450
Willy Tarreau97707872015-01-27 15:12:13 +010010451div(<value>)
10452 Divides the input value of type unsigned integer by <value>, and returns the
10453 result as an unsigned integer. If <value> is null, the largest unsigned
10454 integer is returned (typically 2^32-1).
10455
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010456djb2([<avalanche>])
10457 Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
10458 hash function. Optionally, it is possible to apply a full avalanche hash
10459 function to the output if the optional <avalanche> argument equals 1. This
10460 converter uses the same functions as used by the various hash-based load
10461 balancing algorithms, so it will provide exactly the same results. It is
10462 mostly intended for debugging, but can be used as a stick-table entry to
10463 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010010464 32-bit hash is trivial to break. See also "crc32", "sdbm", "wt6" and the
10465 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010466
Willy Tarreau97707872015-01-27 15:12:13 +010010467even
10468 Returns a boolean TRUE if the input value of type unsigned integer is even
10469 otherwise returns FALSE. It is functionally equivalent to "not,and(1),bool".
10470
Emeric Brunf399b0d2014-11-03 17:07:03 +010010471field(<index>,<delimiters>)
10472 Extracts the substring at the given index considering given delimiters from
10473 an input string. Indexes start at 1 and delimiters are a string formatted
10474 list of chars.
10475
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010476hex
10477 Converts a binary input sample to an hex string containing two hex digits per
10478 input byte. It is used to log or transfer hex dumps of some binary input data
10479 in a way that can be reliably transferred (eg: an SSL ID can be copied in a
10480 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +010010481
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010482http_date([<offset>])
10483 Converts an integer supposed to contain a date since epoch to a string
10484 representing this date in a format suitable for use in HTTP header fields. If
10485 an offset value is specified, then it is a number of seconds that is added to
10486 the date before the conversion is operated. This is particularly useful to
10487 emit Date header fields, Expires values in responses when combined with a
10488 positive offset, or Last-Modified values when the offset is negative.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010489
Willy Tarreaud9f316a2014-07-10 14:03:38 +020010490in_table(<table>)
10491 Uses the string representation of the input sample to perform a look up in
10492 the specified table. If the key is not found in the table, a boolean false
10493 is returned. Otherwise a boolean true is returned. This can be used to verify
10494 the presence of a certain key in a table tracking some elements (eg: whether
10495 or not a source IP address or an Authorization header was already seen).
10496
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010497ipmask(<mask>)
10498 Apply a mask to an IPv4 address, and use the result for lookups and storage.
10499 This can be used to make all hosts within a certain mask to share the same
10500 table entries and as such use the same server. The mask can be passed in
10501 dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
10502
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020010503json([<input-code>])
10504 Escapes the input string and produces an ASCII ouput string ready to use as a
10505 JSON string. The converter tries to decode the input string according to the
10506 <input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8"" or
10507 "utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
10508 of errors:
10509 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
10510 bytes, ...)
10511 - invalid range (the decoded value is within a UTF-8 prohibited range),
10512 - code overlong (the value is encoded with more bytes than necessary).
10513
10514 The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
10515 character is greater than 0xffff because the JSON string escape specification
10516 only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
10517 in 4 variants designated by a combination of two suffix letters : "p" for
10518 "permissive" and "s" for "silently ignore". The behaviors of the decoders
10519 are :
10520 - "ascii" : never fails ;
10521 - "utf8" : fails on any detected errors ;
10522 - "utf8s" : never fails, but removes characters corresponding to errors ;
10523 - "utf8p" : accepts and fixes the overlong errors, but fails on any other
10524 error ;
10525 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
10526 characters corresponding to the other errors.
10527
10528 This converter is particularly useful for building properly escaped JSON for
10529 logging to servers which consume JSON-formated traffic logs.
10530
10531 Example:
10532 capture request header user-agent len 150
10533 capture request header Host len 15
10534 log-format {"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json]"}
10535
10536 Input request from client 127.0.0.1:
10537 GET / HTTP/1.0
10538 User-Agent: Very "Ugly" UA 1/2
10539
10540 Output log:
10541 {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}
10542
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010543language(<value>[,<default>])
10544 Returns the value with the highest q-factor from a list as extracted from the
10545 "accept-language" header using "req.fhdr". Values with no q-factor have a
10546 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
10547 belong to the list of semi-colon delimited <values> will be considered. The
10548 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
10549 given list and a default value is provided, it is returned. Note that language
10550 names may have a variant after a dash ('-'). If this variant is present in the
10551 list, it will be matched, but if it is not, only the base language is checked.
10552 The match is case-sensitive, and the output string is always one of those
10553 provided in arguments. The ordering of arguments is meaningless, only the
10554 ordering of the values in the request counts, as the first value among
10555 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +020010556
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010557 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +020010558
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010559 # this configuration switches to the backend matching a
10560 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +020010561
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010562 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
10563 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
10564 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
10565 use_backend spanish if es
10566 use_backend french if fr
10567 use_backend english if en
10568 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +020010569
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010570lower
10571 Convert a string sample to lower case. This can only be placed after a string
10572 sample fetch function or after a transformation keyword returning a string
10573 type. The result is of type string.
10574
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020010575ltime(<format>[,<offset>])
10576 Converts an integer supposed to contain a date since epoch to a string
10577 representing this date in local time using a format defined by the <format>
10578 string using strftime(3). The purpose is to allow any date format to be used
10579 in logs. An optional <offset> in seconds may be applied to the input date
10580 (positive or negative). See the strftime() man page for the format supported
10581 by your operating system. See also the utime converter.
10582
10583 Example :
10584
10585 # Emit two colons, one with the local time and another with ip:port
10586 # Eg: 20140710162350 127.0.0.1:57325
10587 log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp
10588
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010589map(<map_file>[,<default_value>])
10590map_<match_type>(<map_file>[,<default_value>])
10591map_<match_type>_<output_type>(<map_file>[,<default_value>])
10592 Search the input value from <map_file> using the <match_type> matching method,
10593 and return the associated value converted to the type <output_type>. If the
10594 input value cannot be found in the <map_file>, the converter returns the
10595 <default_value>. If the <default_value> is not set, the converter fails and
10596 acts as if no input value could be fetched. If the <match_type> is not set, it
10597 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
10598 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
10599 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010600
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010601 It is important to avoid overlapping between the keys : IP addresses and
10602 strings are stored in trees, so the first of the finest match will be used.
10603 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010604
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010605 The following array contains the list of all map functions avalaible sorted by
10606 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010607
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010608 input type | match method | output type str | output type int | output type ip
10609 -----------+--------------+-----------------+-----------------+---------------
10610 str | str | map_str | map_str_int | map_str_ip
10611 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +020010612 str | beg | map_beg | map_beg_int | map_end_ip
10613 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010614 str | sub | map_sub | map_sub_int | map_sub_ip
10615 -----------+--------------+-----------------+-----------------+---------------
10616 str | dir | map_dir | map_dir_int | map_dir_ip
10617 -----------+--------------+-----------------+-----------------+---------------
10618 str | dom | map_dom | map_dom_int | map_dom_ip
10619 -----------+--------------+-----------------+-----------------+---------------
10620 str | end | map_end | map_end_int | map_end_ip
10621 -----------+--------------+-----------------+-----------------+---------------
10622 str | reg | map_reg | map_reg_int | map_reg_ip
10623 -----------+--------------+-----------------+-----------------+---------------
10624 int | int | map_int | map_int_int | map_int_ip
10625 -----------+--------------+-----------------+-----------------+---------------
10626 ip | ip | map_ip | map_ip_int | map_ip_ip
10627 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010628
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010629 The file contains one key + value per line. Lines which start with '#' are
10630 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
10631 is then the first "word" (series of non-space/tabs characters), and the value
10632 is what follows this series of space/tab till the end of the line excluding
10633 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010634
Thierry FOURNIER060762e2014-04-23 13:29:15 +020010635 Example :
10636
10637 # this is a comment and is ignored
10638 2.22.246.0/23 United Kingdom \n
10639 <-><-----------><--><------------><---->
10640 | | | | `- trailing spaces ignored
10641 | | | `---------- value
10642 | | `-------------------- middle spaces ignored
10643 | `---------------------------- key
10644 `------------------------------------ leading spaces ignored
10645
Willy Tarreau97707872015-01-27 15:12:13 +010010646mod(<value>)
10647 Divides the input value of type unsigned integer by <value>, and returns the
10648 remainder as an unsigned integer. If <value> is null, then zero is returned.
10649
10650mul(<value>)
10651 Multiplies the input value of type unsigned integer by <value>, and returns
10652 the product as an unsigned integer. In case of overflow, the higher bits are
10653 lost, leading to seemingly strange values.
10654
10655neg
10656 Takes the input value of type unsigned integer, computes the opposite value,
10657 and returns the remainder as an unsigned integer. 0 is identity. This
10658 operator is provided for reversed subtracts : in order to subtract the input
10659 from a constant, simply perform a "neg,add(value)".
10660
10661not
10662 Returns a boolean FALSE if the input value of type unsigned integer is
10663 non-null, otherwise returns TRUE. Used in conjunction with and(), it can be
10664 used to report true/false for bit testing on input values (eg: verify the
10665 absence of a flag).
10666
10667odd
10668 Returns a boolean TRUE if the input value of type unsigned integer is odd
10669 otherwise returns FALSE. It is functionally equivalent to "and(1),bool".
10670
10671or(<value>)
10672 Performs a bitwise "OR" between <value> and the input value of type unsigned
10673 integer, and returns the result as an unsigned integer.
10674
Willy Tarreauc4dc3502015-01-23 20:39:28 +010010675regsub(<regex>,<subst>[,<flags>])
Willy Tarreau7eda8492015-01-20 19:47:06 +010010676 Applies a regex-based substitution to the input string. It does the same
10677 operation as the well-known "sed" utility with "s/<regex>/<subst>/". By
10678 default it will replace in the input string the first occurrence of the
10679 largest part matching the regular expression <regex> with the substitution
10680 string <subst>. It is possible to replace all occurrences instead by adding
10681 the flag "g" in the third argument <flags>. It is also possible to make the
10682 regex case insensitive by adding the flag "i" in <flags>. Since <flags> is a
10683 string, it is made up from the concatenation of all desired flags. Thus if
10684 both "i" and "g" are desired, using "gi" or "ig" will have the same effect.
10685 It is important to note that due to the current limitations of the
10686 configuration parser, some characters such as closing parenthesis or comma
10687 are not possible to use in the arguments. The first use of this converter is
10688 to replace certain characters or sequence of characters with other ones.
10689
10690 Example :
10691
10692 # de-duplicate "/" in header "x-path".
10693 # input: x-path: /////a///b/c/xzxyz/
10694 # output: x-path: /a/b/c/xzxyz/
10695 http-request set-header x-path %[hdr(x-path),regsub(/+,/,g)]
10696
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010697sdbm([<avalanche>])
10698 Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
10699 hash function. Optionally, it is possible to apply a full avalanche hash
10700 function to the output if the optional <avalanche> argument equals 1. This
10701 converter uses the same functions as used by the various hash-based load
10702 balancing algorithms, so it will provide exactly the same results. It is
10703 mostly intended for debugging, but can be used as a stick-table entry to
10704 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010010705 32-bit hash is trivial to break. See also "crc32", "djb2", "wt6" and the
10706 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010707
Willy Tarreau97707872015-01-27 15:12:13 +010010708sub(<value>)
10709 Subtracts <value> from the input value of type unsigned integer, and returns
10710 the result as an unsigned integer. Note: in order to subtract the input from
10711 a constant, simply perform a "neg,add(value)".
10712
Willy Tarreaud9f316a2014-07-10 14:03:38 +020010713table_bytes_in_rate(<table>)
10714 Uses the string representation of the input sample to perform a look up in
10715 the specified table. If the key is not found in the table, integer value zero
10716 is returned. Otherwise the converter returns the average client-to-server
10717 bytes rate associated with the input sample in the designated table, measured
10718 in amount of bytes over the period configured in the table. See also the
10719 sc_bytes_in_rate sample fetch keyword.
10720
10721
10722table_bytes_out_rate(<table>)
10723 Uses the string representation of the input sample to perform a look up in
10724 the specified table. If the key is not found in the table, integer value zero
10725 is returned. Otherwise the converter returns the average server-to-client
10726 bytes rate associated with the input sample in the designated table, measured
10727 in amount of bytes over the period configured in the table. See also the
10728 sc_bytes_out_rate sample fetch keyword.
10729
10730table_conn_cnt(<table>)
10731 Uses the string representation of the input sample to perform a look up in
10732 the specified table. If the key is not found in the table, integer value zero
10733 is returned. Otherwise the converter returns the cumulated amount of incoming
10734 connections associated with the input sample in the designated table. See
10735 also the sc_conn_cnt sample fetch keyword.
10736
10737table_conn_cur(<table>)
10738 Uses the string representation of the input sample to perform a look up in
10739 the specified table. If the key is not found in the table, integer value zero
10740 is returned. Otherwise the converter returns the current amount of concurrent
10741 tracked connections associated with the input sample in the designated table.
10742 See also the sc_conn_cur sample fetch keyword.
10743
10744table_conn_rate(<table>)
10745 Uses the string representation of the input sample to perform a look up in
10746 the specified table. If the key is not found in the table, integer value zero
10747 is returned. Otherwise the converter returns the average incoming connection
10748 rate associated with the input sample in the designated table. See also the
10749 sc_conn_rate sample fetch keyword.
10750
10751table_gpc0(<table>)
10752 Uses the string representation of the input sample to perform a look up in
10753 the specified table. If the key is not found in the table, integer value zero
10754 is returned. Otherwise the converter returns the current value of the first
10755 general purpose counter associated with the input sample in the designated
10756 table. See also the sc_get_gpc0 sample fetch keyword.
10757
10758table_gpc0_rate(<table>)
10759 Uses the string representation of the input sample to perform a look up in
10760 the specified table. If the key is not found in the table, integer value zero
10761 is returned. Otherwise the converter returns the frequency which the gpc0
10762 counter was incremented over the configured period in the table, associated
10763 with the input sample in the designated table. See also the sc_get_gpc0_rate
10764 sample fetch keyword.
10765
10766table_http_err_cnt(<table>)
10767 Uses the string representation of the input sample to perform a look up in
10768 the specified table. If the key is not found in the table, integer value zero
10769 is returned. Otherwise the converter returns the cumulated amount of HTTP
10770 errors associated with the input sample in the designated table. See also the
10771 sc_http_err_cnt sample fetch keyword.
10772
10773table_http_err_rate(<table>)
10774 Uses the string representation of the input sample to perform a look up in
10775 the specified table. If the key is not found in the table, integer value zero
10776 is returned. Otherwise the average rate of HTTP errors associated with the
10777 input sample in the designated table, measured in amount of errors over the
10778 period configured in the table. See also the sc_http_err_rate sample fetch
10779 keyword.
10780
10781table_http_req_cnt(<table>)
10782 Uses the string representation of the input sample to perform a look up in
10783 the specified table. If the key is not found in the table, integer value zero
10784 is returned. Otherwise the converter returns the cumulated amount of HTTP
10785 requests associated with the input sample in the designated table. See also
10786 the sc_http_req_cnt sample fetch keyword.
10787
10788table_http_req_rate(<table>)
10789 Uses the string representation of the input sample to perform a look up in
10790 the specified table. If the key is not found in the table, integer value zero
10791 is returned. Otherwise the average rate of HTTP requests associated with the
10792 input sample in the designated table, measured in amount of requests over the
10793 period configured in the table. See also the sc_http_req_rate sample fetch
10794 keyword.
10795
10796table_kbytes_in(<table>)
10797 Uses the string representation of the input sample to perform a look up in
10798 the specified table. If the key is not found in the table, integer value zero
10799 is returned. Otherwise the converter returns the cumulated amount of client-
10800 to-server data associated with the input sample in the designated table,
10801 measured in kilobytes. The test is currently performed on 32-bit integers,
10802 which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
10803 keyword.
10804
10805table_kbytes_out(<table>)
10806 Uses the string representation of the input sample to perform a look up in
10807 the specified table. If the key is not found in the table, integer value zero
10808 is returned. Otherwise the converter returns the cumulated amount of server-
10809 to-client data associated with the input sample in the designated table,
10810 measured in kilobytes. The test is currently performed on 32-bit integers,
10811 which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
10812 keyword.
10813
10814table_server_id(<table>)
10815 Uses the string representation of the input sample to perform a look up in
10816 the specified table. If the key is not found in the table, integer value zero
10817 is returned. Otherwise the converter returns the server ID associated with
10818 the input sample in the designated table. A server ID is associated to a
10819 sample by a "stick" rule when a connection to a server succeeds. A server ID
10820 zero means that no server is associated with this key.
10821
10822table_sess_cnt(<table>)
10823 Uses the string representation of the input sample to perform a look up in
10824 the specified table. If the key is not found in the table, integer value zero
10825 is returned. Otherwise the converter returns the cumulated amount of incoming
10826 sessions associated with the input sample in the designated table. Note that
10827 a session here refers to an incoming connection being accepted by the
10828 "tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
10829 keyword.
10830
10831table_sess_rate(<table>)
10832 Uses the string representation of the input sample to perform a look up in
10833 the specified table. If the key is not found in the table, integer value zero
10834 is returned. Otherwise the converter returns the average incoming session
10835 rate associated with the input sample in the designated table. Note that a
10836 session here refers to an incoming connection being accepted by the
10837 "tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
10838 keyword.
10839
10840table_trackers(<table>)
10841 Uses the string representation of the input sample to perform a look up in
10842 the specified table. If the key is not found in the table, integer value zero
10843 is returned. Otherwise the converter returns the current amount of concurrent
10844 connections tracking the same key as the input sample in the designated
10845 table. It differs from table_conn_cur in that it does not rely on any stored
10846 information but on the table's reference count (the "use" value which is
10847 returned by "show table" on the CLI). This may sometimes be more suited for
10848 layer7 tracking. It can be used to tell a server how many concurrent
10849 connections there are from a given address for example. See also the
10850 sc_trackers sample fetch keyword.
10851
Willy Tarreauffcb2e42014-07-10 16:29:08 +020010852upper
10853 Convert a string sample to upper case. This can only be placed after a string
10854 sample fetch function or after a transformation keyword returning a string
10855 type. The result is of type string.
10856
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020010857utime(<format>[,<offset>])
10858 Converts an integer supposed to contain a date since epoch to a string
10859 representing this date in UTC time using a format defined by the <format>
10860 string using strftime(3). The purpose is to allow any date format to be used
10861 in logs. An optional <offset> in seconds may be applied to the input date
10862 (positive or negative). See the strftime() man page for the format supported
10863 by your operating system. See also the ltime converter.
10864
10865 Example :
10866
10867 # Emit two colons, one with the UTC time and another with ip:port
10868 # Eg: 20140710162350 127.0.0.1:57325
10869 log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp
10870
Emeric Brunc9a0f6d2014-11-25 14:09:01 +010010871word(<index>,<delimiters>)
10872 Extracts the nth word considering given delimiters from an input string.
10873 Indexes start at 1 and delimiters are a string formatted list of chars.
10874
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010875wt6([<avalanche>])
10876 Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
10877 hash function. Optionally, it is possible to apply a full avalanche hash
10878 function to the output if the optional <avalanche> argument equals 1. This
10879 converter uses the same functions as used by the various hash-based load
10880 balancing algorithms, so it will provide exactly the same results. It is
10881 mostly intended for debugging, but can be used as a stick-table entry to
10882 collect rough statistics. It must not be used for security purposes as a
Willy Tarreau80599772015-01-20 19:35:24 +010010883 32-bit hash is trivial to break. See also "crc32", "djb2", "sdbm", and the
10884 "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020010885
Willy Tarreau97707872015-01-27 15:12:13 +010010886xor(<value>)
10887 Performs a bitwise "XOR" (exclusive OR) between <value> and the input value
10888 of type unsigned integer, and returns the result as an unsigned integer.
10889
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010890
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200108917.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +020010892--------------------------------------------
10893
10894A first set of sample fetch methods applies to internal information which does
10895not even relate to any client information. These ones are sometimes used with
10896"monitor-fail" directives to report an internal status to external watchers.
10897The sample fetch methods described in this section are usable anywhere.
10898
10899always_false : boolean
10900 Always returns the boolean "false" value. It may be used with ACLs as a
10901 temporary replacement for another one when adjusting configurations.
10902
10903always_true : boolean
10904 Always returns the boolean "true" value. It may be used with ACLs as a
10905 temporary replacement for another one when adjusting configurations.
10906
10907avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010010908 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +020010909 divided by the number of active servers. The current backend is used if no
10910 backend is specified. This is very similar to "queue" except that the size of
10911 the farm is considered, in order to give a more accurate measurement of the
10912 time it may take for a new connection to be processed. The main usage is with
10913 ACL to return a sorry page to new users when it becomes certain they will get
10914 a degraded service, or to pass to the backend servers in a header so that
10915 they decide to work in degraded mode or to disable some functions to speed up
10916 the processing a bit. Note that in the event there would not be any active
10917 server anymore, twice the number of queued connections would be considered as
10918 the measured value. This is a fair estimate, as we expect one server to get
10919 back soon anyway, but we still prefer to send new traffic to another backend
10920 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
10921 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010010922
Willy Tarreau74ca5042013-06-11 23:12:07 +020010923be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020010924 Applies to the number of currently established connections on the backend,
10925 possibly including the connection being evaluated. If no backend name is
10926 specified, the current one is used. But it is also possible to check another
10927 backend. It can be used to use a specific farm when the nominal one is full.
10928 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010929
Willy Tarreau74ca5042013-06-11 23:12:07 +020010930be_sess_rate([<backend>]) : integer
10931 Returns an integer value corresponding to the sessions creation rate on the
10932 backend, in number of new sessions per second. This is used with ACLs to
10933 switch to an alternate backend when an expensive or fragile one reaches too
10934 high a session rate, or to limit abuse of service (eg. prevent sucking of an
10935 online dictionary). It can also be useful to add this element to logs using a
10936 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010937
10938 Example :
10939 # Redirect to an error page if the dictionary is requested too often
10940 backend dynamic
10941 mode http
10942 acl being_scanned be_sess_rate gt 100
10943 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010010944
Willy Tarreau74ca5042013-06-11 23:12:07 +020010945connslots([<backend>]) : integer
10946 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010947 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020010948 connections on all servers and the maximum queue size. This is probably only
10949 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050010950
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010951 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020010952 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010953 usage; see "use_backend" keyword) can be redirected to a different backend.
10954
Willy Tarreau55165fe2009-05-10 12:02:55 +020010955 'connslots' = number of available server connection slots, + number of
10956 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010957
Willy Tarreaua36af912009-10-10 12:02:45 +020010958 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020010959 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020010960 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020010961 you want to be able to differentiate between different backends, and their
10962 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020010963 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020010964 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010965
Willy Tarreau55165fe2009-05-10 12:02:55 +020010966 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
10967 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020010968 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020010969 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010970
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010971date([<offset>]) : integer
10972 Returns the current date as the epoch (number of seconds since 01/01/1970).
10973 If an offset value is specified, then it is a number of seconds that is added
10974 to the current date before returning the value. This is particularly useful
10975 to compute relative dates, as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020010976 It is useful combined with the http_date converter.
10977
10978 Example :
10979
10980 # set an expires header to now+1 hour in every response
10981 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010982
Willy Tarreau595ec542013-06-12 21:34:28 +020010983env(<name>) : string
10984 Returns a string containing the value of environment variable <name>. As a
10985 reminder, environment variables are per-process and are sampled when the
10986 process starts. This can be useful to pass some information to a next hop
10987 server, or with ACLs to take specific action when the process is started a
10988 certain way.
10989
10990 Examples :
10991 # Pass the Via header to next hop with the local hostname in it
10992 http-request add-header Via 1.1\ %[env(HOSTNAME)]
10993
10994 # reject cookie-less requests when the STOP environment variable is set
10995 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
10996
Willy Tarreau74ca5042013-06-11 23:12:07 +020010997fe_conn([<frontend>]) : integer
10998 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010010999 possibly including the connection being evaluated. If no frontend name is
11000 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020011001 frontend. It can be used to return a sorry page before hard-blocking, or to
11002 use a specific backend to drain new requests when the farm is considered
11003 full. This is mostly used with ACLs but can also be used to pass some
11004 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
11005 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020011006
Willy Tarreau74ca5042013-06-11 23:12:07 +020011007fe_sess_rate([<frontend>]) : integer
11008 Returns an integer value corresponding to the sessions creation rate on the
11009 frontend, in number of new sessions per second. This is used with ACLs to
11010 limit the incoming session rate to an acceptable range in order to prevent
11011 abuse of service at the earliest moment, for example when combined with other
11012 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
11013 down below the limit. It can also be useful to add this element to logs using
11014 a log-format directive. See also the "rate-limit sessions" directive for use
11015 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011016
11017 Example :
11018 # This frontend limits incoming mails to 10/s with a max of 100
11019 # concurrent connections. We accept any connection below 10/s, and
11020 # force excess clients to wait for 100 ms. Since clients are limited to
11021 # 100 max, there cannot be more than 10 incoming mails per second.
11022 frontend mail
11023 bind :25
11024 mode tcp
11025 maxconn 100
11026 acl too_fast fe_sess_rate ge 10
11027 tcp-request inspect-delay 100ms
11028 tcp-request content accept if ! too_fast
11029 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010011030
Willy Tarreau0f30d262014-11-24 16:02:05 +010011031nbproc : integer
11032 Returns an integer value corresponding to the number of processes that were
11033 started (it equals the global "nbproc" setting). This is useful for logging
11034 and debugging purposes.
11035
Willy Tarreau74ca5042013-06-11 23:12:07 +020011036nbsrv([<backend>]) : integer
11037 Returns an integer value corresponding to the number of usable servers of
11038 either the current backend or the named backend. This is mostly used with
11039 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010011040 switch to an alternate backend when the number of servers is too low to
11041 to handle some load. It is useful to report a failure when combined with
11042 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011043
Willy Tarreau0f30d262014-11-24 16:02:05 +010011044proc : integer
11045 Returns an integer value corresponding to the position of the process calling
11046 the function, between 1 and global.nbproc. This is useful for logging and
11047 debugging purposes.
11048
Willy Tarreau74ca5042013-06-11 23:12:07 +020011049queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010011050 Returns the total number of queued connections of the designated backend,
11051 including all the connections in server queues. If no backend name is
11052 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020011053 one. This is useful with ACLs or to pass statistics to backend servers. This
11054 can be used to take actions when queuing goes above a known level, generally
11055 indicating a surge of traffic or a massive slowdown on the servers. One
11056 possible action could be to reject new users but still accept old ones. See
11057 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
11058
Willy Tarreau84310e22014-02-14 11:59:04 +010011059rand([<range>]) : integer
11060 Returns a random integer value within a range of <range> possible values,
11061 starting at zero. If the range is not specified, it defaults to 2^32, which
11062 gives numbers between 0 and 4294967295. It can be useful to pass some values
11063 needed to take some routing decisions for example, or just for debugging
11064 purposes. This random must not be used for security purposes.
11065
Willy Tarreau74ca5042013-06-11 23:12:07 +020011066srv_conn([<backend>/]<server>) : integer
11067 Returns an integer value corresponding to the number of currently established
11068 connections on the designated server, possibly including the connection being
11069 evaluated. If <backend> is omitted, then the server is looked up in the
11070 current backend. It can be used to use a specific farm when one server is
11071 full, or to inform the server about our view of the number of active
11072 connections with it. See also the "fe_conn", "be_conn" and "queue" fetch
11073 methods.
11074
11075srv_is_up([<backend>/]<server>) : boolean
11076 Returns true when the designated server is UP, and false when it is either
11077 DOWN or in maintenance mode. If <backend> is omitted, then the server is
11078 looked up in the current backend. It is mainly used to take action based on
11079 an external status reported via a health check (eg: a geographical site's
11080 availability). Another possible use which is more of a hack consists in
11081 using dummy servers as boolean variables that can be enabled or disabled from
11082 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
11083
11084srv_sess_rate([<backend>/]<server>) : integer
11085 Returns an integer corresponding to the sessions creation rate on the
11086 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011087 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020011088 used with ACLs but can make sense with logs too. This is used to switch to an
11089 alternate backend when an expensive or fragile one reaches too high a session
11090 rate, or to limit abuse of service (eg. prevent latent requests from
11091 overloading servers).
11092
11093 Example :
11094 # Redirect to a separate back
11095 acl srv1_full srv_sess_rate(be1/srv1) gt 50
11096 acl srv2_full srv_sess_rate(be1/srv2) gt 50
11097 use_backend be2 if srv1_full or srv2_full
11098
Willy Tarreau0f30d262014-11-24 16:02:05 +010011099stopping : boolean
11100 Returns TRUE if the process calling the function is currently stopping. This
11101 can be useful for logging, or for relaxing certain checks or helping close
11102 certain connections upon graceful shutdown.
11103
Willy Tarreau74ca5042013-06-11 23:12:07 +020011104table_avl([<table>]) : integer
11105 Returns the total number of available entries in the current proxy's
11106 stick-table or in the designated stick-table. See also table_cnt.
11107
11108table_cnt([<table>]) : integer
11109 Returns the total number of entries currently in use in the current proxy's
11110 stick-table or in the designated stick-table. See also src_conn_cnt and
11111 table_avl for other entry counting methods.
11112
11113
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200111147.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020011115----------------------------------
11116
11117The layer 4 usually describes just the transport layer which in haproxy is
11118closest to the connection, where no content is yet made available. The fetch
11119methods described here are usable as low as the "tcp-request connection" rule
11120sets unless they require some future information. Those generally include
11121TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011122the incoming connection. For retrieving a value from a sticky counters, the
11123counter number can be explicitly set as 0, 1, or 2 using the pre-defined
11124"sc0_", "sc1_", or "sc2_" prefix, or it can be specified as the first integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011125argument when using the "sc_" prefix. An optional table may be specified with
11126the "sc*" form, in which case the currently tracked key will be looked up into
11127this alternate table instead of the table currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011128
11129be_id : integer
11130 Returns an integer containing the current backend's id. It can be used in
11131 frontends with responses to check which backend processed the request.
11132
11133dst : ip
11134 This is the destination IPv4 address of the connection on the client side,
11135 which is the address the client connected to. It can be useful when running
11136 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
11137 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
11138 RFC 4291.
11139
11140dst_conn : integer
11141 Returns an integer value corresponding to the number of currently established
11142 connections on the same socket including the one being evaluated. It is
11143 normally used with ACLs but can as well be used to pass the information to
11144 servers in an HTTP header or in logs. It can be used to either return a sorry
11145 page before hard-blocking, or to use a specific backend to drain new requests
11146 when the socket is considered saturated. This offers the ability to assign
11147 different limits to different listening ports or addresses. See also the
11148 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011149
Willy Tarreau74ca5042013-06-11 23:12:07 +020011150dst_port : integer
11151 Returns an integer value corresponding to the destination TCP port of the
11152 connection on the client side, which is the port the client connected to.
11153 This might be used when running in transparent mode, when assigning dynamic
11154 ports to some clients for a whole application session, to stick all users to
11155 a same server, or to pass the destination port information to a server using
11156 an HTTP header.
11157
11158fe_id : integer
11159 Returns an integer containing the current frontend's id. It can be used in
11160 backends to check from which backend it was called, or to stick all users
11161 coming via a same frontend to the same server.
11162
Cyril Bonté62ba8702014-04-22 23:52:25 +020011163sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011164sc0_bytes_in_rate([<table>]) : integer
11165sc1_bytes_in_rate([<table>]) : integer
11166sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011167 Returns the average client-to-server bytes rate from the currently tracked
11168 counters, measured in amount of bytes over the period configured in the
11169 table. See also src_bytes_in_rate.
11170
Cyril Bonté62ba8702014-04-22 23:52:25 +020011171sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011172sc0_bytes_out_rate([<table>]) : integer
11173sc1_bytes_out_rate([<table>]) : integer
11174sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011175 Returns the average server-to-client bytes rate from the currently tracked
11176 counters, measured in amount of bytes over the period configured in the
11177 table. See also src_bytes_out_rate.
11178
Cyril Bonté62ba8702014-04-22 23:52:25 +020011179sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011180sc0_clr_gpc0([<table>]) : integer
11181sc1_clr_gpc0([<table>]) : integer
11182sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020011183 Clears the first General Purpose Counter associated to the currently tracked
11184 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010011185 stored value is zero, so first invocation will always return zero. This is
11186 typically used as a second ACL in an expression in order to mark a connection
11187 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020011188
11189 # block if 5 consecutive requests continue to come faster than 10 sess
11190 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011191 acl abuse sc0_http_req_rate gt 10
11192 acl kill sc0_inc_gpc0 gt 5
11193 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020011194 tcp-request connection accept if !abuse save
11195 tcp-request connection reject if abuse kill
11196
Cyril Bonté62ba8702014-04-22 23:52:25 +020011197sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011198sc0_conn_cnt([<table>]) : integer
11199sc1_conn_cnt([<table>]) : integer
11200sc2_conn_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011201 Returns the cumulated number of incoming connections from currently tracked
11202 counters. See also src_conn_cnt.
11203
Cyril Bonté62ba8702014-04-22 23:52:25 +020011204sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011205sc0_conn_cur([<table>]) : integer
11206sc1_conn_cur([<table>]) : integer
11207sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011208 Returns the current amount of concurrent connections tracking the same
11209 tracked counters. This number is automatically incremented when tracking
11210 begins and decremented when tracking stops. See also src_conn_cur.
11211
Cyril Bonté62ba8702014-04-22 23:52:25 +020011212sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011213sc0_conn_rate([<table>]) : integer
11214sc1_conn_rate([<table>]) : integer
11215sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011216 Returns the average connection rate from the currently tracked counters,
11217 measured in amount of connections over the period configured in the table.
11218 See also src_conn_rate.
11219
Cyril Bonté62ba8702014-04-22 23:52:25 +020011220sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011221sc0_get_gpc0([<table>]) : integer
11222sc1_get_gpc0([<table>]) : integer
11223sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011224 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011225 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011226
Cyril Bonté62ba8702014-04-22 23:52:25 +020011227sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011228sc0_gpc0_rate([<table>]) : integer
11229sc1_gpc0_rate([<table>]) : integer
11230sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011231 Returns the average increment rate of the first General Purpose Counter
11232 associated to the currently tracked counters. It reports the frequency
11233 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011234 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
11235 that the "gpc0_rate" counter must be stored in the stick-table for a value to
11236 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020011237
Cyril Bonté62ba8702014-04-22 23:52:25 +020011238sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011239sc0_http_err_cnt([<table>]) : integer
11240sc1_http_err_cnt([<table>]) : integer
11241sc2_http_err_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011242 Returns the cumulated number of HTTP errors from the currently tracked
11243 counters. This includes the both request errors and 4xx error responses.
11244 See also src_http_err_cnt.
11245
Cyril Bonté62ba8702014-04-22 23:52:25 +020011246sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011247sc0_http_err_rate([<table>]) : integer
11248sc1_http_err_rate([<table>]) : integer
11249sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011250 Returns the average rate of HTTP errors from the currently tracked counters,
11251 measured in amount of errors over the period configured in the table. This
11252 includes the both request errors and 4xx error responses. See also
11253 src_http_err_rate.
11254
Cyril Bonté62ba8702014-04-22 23:52:25 +020011255sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011256sc0_http_req_cnt([<table>]) : integer
11257sc1_http_req_cnt([<table>]) : integer
11258sc2_http_req_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011259 Returns the cumulated number of HTTP requests from the currently tracked
11260 counters. This includes every started request, valid or not. See also
11261 src_http_req_cnt.
11262
Cyril Bonté62ba8702014-04-22 23:52:25 +020011263sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011264sc0_http_req_rate([<table>]) : integer
11265sc1_http_req_rate([<table>]) : integer
11266sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011267 Returns the average rate of HTTP requests from the currently tracked
11268 counters, measured in amount of requests over the period configured in
11269 the table. This includes every started request, valid or not. See also
11270 src_http_req_rate.
11271
Cyril Bonté62ba8702014-04-22 23:52:25 +020011272sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011273sc0_inc_gpc0([<table>]) : integer
11274sc1_inc_gpc0([<table>]) : integer
11275sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011276 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010011277 tracked counters, and returns its new value. Before the first invocation,
11278 the stored value is zero, so first invocation will increase it to 1 and will
11279 return 1. This is typically used as a second ACL in an expression in order
11280 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020011281
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011282 acl abuse sc0_http_req_rate gt 10
11283 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020011284 tcp-request connection reject if abuse kill
11285
Cyril Bonté62ba8702014-04-22 23:52:25 +020011286sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011287sc0_kbytes_in([<table>]) : integer
11288sc1_kbytes_in([<table>]) : integer
11289sc2_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011290 Returns the total amount of client-to-server data from the currently tracked
11291 counters, measured in kilobytes. The test is currently performed on 32-bit
11292 integers, which limits values to 4 terabytes. See also src_kbytes_in.
Willy Tarreaue9656522010-08-17 15:40:09 +020011293
Cyril Bonté62ba8702014-04-22 23:52:25 +020011294sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011295sc0_kbytes_out([<table>]) : integer
11296sc1_kbytes_out([<table>]) : integer
11297sc2_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011298 Returns the total amount of server-to-client data from the currently tracked
11299 counters, measured in kilobytes. The test is currently performed on 32-bit
11300 integers, which limits values to 4 terabytes. See also src_kbytes_out.
Willy Tarreaue9656522010-08-17 15:40:09 +020011301
Cyril Bonté62ba8702014-04-22 23:52:25 +020011302sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011303sc0_sess_cnt([<table>]) : integer
11304sc1_sess_cnt([<table>]) : integer
11305sc2_sess_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011306 Returns the cumulated number of incoming connections that were transformed
11307 into sessions, which means that they were accepted by a "tcp-request
11308 connection" rule, from the currently tracked counters. A backend may count
11309 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040011310 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020011311 with the client. See also src_sess_cnt.
11312
Cyril Bonté62ba8702014-04-22 23:52:25 +020011313sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011314sc0_sess_rate([<table>]) : integer
11315sc1_sess_rate([<table>]) : integer
11316sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020011317 Returns the average session rate from the currently tracked counters,
11318 measured in amount of sessions over the period configured in the table. A
11319 session is a connection that got past the early "tcp-request connection"
11320 rules. A backend may count more sessions than connections because each
11321 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040011322 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020011323
Cyril Bonté62ba8702014-04-22 23:52:25 +020011324sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020011325sc0_tracked([<table>]) : boolean
11326sc1_tracked([<table>]) : boolean
11327sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020011328 Returns true if the designated session counter is currently being tracked by
11329 the current session. This can be useful when deciding whether or not we want
11330 to set some values in a header passed to the server.
11331
Cyril Bonté62ba8702014-04-22 23:52:25 +020011332sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020011333sc0_trackers([<table>]) : integer
11334sc1_trackers([<table>]) : integer
11335sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010011336 Returns the current amount of concurrent connections tracking the same
11337 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011338 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010011339 that it does not rely on any stored information but on the table's reference
11340 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020011341 may sometimes be more suited for layer7 tracking. It can be used to tell a
11342 server how many concurrent connections there are from a given address for
11343 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010011344
Willy Tarreau74ca5042013-06-11 23:12:07 +020011345so_id : integer
11346 Returns an integer containing the current listening socket's id. It is useful
11347 in frontends involving many "bind" lines, or to stick all users coming via a
11348 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011349
Willy Tarreau74ca5042013-06-11 23:12:07 +020011350src : ip
11351 This is the source IPv4 address of the client of the session. It is of type
11352 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
11353 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
11354 TCP-level source address which is used, and not the address of a client
11355 behind a proxy. However if the "accept-proxy" bind directive is used, it can
11356 be the address of a client behind another PROXY-protocol compatible component
11357 for all rule sets except "tcp-request connection" which sees the real address.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011358
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010011359 Example:
11360 # add an HTTP header in requests with the originating address' country
11361 http-request set-header X-Country %[src,map_ip(geoip.lst)]
11362
Willy Tarreau74ca5042013-06-11 23:12:07 +020011363src_bytes_in_rate([<table>]) : integer
11364 Returns the average bytes rate from the incoming connection's source address
11365 in the current proxy's stick-table or in the designated stick-table, measured
11366 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011367 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011368
Willy Tarreau74ca5042013-06-11 23:12:07 +020011369src_bytes_out_rate([<table>]) : integer
11370 Returns the average bytes rate to the incoming connection's source address in
11371 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020011372 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011373 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011374
Willy Tarreau74ca5042013-06-11 23:12:07 +020011375src_clr_gpc0([<table>]) : integer
11376 Clears the first General Purpose Counter associated to the incoming
11377 connection's source address in the current proxy's stick-table or in the
11378 designated stick-table, and returns its previous value. If the address is not
11379 found, an entry is created and 0 is returned. This is typically used as a
11380 second ACL in an expression in order to mark a connection when a first ACL
11381 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020011382
11383 # block if 5 consecutive requests continue to come faster than 10 sess
11384 # per second, and reset the counter as soon as the traffic slows down.
11385 acl abuse src_http_req_rate gt 10
11386 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010011387 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020011388 tcp-request connection accept if !abuse save
11389 tcp-request connection reject if abuse kill
11390
Willy Tarreau74ca5042013-06-11 23:12:07 +020011391src_conn_cnt([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020011392 Returns the cumulated number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020011393 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020011394 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011395 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011396
Willy Tarreau74ca5042013-06-11 23:12:07 +020011397src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020011398 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020011399 current incoming connection's source address in the current proxy's
11400 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011401 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011402
Willy Tarreau74ca5042013-06-11 23:12:07 +020011403src_conn_rate([<table>]) : integer
11404 Returns the average connection rate from the incoming connection's source
11405 address in the current proxy's stick-table or in the designated stick-table,
11406 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011407 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011408
Willy Tarreau74ca5042013-06-11 23:12:07 +020011409src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020011410 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020011411 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020011412 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011413 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011414
Willy Tarreau74ca5042013-06-11 23:12:07 +020011415src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011416 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020011417 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011418 stick-table or in the designated stick-table. It reports the frequency
11419 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011420 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
11421 that the "gpc0_rate" counter must be stored in the stick-table for a value to
11422 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011423
Willy Tarreau74ca5042013-06-11 23:12:07 +020011424src_http_err_cnt([<table>]) : integer
11425 Returns the cumulated number of HTTP errors from the incoming connection's
11426 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020011427 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011428 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020011429 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011430
Willy Tarreau74ca5042013-06-11 23:12:07 +020011431src_http_err_rate([<table>]) : integer
11432 Returns the average rate of HTTP errors from the incoming connection's source
11433 address in the current proxy's stick-table or in the designated stick-table,
11434 measured in amount of errors over the period configured in the table. This
11435 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011436 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011437
Willy Tarreau74ca5042013-06-11 23:12:07 +020011438src_http_req_cnt([<table>]) : integer
11439 Returns the cumulated number of HTTP requests from the incoming connection's
11440 source address in the current proxy's stick-table or in the designated stick-
11441 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011442 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011443
Willy Tarreau74ca5042013-06-11 23:12:07 +020011444src_http_req_rate([<table>]) : integer
11445 Returns the average rate of HTTP requests from the incoming connection's
11446 source address in the current proxy's stick-table or in the designated stick-
11447 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020011448 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011449 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011450
Willy Tarreau74ca5042013-06-11 23:12:07 +020011451src_inc_gpc0([<table>]) : integer
11452 Increments the first General Purpose Counter associated to the incoming
11453 connection's source address in the current proxy's stick-table or in the
11454 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011455 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011456 This is typically used as a second ACL in an expression in order to mark a
11457 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020011458
11459 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010011460 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020011461 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020011462
Willy Tarreau74ca5042013-06-11 23:12:07 +020011463src_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011464 Returns the total amount of data received from the incoming connection's
11465 source address in the current proxy's stick-table or in the designated
11466 stick-table, measured in kilobytes. If the address is not found, zero is
11467 returned. The test is currently performed on 32-bit integers, which limits
11468 values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011469
Willy Tarreau74ca5042013-06-11 23:12:07 +020011470src_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020011471 Returns the total amount of data sent to the incoming connection's source
11472 address in the current proxy's stick-table or in the designated stick-table,
11473 measured in kilobytes. If the address is not found, zero is returned. The
11474 test is currently performed on 32-bit integers, which limits values to 4
11475 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011476
Willy Tarreau74ca5042013-06-11 23:12:07 +020011477src_port : integer
11478 Returns an integer value corresponding to the TCP source port of the
11479 connection on the client side, which is the port the client connected from.
11480 Usage of this function is very limited as modern protocols do not care much
11481 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010011482
Willy Tarreau74ca5042013-06-11 23:12:07 +020011483src_sess_cnt([<table>]) : integer
11484 Returns the cumulated number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020011485 connection's source IPv4 address in the current proxy's stick-table or in the
11486 designated stick-table, that were transformed into sessions, which means that
11487 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011488 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011489
Willy Tarreau74ca5042013-06-11 23:12:07 +020011490src_sess_rate([<table>]) : integer
11491 Returns the average session rate from the incoming connection's source
11492 address in the current proxy's stick-table or in the designated stick-table,
11493 measured in amount of sessions over the period configured in the table. A
11494 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020011495 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011496
Willy Tarreau74ca5042013-06-11 23:12:07 +020011497src_updt_conn_cnt([<table>]) : integer
11498 Creates or updates the entry associated to the incoming connection's source
11499 address in the current proxy's stick-table or in the designated stick-table.
11500 This table must be configured to store the "conn_cnt" data type, otherwise
11501 the match will be ignored. The current count is incremented by one, and the
11502 expiration timer refreshed. The updated count is returned, so this match
11503 can't return zero. This was used to reject service abusers based on their
11504 source address. Note: it is recommended to use the more complete "track-sc*"
11505 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011506
11507 Example :
11508 # This frontend limits incoming SSH connections to 3 per 10 second for
11509 # each source address, and rejects excess connections until a 10 second
11510 # silence is observed. At most 20 addresses are tracked.
11511 listen ssh
11512 bind :22
11513 mode tcp
11514 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020011515 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020011516 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020011517 server local 127.0.0.1:22
11518
Willy Tarreau74ca5042013-06-11 23:12:07 +020011519srv_id : integer
11520 Returns an integer containing the server's id when processing the response.
11521 While it's almost only used with ACLs, it may be used for logging or
11522 debugging.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020011523
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +010011524
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200115257.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020011526----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020011527
Willy Tarreau74ca5042013-06-11 23:12:07 +020011528The layer 5 usually describes just the session layer which in haproxy is
11529closest to the session once all the connection handshakes are finished, but
11530when no content is yet made available. The fetch methods described here are
11531usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011532future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020011533
Emeric Brun645ae792014-04-30 14:21:06 +020011534ssl_bc : boolean
11535 Returns true when the back connection was made via an SSL/TLS transport
11536 layer and is locally deciphered. This means the outgoing connection was made
11537 other a server with the "ssl" option.
11538
11539ssl_bc_alg_keysize : integer
11540 Returns the symmetric cipher key size supported in bits when the outgoing
11541 connection was made over an SSL/TLS transport layer.
11542
11543ssl_bc_cipher : string
11544 Returns the name of the used cipher when the outgoing connection was made
11545 over an SSL/TLS transport layer.
11546
11547ssl_bc_protocol : string
11548 Returns the name of the used protocol when the outgoing connection was made
11549 over an SSL/TLS transport layer.
11550
Emeric Brunb73a9b02014-04-30 18:49:19 +020011551ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020011552 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020011553 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
11554 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
Emeric Brun645ae792014-04-30 14:21:06 +020011555
11556ssl_bc_session_id : binary
11557 Returns the SSL ID of the back connection when the outgoing connection was
11558 made over an SSL/TLS transport layer. It is useful to log if we want to know
11559 if session was reused or not.
11560
11561ssl_bc_use_keysize : integer
11562 Returns the symmetric cipher key size used in bits when the outgoing
11563 connection was made over an SSL/TLS transport layer.
11564
Willy Tarreau74ca5042013-06-11 23:12:07 +020011565ssl_c_ca_err : integer
11566 When the incoming connection was made over an SSL/TLS transport layer,
11567 returns the ID of the first error detected during verification of the client
11568 certificate at depth > 0, or 0 if no error was encountered during this
11569 verification process. Please refer to your SSL library's documentation to
11570 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020011571
Willy Tarreau74ca5042013-06-11 23:12:07 +020011572ssl_c_ca_err_depth : integer
11573 When the incoming connection was made over an SSL/TLS transport layer,
11574 returns the depth in the CA chain of the first error detected during the
11575 verification of the client certificate. If no error is encountered, 0 is
11576 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010011577
Emeric Brun43e79582014-10-29 19:03:26 +010011578ssl_c_der : binary
11579 Returns the DER formatted certificate presented by the client when the
11580 incoming connection was made over an SSL/TLS transport layer. When used for
11581 an ACL, the value(s) to match against can be passed in hexadecimal form.
11582
Willy Tarreau74ca5042013-06-11 23:12:07 +020011583ssl_c_err : integer
11584 When the incoming connection was made over an SSL/TLS transport layer,
11585 returns the ID of the first error detected during verification at depth 0, or
11586 0 if no error was encountered during this verification process. Please refer
11587 to your SSL library's documentation to find the exhaustive list of error
11588 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020011589
Willy Tarreau74ca5042013-06-11 23:12:07 +020011590ssl_c_i_dn([<entry>[,<occ>]]) : string
11591 When the incoming connection was made over an SSL/TLS transport layer,
11592 returns the full distinguished name of the issuer of the certificate
11593 presented by the client when no <entry> is specified, or the value of the
11594 first given entry found from the beginning of the DN. If a positive/negative
11595 occurrence number is specified as the optional second argument, it returns
11596 the value of the nth given entry value from the beginning/end of the DN.
11597 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
11598 "ssl_c_i_dn(CN)" retrieves the common name.
Willy Tarreau62644772008-07-16 18:36:06 +020011599
Willy Tarreau74ca5042013-06-11 23:12:07 +020011600ssl_c_key_alg : string
11601 Returns the name of the algorithm used to generate the key of the certificate
11602 presented by the client when the incoming connection was made over an SSL/TLS
11603 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020011604
Willy Tarreau74ca5042013-06-11 23:12:07 +020011605ssl_c_notafter : string
11606 Returns the end date presented by the client as a formatted string
11607 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11608 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020011609
Willy Tarreau74ca5042013-06-11 23:12:07 +020011610ssl_c_notbefore : string
11611 Returns the start date presented by the client as a formatted string
11612 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11613 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010011614
Willy Tarreau74ca5042013-06-11 23:12:07 +020011615ssl_c_s_dn([<entry>[,<occ>]]) : string
11616 When the incoming connection was made over an SSL/TLS transport layer,
11617 returns the full distinguished name of the subject of the certificate
11618 presented by the client when no <entry> is specified, or the value of the
11619 first given entry found from the beginning of the DN. If a positive/negative
11620 occurrence number is specified as the optional second argument, it returns
11621 the value of the nth given entry value from the beginning/end of the DN.
11622 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
11623 "ssl_c_s_dn(CN)" retrieves the common name.
Willy Tarreaub6672b52011-12-12 17:23:41 +010011624
Willy Tarreau74ca5042013-06-11 23:12:07 +020011625ssl_c_serial : binary
11626 Returns the serial of the certificate presented by the client when the
11627 incoming connection was made over an SSL/TLS transport layer. When used for
11628 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011629
Willy Tarreau74ca5042013-06-11 23:12:07 +020011630ssl_c_sha1 : binary
11631 Returns the SHA-1 fingerprint of the certificate presented by the client when
11632 the incoming connection was made over an SSL/TLS transport layer. This can be
11633 used to stick a client to a server, or to pass this information to a server.
Willy Tarreau2d0caa32014-07-02 19:01:22 +020011634 Note that the output is binary, so if you want to pass that signature to the
11635 server, you need to encode it in hex or base64, such as in the example below:
11636
11637 http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
Emeric Brun2525b6b2012-10-18 15:59:43 +020011638
Willy Tarreau74ca5042013-06-11 23:12:07 +020011639ssl_c_sig_alg : string
11640 Returns the name of the algorithm used to sign the certificate presented by
11641 the client when the incoming connection was made over an SSL/TLS transport
11642 layer.
Emeric Brun87855892012-10-17 17:39:35 +020011643
Willy Tarreau74ca5042013-06-11 23:12:07 +020011644ssl_c_used : boolean
11645 Returns true if current SSL session uses a client certificate even if current
11646 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020011647
Willy Tarreau74ca5042013-06-11 23:12:07 +020011648ssl_c_verify : integer
11649 Returns the verify result error ID when the incoming connection was made over
11650 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
11651 refer to your SSL library's documentation for an exhaustive list of error
11652 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020011653
Willy Tarreau74ca5042013-06-11 23:12:07 +020011654ssl_c_version : integer
11655 Returns the version of the certificate presented by the client when the
11656 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020011657
Emeric Brun43e79582014-10-29 19:03:26 +010011658ssl_f_der : binary
11659 Returns the DER formatted certificate presented by the frontend when the
11660 incoming connection was made over an SSL/TLS transport layer. When used for
11661 an ACL, the value(s) to match against can be passed in hexadecimal form.
11662
Willy Tarreau74ca5042013-06-11 23:12:07 +020011663ssl_f_i_dn([<entry>[,<occ>]]) : string
11664 When the incoming connection was made over an SSL/TLS transport layer,
11665 returns the full distinguished name of the issuer of the certificate
11666 presented by the frontend when no <entry> is specified, or the value of the
11667 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020011668 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020011669 the value of the nth given entry value from the beginning/end of the DN.
11670 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
11671 "ssl_f_i_dn(CN)" retrieves the common name.
Emeric Brun87855892012-10-17 17:39:35 +020011672
Willy Tarreau74ca5042013-06-11 23:12:07 +020011673ssl_f_key_alg : string
11674 Returns the name of the algorithm used to generate the key of the certificate
11675 presented by the frontend when the incoming connection was made over an
11676 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020011677
Willy Tarreau74ca5042013-06-11 23:12:07 +020011678ssl_f_notafter : string
11679 Returns the end date presented by the frontend as a formatted string
11680 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11681 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011682
Willy Tarreau74ca5042013-06-11 23:12:07 +020011683ssl_f_notbefore : string
11684 Returns the start date presented by the frontend as a formatted string
11685 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
11686 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020011687
Willy Tarreau74ca5042013-06-11 23:12:07 +020011688ssl_f_s_dn([<entry>[,<occ>]]) : string
11689 When the incoming connection was made over an SSL/TLS transport layer,
11690 returns the full distinguished name of the subject of the certificate
11691 presented by the frontend when no <entry> is specified, or the value of the
11692 first given entry found from the beginning of the DN. If a positive/negative
11693 occurrence number is specified as the optional second argument, it returns
11694 the value of the nth given entry value from the beginning/end of the DN.
11695 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
11696 "ssl_f_s_dn(CN)" retrieves the common name.
Emeric Brunce5ad802012-10-22 14:11:22 +020011697
Willy Tarreau74ca5042013-06-11 23:12:07 +020011698ssl_f_serial : binary
11699 Returns the serial of the certificate presented by the frontend when the
11700 incoming connection was made over an SSL/TLS transport layer. When used for
11701 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020011702
Emeric Brun55f4fa82014-04-30 17:11:25 +020011703ssl_f_sha1 : binary
11704 Returns the SHA-1 fingerprint of the certificate presented by the frontend
11705 when the incoming connection was made over an SSL/TLS transport layer. This
11706 can be used to know which certificate was chosen using SNI.
11707
Willy Tarreau74ca5042013-06-11 23:12:07 +020011708ssl_f_sig_alg : string
11709 Returns the name of the algorithm used to sign the certificate presented by
11710 the frontend when the incoming connection was made over an SSL/TLS transport
11711 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020011712
Willy Tarreau74ca5042013-06-11 23:12:07 +020011713ssl_f_version : integer
11714 Returns the version of the certificate presented by the frontend when the
11715 incoming connection was made over an SSL/TLS transport layer.
11716
11717ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020011718 Returns true when the front connection was made via an SSL/TLS transport
11719 layer and is locally deciphered. This means it has matched a socket declared
11720 with a "bind" line having the "ssl" option.
11721
Willy Tarreau74ca5042013-06-11 23:12:07 +020011722 Example :
11723 # This passes "X-Proto: https" to servers when client connects over SSL
11724 listen http-https
11725 bind :80
11726 bind :443 ssl crt /etc/haproxy.pem
11727 http-request add-header X-Proto https if { ssl_fc }
11728
11729ssl_fc_alg_keysize : integer
11730 Returns the symmetric cipher key size supported in bits when the incoming
11731 connection was made over an SSL/TLS transport layer.
11732
11733ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011734 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020011735 incoming connection made via a TLS transport layer and locally deciphered by
11736 haproxy. The result is a string containing the protocol name advertised by
11737 the client. The SSL library must have been built with support for TLS
11738 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
11739 not advertised unless the "alpn" keyword on the "bind" line specifies a
11740 protocol list. Also, nothing forces the client to pick a protocol from this
11741 list, any other one may be requested. The TLS ALPN extension is meant to
11742 replace the TLS NPN extension. See also "ssl_fc_npn".
11743
Willy Tarreau74ca5042013-06-11 23:12:07 +020011744ssl_fc_cipher : string
11745 Returns the name of the used cipher when the incoming connection was made
11746 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020011747
Willy Tarreau74ca5042013-06-11 23:12:07 +020011748ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020011749 Returns true if a client certificate is present in an incoming connection over
11750 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010011751 Note: on SSL session resumption with Session ID or TLS ticket, client
11752 certificate is not present in the current connection but may be retrieved
11753 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
11754 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020011755
Willy Tarreau74ca5042013-06-11 23:12:07 +020011756ssl_fc_has_sni : boolean
11757 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020011758 in an incoming connection was made over an SSL/TLS transport layer. Returns
11759 true when the incoming connection presents a TLS SNI field. This requires
11760 that the SSL library is build with support for TLS extensions enabled (check
11761 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020011762
Willy Tarreau74ca5042013-06-11 23:12:07 +020011763ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011764 This extracts the Next Protocol Negotiation field from an incoming connection
Willy Tarreau74ca5042013-06-11 23:12:07 +020011765 made via a TLS transport layer and locally deciphered by haproxy. The result
11766 is a string containing the protocol name advertised by the client. The SSL
11767 library must have been built with support for TLS extensions enabled (check
11768 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
11769 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
11770 forces the client to pick a protocol from this list, any other one may be
11771 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020011772
Willy Tarreau74ca5042013-06-11 23:12:07 +020011773ssl_fc_protocol : string
11774 Returns the name of the used protocol when the incoming connection was made
11775 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020011776
Emeric Brunb73a9b02014-04-30 18:49:19 +020011777ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040011778 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020011779 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
11780 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040011781
Willy Tarreau74ca5042013-06-11 23:12:07 +020011782ssl_fc_session_id : binary
11783 Returns the SSL ID of the front connection when the incoming connection was
11784 made over an SSL/TLS transport layer. It is useful to stick a given client to
11785 a server. It is important to note that some browsers refresh their session ID
11786 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020011787
Willy Tarreau74ca5042013-06-11 23:12:07 +020011788ssl_fc_sni : string
11789 This extracts the Server Name Indication TLS extension (SNI) field from an
11790 incoming connection made via an SSL/TLS transport layer and locally
11791 deciphered by haproxy. The result (when present) typically is a string
11792 matching the HTTPS host name (253 chars or less). The SSL library must have
11793 been built with support for TLS extensions enabled (check haproxy -vv).
11794
11795 This fetch is different from "req_ssl_sni" above in that it applies to the
11796 connection being deciphered by haproxy and not to SSL contents being blindly
11797 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020011798 requires that the SSL library is build with support for TLS extensions
11799 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020011800
Willy Tarreau74ca5042013-06-11 23:12:07 +020011801 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020011802 ssl_fc_sni_end : suffix match
11803 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020011804
Willy Tarreau74ca5042013-06-11 23:12:07 +020011805ssl_fc_use_keysize : integer
11806 Returns the symmetric cipher key size used in bits when the incoming
11807 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011808
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011809
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200118107.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020011811------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020011812
Willy Tarreau74ca5042013-06-11 23:12:07 +020011813Fetching samples from buffer contents is a bit different from the previous
11814sample fetches above because the sampled data are ephemeral. These data can
11815only be used when they're available and will be lost when they're forwarded.
11816For this reason, samples fetched from buffer contents during a request cannot
11817be used in a response for example. Even while the data are being fetched, they
11818can change. Sometimes it is necessary to set some delays or combine multiple
11819sample fetch methods to ensure that the expected data are complete and usable,
11820for example through TCP request content inspection. Please see the "tcp-request
11821content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020011822
Willy Tarreau74ca5042013-06-11 23:12:07 +020011823payload(<offset>,<length>) : binary (deprecated)
11824 This is an alias for "req.payload" when used in the context of a request (eg:
11825 "stick on", "stick match"), and for "res.payload" when used in the context of
11826 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011827
Willy Tarreau74ca5042013-06-11 23:12:07 +020011828payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
11829 This is an alias for "req.payload_lv" when used in the context of a request
11830 (eg: "stick on", "stick match"), and for "res.payload_lv" when used in the
11831 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010011832
Willy Tarreau74ca5042013-06-11 23:12:07 +020011833req.len : integer
11834req_len : integer (deprecated)
11835 Returns an integer value corresponding to the number of bytes present in the
11836 request buffer. This is mostly used in ACL. It is important to understand
11837 that this test does not return false as long as the buffer is changing. This
11838 means that a check with equality to zero will almost always immediately match
11839 at the beginning of the session, while a test for more data will wait for
11840 that data to come in and return false only when haproxy is certain that no
11841 more data will come in. This test was designed to be used with TCP request
11842 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011843
Willy Tarreau74ca5042013-06-11 23:12:07 +020011844req.payload(<offset>,<length>) : binary
11845 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020011846 in the request buffer. As a special case, if the <length> argument is zero,
11847 the the whole buffer from <offset> to the end is extracted. This can be used
11848 with ACLs in order to check for the presence of some content in a buffer at
11849 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011850
Willy Tarreau74ca5042013-06-11 23:12:07 +020011851 ACL alternatives :
11852 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011853
Willy Tarreau74ca5042013-06-11 23:12:07 +020011854req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
11855 This extracts a binary block whose size is specified at <offset1> for <length>
11856 bytes, and which starts at <offset2> if specified or just after the length in
11857 the request buffer. The <offset2> parameter also supports relative offsets if
11858 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011859
Willy Tarreau74ca5042013-06-11 23:12:07 +020011860 ACL alternatives :
11861 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011862
Willy Tarreau74ca5042013-06-11 23:12:07 +020011863 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011864
Willy Tarreau74ca5042013-06-11 23:12:07 +020011865req.proto_http : boolean
11866req_proto_http : boolean (deprecated)
11867 Returns true when data in the request buffer look like HTTP and correctly
11868 parses as such. It is the same parser as the common HTTP request parser which
11869 is used so there should be no surprises. The test does not match until the
11870 request is complete, failed or timed out. This test may be used to report the
11871 protocol in TCP logs, but the biggest use is to block TCP request analysis
11872 until a complete HTTP request is present in the buffer, for example to track
11873 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011874
Willy Tarreau74ca5042013-06-11 23:12:07 +020011875 Example:
11876 # track request counts per "base" (concatenation of Host+URL)
11877 tcp-request inspect-delay 10s
11878 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011879 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020011880
Willy Tarreau74ca5042013-06-11 23:12:07 +020011881req.rdp_cookie([<name>]) : string
11882rdp_cookie([<name>]) : string (deprecated)
11883 When the request buffer looks like the RDP protocol, extracts the RDP cookie
11884 <name>, or any cookie if unspecified. The parser only checks for the first
11885 cookie, as illustrated in the RDP protocol specification. The cookie name is
11886 case insensitive. Generally the "MSTS" cookie name will be used, as it can
11887 contain the user name of the client connecting to the server if properly
11888 configured on the client. The "MSTSHASH" cookie is often used as well for
11889 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011890
Willy Tarreau74ca5042013-06-11 23:12:07 +020011891 This differs from "balance rdp-cookie" in that any balancing algorithm may be
11892 used and thus the distribution of clients to backend servers is not linked to
11893 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
11894 such as "balance roundrobin" or "balance leastconn" will lead to a more even
11895 distribution of clients to backend servers than the hash used by "balance
11896 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011897
Willy Tarreau74ca5042013-06-11 23:12:07 +020011898 ACL derivatives :
11899 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011900
Willy Tarreau74ca5042013-06-11 23:12:07 +020011901 Example :
11902 listen tse-farm
11903 bind 0.0.0.0:3389
11904 # wait up to 5s for an RDP cookie in the request
11905 tcp-request inspect-delay 5s
11906 tcp-request content accept if RDP_COOKIE
11907 # apply RDP cookie persistence
11908 persist rdp-cookie
11909 # Persist based on the mstshash cookie
11910 # This is only useful makes sense if
11911 # balance rdp-cookie is not used
11912 stick-table type string size 204800
11913 stick on req.rdp_cookie(mstshash)
11914 server srv1 1.1.1.1:3389
11915 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011916
Willy Tarreau74ca5042013-06-11 23:12:07 +020011917 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
11918 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011919
Willy Tarreau74ca5042013-06-11 23:12:07 +020011920req.rdp_cookie_cnt([name]) : integer
11921rdp_cookie_cnt([name]) : integer (deprecated)
11922 Tries to parse the request buffer as RDP protocol, then returns an integer
11923 corresponding to the number of RDP cookies found. If an optional cookie name
11924 is passed, only cookies matching this name are considered. This is mostly
11925 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011926
Willy Tarreau74ca5042013-06-11 23:12:07 +020011927 ACL derivatives :
11928 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011929
Willy Tarreau74ca5042013-06-11 23:12:07 +020011930req.ssl_hello_type : integer
11931req_ssl_hello_type : integer (deprecated)
11932 Returns an integer value containing the type of the SSL hello message found
11933 in the request buffer if the buffer contains data that parse as a complete
11934 SSL (v3 or superior) client hello message. Note that this only applies to raw
11935 contents found in the request buffer and not to contents deciphered via an
11936 SSL data layer, so this will not work with "bind" lines having the "ssl"
11937 option. This is mostly used in ACL to detect presence of an SSL hello message
11938 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011939
Willy Tarreau74ca5042013-06-11 23:12:07 +020011940req.ssl_sni : string
11941req_ssl_sni : string (deprecated)
11942 Returns a string containing the value of the Server Name TLS extension sent
11943 by a client in a TLS stream passing through the request buffer if the buffer
11944 contains data that parse as a complete SSL (v3 or superior) client hello
11945 message. Note that this only applies to raw contents found in the request
11946 buffer and not to contents deciphered via an SSL data layer, so this will not
11947 work with "bind" lines having the "ssl" option. SNI normally contains the
11948 name of the host the client tries to connect to (for recent browsers). SNI is
11949 useful for allowing or denying access to certain hosts when SSL/TLS is used
11950 by the client. This test was designed to be used with TCP request content
11951 inspection. If content switching is needed, it is recommended to first wait
11952 for a complete client hello (type 1), like in the example below. See also
11953 "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011954
Willy Tarreau74ca5042013-06-11 23:12:07 +020011955 ACL derivatives :
11956 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011957
Willy Tarreau74ca5042013-06-11 23:12:07 +020011958 Examples :
11959 # Wait for a client hello for at most 5 seconds
11960 tcp-request inspect-delay 5s
11961 tcp-request content accept if { req_ssl_hello_type 1 }
11962 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
11963 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011964
Willy Tarreau74ca5042013-06-11 23:12:07 +020011965res.ssl_hello_type : integer
11966rep_ssl_hello_type : integer (deprecated)
11967 Returns an integer value containing the type of the SSL hello message found
11968 in the response buffer if the buffer contains data that parses as a complete
11969 SSL (v3 or superior) hello message. Note that this only applies to raw
11970 contents found in the response buffer and not to contents deciphered via an
11971 SSL data layer, so this will not work with "server" lines having the "ssl"
11972 option. This is mostly used in ACL to detect presence of an SSL hello message
11973 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau51539362012-05-08 12:46:28 +020011974
Willy Tarreau74ca5042013-06-11 23:12:07 +020011975req.ssl_ver : integer
11976req_ssl_ver : integer (deprecated)
11977 Returns an integer value containing the version of the SSL/TLS protocol of a
11978 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
11979 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
11980 composed of the major version multiplied by 65536, added to the minor
11981 version. Note that this only applies to raw contents found in the request
11982 buffer and not to contents deciphered via an SSL data layer, so this will not
11983 work with "bind" lines having the "ssl" option. The ACL version of the test
11984 matches against a decimal notation in the form MAJOR.MINOR (eg: 3.1). This
11985 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011986
Willy Tarreau74ca5042013-06-11 23:12:07 +020011987 ACL derivatives :
11988 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010011989
Willy Tarreau47e8eba2013-09-11 23:28:46 +020011990res.len : integer
11991 Returns an integer value corresponding to the number of bytes present in the
11992 response buffer. This is mostly used in ACL. It is important to understand
11993 that this test does not return false as long as the buffer is changing. This
11994 means that a check with equality to zero will almost always immediately match
11995 at the beginning of the session, while a test for more data will wait for
11996 that data to come in and return false only when haproxy is certain that no
11997 more data will come in. This test was designed to be used with TCP response
11998 content inspection.
11999
Willy Tarreau74ca5042013-06-11 23:12:07 +020012000res.payload(<offset>,<length>) : binary
12001 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020012002 in the response buffer. As a special case, if the <length> argument is zero,
12003 the the whole buffer from <offset> to the end is extracted. This can be used
12004 with ACLs in order to check for the presence of some content in a buffer at
12005 any location.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012006
Willy Tarreau74ca5042013-06-11 23:12:07 +020012007res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
12008 This extracts a binary block whose size is specified at <offset1> for <length>
12009 bytes, and which starts at <offset2> if specified or just after the length in
12010 the response buffer. The <offset2> parameter also supports relative offsets
12011 if prepended with a '+' or '-' sign.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012012
Willy Tarreau74ca5042013-06-11 23:12:07 +020012013 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012014
Willy Tarreau74ca5042013-06-11 23:12:07 +020012015wait_end : boolean
12016 This fetch either returns true when the inspection period is over, or does
12017 not fetch. It is only used in ACLs, in conjunction with content analysis to
12018 avoid returning a wrong verdict early. It may also be used to delay some
12019 actions, such as a delayed reject for some special addresses. Since it either
12020 stops the rules evaluation or immediately returns true, it is recommended to
12021 use this acl as the last one in a rule. Please note that the default ACL
12022 "WAIT_END" is always usable without prior declaration. This test was designed
12023 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012024
Willy Tarreau74ca5042013-06-11 23:12:07 +020012025 Examples :
12026 # delay every incoming request by 2 seconds
12027 tcp-request inspect-delay 2s
12028 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010012029
Willy Tarreau74ca5042013-06-11 23:12:07 +020012030 # don't immediately tell bad guys they are rejected
12031 tcp-request inspect-delay 10s
12032 acl goodguys src 10.0.0.0/24
12033 acl badguys src 10.0.1.0/24
12034 tcp-request content accept if goodguys
12035 tcp-request content reject if badguys WAIT_END
12036 tcp-request content reject
12037
12038
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200120397.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020012040--------------------------------------
12041
12042It is possible to fetch samples from HTTP contents, requests and responses.
12043This application layer is also called layer 7. It is only possible to fetch the
12044data in this section when a full HTTP request or response has been parsed from
12045its respective request or response buffer. This is always the case with all
12046HTTP specific rules and for sections running with "mode http". When using TCP
12047content inspection, it may be necessary to support an inspection delay in order
12048to let the request or response come in first. These fetches may require a bit
12049more CPU resources than the layer 4 ones, but not much since the request and
12050response are indexed.
12051
12052base : string
12053 This returns the concatenation of the first Host header and the path part of
12054 the request, which starts at the first slash and ends before the question
12055 mark. It can be useful in virtual hosted environments to detect URL abuses as
12056 well as to improve shared caches efficiency. Using this with a limited size
12057 stick table also allows one to collect statistics about most commonly
12058 requested objects by host/path. With ACLs it can allow simple content
12059 switching rules involving the host and the path at the same time, such as
12060 "www.example.com/favicon.ico". See also "path" and "uri".
12061
12062 ACL derivatives :
12063 base : exact string match
12064 base_beg : prefix match
12065 base_dir : subdir match
12066 base_dom : domain match
12067 base_end : suffix match
12068 base_len : length match
12069 base_reg : regex match
12070 base_sub : substring match
12071
12072base32 : integer
12073 This returns a 32-bit hash of the value returned by the "base" fetch method
12074 above. This is useful to track per-URL activity on high traffic sites without
12075 having to store all URLs. Instead a shorter hash is stored, saving a lot of
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020012076 memory. The output type is an unsigned integer. The hash function used is
12077 SDBM with full avalanche on the output. Technically, base32 is exactly equal
12078 to "base,sdbm(1)".
Willy Tarreau74ca5042013-06-11 23:12:07 +020012079
12080base32+src : binary
12081 This returns the concatenation of the base32 fetch above and the src fetch
12082 below. The resulting type is of type binary, with a size of 8 or 20 bytes
12083 depending on the source address family. This can be used to track per-IP,
12084 per-URL counters.
12085
William Lallemand65ad6e12014-01-31 15:08:02 +010012086capture.req.hdr(<idx>) : string
12087 This extracts the content of the header captured by the "capture request
12088 header", idx is the position of the capture keyword in the configuration.
12089 The first entry is an index of 0. See also: "capture request header".
12090
12091capture.req.method : string
12092 This extracts the METHOD of an HTTP request. It can be used in both request
12093 and response. Unlike "method", it can be used in both request and response
12094 because it's allocated.
12095
12096capture.req.uri : string
12097 This extracts the request's URI, which starts at the first slash and ends
12098 before the first space in the request (without the host part). Unlike "path"
12099 and "url", it can be used in both request and response because it's
12100 allocated.
12101
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020012102capture.req.ver : string
12103 This extracts the request's HTTP version and returns either "HTTP/1.0" or
12104 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
12105 logs because it relies on a persistent flag.
12106
William Lallemand65ad6e12014-01-31 15:08:02 +010012107capture.res.hdr(<idx>) : string
12108 This extracts the content of the header captured by the "capture response
12109 header", idx is the position of the capture keyword in the configuration.
12110 The first entry is an index of 0.
12111 See also: "capture response header"
12112
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020012113capture.res.ver : string
12114 This extracts the response's HTTP version and returns either "HTTP/1.0" or
12115 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
12116 persistent flag.
12117
Willy Tarreau74ca5042013-06-11 23:12:07 +020012118req.cook([<name>]) : string
12119cook([<name>]) : string (deprecated)
12120 This extracts the last occurrence of the cookie name <name> on a "Cookie"
12121 header line from the request, and returns its value as string. If no name is
12122 specified, the first cookie value is returned. When used with ACLs, all
12123 matching cookies are evaluated. Spaces around the name and the value are
12124 ignored as requested by the Cookie header specification (RFC6265). The cookie
12125 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
12126 well return an empty value if it is present. Use the "found" match to detect
12127 presence. Use the res.cook() variant for response cookies sent by the server.
12128
12129 ACL derivatives :
12130 cook([<name>]) : exact string match
12131 cook_beg([<name>]) : prefix match
12132 cook_dir([<name>]) : subdir match
12133 cook_dom([<name>]) : domain match
12134 cook_end([<name>]) : suffix match
12135 cook_len([<name>]) : length match
12136 cook_reg([<name>]) : regex match
12137 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010012138
Willy Tarreau74ca5042013-06-11 23:12:07 +020012139req.cook_cnt([<name>]) : integer
12140cook_cnt([<name>]) : integer (deprecated)
12141 Returns an integer value representing the number of occurrences of the cookie
12142 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012143
Willy Tarreau74ca5042013-06-11 23:12:07 +020012144req.cook_val([<name>]) : integer
12145cook_val([<name>]) : integer (deprecated)
12146 This extracts the last occurrence of the cookie name <name> on a "Cookie"
12147 header line from the request, and converts its value to an integer which is
12148 returned. If no name is specified, the first cookie value is returned. When
12149 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020012150
Willy Tarreau74ca5042013-06-11 23:12:07 +020012151cookie([<name>]) : string (deprecated)
12152 This extracts the last occurrence of the cookie name <name> on a "Cookie"
12153 header line from the request, or a "Set-Cookie" header from the response, and
12154 returns its value as a string. A typical use is to get multiple clients
12155 sharing a same profile use the same server. This can be similar to what
12156 "appsession" does with the "request-learn" statement, but with support for
12157 multi-peer synchronization and state keeping across restarts. If no name is
12158 specified, the first cookie value is returned. This fetch should not be used
12159 anymore and should be replaced by req.cook() or res.cook() instead as it
12160 ambiguously uses the direction based on the context where it is used.
12161 See also : "appsession".
Willy Tarreaud63335a2010-02-26 12:56:52 +010012162
Willy Tarreau74ca5042013-06-11 23:12:07 +020012163hdr([<name>[,<occ>]]) : string
12164 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
12165 used on responses. Please refer to these respective fetches for more details.
12166 In case of doubt about the fetch direction, please use the explicit ones.
12167 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012168 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012169
Willy Tarreau74ca5042013-06-11 23:12:07 +020012170req.fhdr(<name>[,<occ>]) : string
12171 This extracts the last occurrence of header <name> in an HTTP request. When
12172 used from an ACL, all occurrences are iterated over until a match is found.
12173 Optionally, a specific occurrence might be specified as a position number.
12174 Positive values indicate a position from the first occurrence, with 1 being
12175 the first one. Negative values indicate positions relative to the last one,
12176 with -1 being the last one. It differs from req.hdr() in that any commas
12177 present in the value are returned and are not used as delimiters. This is
12178 sometimes useful with headers such as User-Agent.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012179
Willy Tarreau74ca5042013-06-11 23:12:07 +020012180req.fhdr_cnt([<name>]) : integer
12181 Returns an integer value representing the number of occurrences of request
12182 header field name <name>, or the total number of header fields if <name> is
12183 not specified. Contrary to its req.hdr_cnt() cousin, this function returns
12184 the number of full line headers and does not stop on commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012185
Willy Tarreau74ca5042013-06-11 23:12:07 +020012186req.hdr([<name>[,<occ>]]) : string
12187 This extracts the last occurrence of header <name> in an HTTP request. When
12188 used from an ACL, all occurrences are iterated over until a match is found.
12189 Optionally, a specific occurrence might be specified as a position number.
12190 Positive values indicate a position from the first occurrence, with 1 being
12191 the first one. Negative values indicate positions relative to the last one,
12192 with -1 being the last one. A typical use is with the X-Forwarded-For header
12193 once converted to IP, associated with an IP stick-table. The function
12194 considers any comma as a delimiter for distinct values. If full-line headers
12195 are desired instead, use req.fhdr(). Please carefully check RFC2616 to know
12196 how certain headers are supposed to be parsed. Also, some of them are case
12197 insensitive (eg: Connection).
Willy Tarreaud63335a2010-02-26 12:56:52 +010012198
Willy Tarreau74ca5042013-06-11 23:12:07 +020012199 ACL derivatives :
12200 hdr([<name>[,<occ>]]) : exact string match
12201 hdr_beg([<name>[,<occ>]]) : prefix match
12202 hdr_dir([<name>[,<occ>]]) : subdir match
12203 hdr_dom([<name>[,<occ>]]) : domain match
12204 hdr_end([<name>[,<occ>]]) : suffix match
12205 hdr_len([<name>[,<occ>]]) : length match
12206 hdr_reg([<name>[,<occ>]]) : regex match
12207 hdr_sub([<name>[,<occ>]]) : substring match
12208
12209req.hdr_cnt([<name>]) : integer
12210hdr_cnt([<header>]) : integer (deprecated)
12211 Returns an integer value representing the number of occurrences of request
12212 header field name <name>, or the total number of header field values if
12213 <name> is not specified. It is important to remember that one header line may
12214 count as several headers if it has several values. The function considers any
12215 comma as a delimiter for distinct values. If full-line headers are desired
12216 instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
12217 detect presence, absence or abuse of a specific header, as well as to block
12218 request smuggling attacks by rejecting requests which contain more than one
12219 of certain headers. See "req.hdr" for more information on header matching.
12220
12221req.hdr_ip([<name>[,<occ>]]) : ip
12222hdr_ip([<name>[,<occ>]]) : ip (deprecated)
12223 This extracts the last occurrence of header <name> in an HTTP request,
12224 converts it to an IPv4 or IPv6 address and returns this address. When used
12225 with ACLs, all occurrences are checked, and if <name> is omitted, every value
12226 of every header is checked. Optionally, a specific occurrence might be
12227 specified as a position number. Positive values indicate a position from the
12228 first occurrence, with 1 being the first one. Negative values indicate
12229 positions relative to the last one, with -1 being the last one. A typical use
12230 is with the X-Forwarded-For and X-Client-IP headers.
12231
12232req.hdr_val([<name>[,<occ>]]) : integer
12233hdr_val([<name>[,<occ>]]) : integer (deprecated)
12234 This extracts the last occurrence of header <name> in an HTTP request, and
12235 converts it to an integer value. When used with ACLs, all occurrences are
12236 checked, and if <name> is omitted, every value of every header is checked.
12237 Optionally, a specific occurrence might be specified as a position number.
12238 Positive values indicate a position from the first occurrence, with 1 being
12239 the first one. Negative values indicate positions relative to the last one,
12240 with -1 being the last one. A typical use is with the X-Forwarded-For header.
12241
12242http_auth(<userlist>) : boolean
12243 Returns a boolean indicating whether the authentication data received from
12244 the client match a username & password stored in the specified userlist. This
12245 fetch function is not really useful outside of ACLs. Currently only http
12246 basic auth is supported.
12247
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010012248http_auth_group(<userlist>) : string
12249 Returns a string corresponding to the user name found in the authentication
12250 data received from the client if both the user name and password are valid
12251 according to the specified userlist. The main purpose is to use it in ACLs
12252 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020012253 This fetch function is not really useful outside of ACLs. Currently only http
12254 basic auth is supported.
12255
12256 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010012257 http_auth_group(<userlist>) : group ...
12258 Returns true when the user extracted from the request and whose password is
12259 valid according to the specified userlist belongs to at least one of the
12260 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020012261
12262http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020012263 Returns true when the request being processed is the first one of the
12264 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020012265 from some requests when a request is not the first one, or to help grouping
12266 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020012267
Willy Tarreau74ca5042013-06-11 23:12:07 +020012268method : integer + string
12269 Returns an integer value corresponding to the method in the HTTP request. For
12270 example, "GET" equals 1 (check sources to establish the matching). Value 9
12271 means "other method" and may be converted to a string extracted from the
12272 stream. This should not be used directly as a sample, this is only meant to
12273 be used from ACLs, which transparently convert methods from patterns to these
12274 integer + string values. Some predefined ACL already check for most common
12275 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012276
Willy Tarreau74ca5042013-06-11 23:12:07 +020012277 ACL derivatives :
12278 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020012279
Willy Tarreau74ca5042013-06-11 23:12:07 +020012280 Example :
12281 # only accept GET and HEAD requests
12282 acl valid_method method GET HEAD
12283 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020012284
Willy Tarreau74ca5042013-06-11 23:12:07 +020012285path : string
12286 This extracts the request's URL path, which starts at the first slash and
12287 ends before the question mark (without the host part). A typical use is with
12288 prefetch-capable caches, and with portals which need to aggregate multiple
12289 information from databases and keep them in caches. Note that with outgoing
12290 caches, it would be wiser to use "url" instead. With ACLs, it's typically
12291 used to match exact file names (eg: "/login.php"), or directory parts using
12292 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012293
Willy Tarreau74ca5042013-06-11 23:12:07 +020012294 ACL derivatives :
12295 path : exact string match
12296 path_beg : prefix match
12297 path_dir : subdir match
12298 path_dom : domain match
12299 path_end : suffix match
12300 path_len : length match
12301 path_reg : regex match
12302 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020012303
Willy Tarreau49ad95c2015-01-19 15:06:26 +010012304query : string
12305 This extracts the request's query string, which starts after the first
12306 question mark. If no question mark is present, this fetch returns nothing. If
12307 a question mark is present but nothing follows, it returns an empty string.
12308 This means it's possible to easily know whether a query string is present
12309 using the "found" matching method. This fetch is the completemnt of "path"
12310 which stops before the question mark.
12311
Willy Tarreaueb27ec72015-02-20 13:55:29 +010012312req.hdr_names([<delim>]) : string
12313 This builds a string made from the concatenation of all header names as they
12314 appear in the request when the rule is evaluated. The default delimiter is
12315 the comma (',') but it may be overridden as an optional argument <delim>. In
12316 this case, only the first character of <delim> is considered.
12317
Willy Tarreau74ca5042013-06-11 23:12:07 +020012318req.ver : string
12319req_ver : string (deprecated)
12320 Returns the version string from the HTTP request, for example "1.1". This can
12321 be useful for logs, but is mostly there for ACL. Some predefined ACL already
12322 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012323
Willy Tarreau74ca5042013-06-11 23:12:07 +020012324 ACL derivatives :
12325 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020012326
Willy Tarreau74ca5042013-06-11 23:12:07 +020012327res.comp : boolean
12328 Returns the boolean "true" value if the response has been compressed by
12329 HAProxy, otherwise returns boolean "false". This may be used to add
12330 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012331
Willy Tarreau74ca5042013-06-11 23:12:07 +020012332res.comp_algo : string
12333 Returns a string containing the name of the algorithm used if the response
12334 was compressed by HAProxy, for example : "deflate". This may be used to add
12335 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012336
Willy Tarreau74ca5042013-06-11 23:12:07 +020012337res.cook([<name>]) : string
12338scook([<name>]) : string (deprecated)
12339 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
12340 header line from the response, and returns its value as string. If no name is
12341 specified, the first cookie value is returned.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020012342
Willy Tarreau74ca5042013-06-11 23:12:07 +020012343 ACL derivatives :
12344 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020012345
Willy Tarreau74ca5042013-06-11 23:12:07 +020012346res.cook_cnt([<name>]) : integer
12347scook_cnt([<name>]) : integer (deprecated)
12348 Returns an integer value representing the number of occurrences of the cookie
12349 <name> in the response, or all cookies if <name> is not specified. This is
12350 mostly useful when combined with ACLs to detect suspicious responses.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012351
Willy Tarreau74ca5042013-06-11 23:12:07 +020012352res.cook_val([<name>]) : integer
12353scook_val([<name>]) : integer (deprecated)
12354 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
12355 header line from the response, and converts its value to an integer which is
12356 returned. If no name is specified, the first cookie value is returned.
Willy Tarreaud63335a2010-02-26 12:56:52 +010012357
Willy Tarreau74ca5042013-06-11 23:12:07 +020012358res.fhdr([<name>[,<occ>]]) : string
12359 This extracts the last occurrence of header <name> in an HTTP response, or of
12360 the last header if no <name> is specified. Optionally, a specific occurrence
12361 might be specified as a position number. Positive values indicate a position
12362 from the first occurrence, with 1 being the first one. Negative values
12363 indicate positions relative to the last one, with -1 being the last one. It
12364 differs from res.hdr() in that any commas present in the value are returned
12365 and are not used as delimiters. If this is not desired, the res.hdr() fetch
12366 should be used instead. This is sometimes useful with headers such as Date or
12367 Expires.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012368
Willy Tarreau74ca5042013-06-11 23:12:07 +020012369res.fhdr_cnt([<name>]) : integer
12370 Returns an integer value representing the number of occurrences of response
12371 header field name <name>, or the total number of header fields if <name> is
12372 not specified. Contrary to its res.hdr_cnt() cousin, this function returns
12373 the number of full line headers and does not stop on commas. If this is not
12374 desired, the res.hdr_cnt() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012375
Willy Tarreau74ca5042013-06-11 23:12:07 +020012376res.hdr([<name>[,<occ>]]) : string
12377shdr([<name>[,<occ>]]) : string (deprecated)
12378 This extracts the last occurrence of header <name> in an HTTP response, or of
12379 the last header if no <name> is specified. Optionally, a specific occurrence
12380 might be specified as a position number. Positive values indicate a position
12381 from the first occurrence, with 1 being the first one. Negative values
12382 indicate positions relative to the last one, with -1 being the last one. This
12383 can be useful to learn some data into a stick-table. The function considers
12384 any comma as a delimiter for distinct values. If this is not desired, the
12385 res.fhdr() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012386
Willy Tarreau74ca5042013-06-11 23:12:07 +020012387 ACL derivatives :
12388 shdr([<name>[,<occ>]]) : exact string match
12389 shdr_beg([<name>[,<occ>]]) : prefix match
12390 shdr_dir([<name>[,<occ>]]) : subdir match
12391 shdr_dom([<name>[,<occ>]]) : domain match
12392 shdr_end([<name>[,<occ>]]) : suffix match
12393 shdr_len([<name>[,<occ>]]) : length match
12394 shdr_reg([<name>[,<occ>]]) : regex match
12395 shdr_sub([<name>[,<occ>]]) : substring match
12396
12397res.hdr_cnt([<name>]) : integer
12398shdr_cnt([<name>]) : integer (deprecated)
12399 Returns an integer value representing the number of occurrences of response
12400 header field name <name>, or the total number of header fields if <name> is
12401 not specified. The function considers any comma as a delimiter for distinct
12402 values. If this is not desired, the res.fhdr_cnt() fetch should be used
12403 instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012404
Willy Tarreau74ca5042013-06-11 23:12:07 +020012405res.hdr_ip([<name>[,<occ>]]) : ip
12406shdr_ip([<name>[,<occ>]]) : ip (deprecated)
12407 This extracts the last occurrence of header <name> in an HTTP response,
12408 convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
12409 specific occurrence might be specified as a position number. Positive values
12410 indicate a position from the first occurrence, with 1 being the first one.
12411 Negative values indicate positions relative to the last one, with -1 being
12412 the last one. This can be useful to learn some data into a stick table.
Willy Tarreau6a06a402007-07-15 20:15:28 +020012413
Willy Tarreaueb27ec72015-02-20 13:55:29 +010012414res.hdr_names([<delim>]) : string
12415 This builds a string made from the concatenation of all header names as they
12416 appear in the response when the rule is evaluated. The default delimiter is
12417 the comma (',') but it may be overridden as an optional argument <delim>. In
12418 this case, only the first character of <delim> is considered.
12419
Willy Tarreau74ca5042013-06-11 23:12:07 +020012420res.hdr_val([<name>[,<occ>]]) : integer
12421shdr_val([<name>[,<occ>]]) : integer (deprecated)
12422 This extracts the last occurrence of header <name> in an HTTP response, and
12423 converts it to an integer value. Optionally, a specific occurrence might be
12424 specified as a position number. Positive values indicate a position from the
12425 first occurrence, with 1 being the first one. Negative values indicate
12426 positions relative to the last one, with -1 being the last one. This can be
12427 useful to learn some data into a stick table.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010012428
Willy Tarreau74ca5042013-06-11 23:12:07 +020012429res.ver : string
12430resp_ver : string (deprecated)
12431 Returns the version string from the HTTP response, for example "1.1". This
12432 can be useful for logs, but is mostly there for ACL.
Willy Tarreau0e698542011-09-16 08:32:32 +020012433
Willy Tarreau74ca5042013-06-11 23:12:07 +020012434 ACL derivatives :
12435 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010012436
Willy Tarreau74ca5042013-06-11 23:12:07 +020012437set-cookie([<name>]) : string (deprecated)
12438 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
12439 header line from the response and uses the corresponding value to match. This
12440 can be comparable to what "appsession" does with default options, but with
12441 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010012442
Willy Tarreau74ca5042013-06-11 23:12:07 +020012443 This fetch function is deprecated and has been superseded by the "res.cook"
12444 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010012445
Willy Tarreau74ca5042013-06-11 23:12:07 +020012446 See also : "appsession"
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012447
Willy Tarreau74ca5042013-06-11 23:12:07 +020012448status : integer
12449 Returns an integer containing the HTTP status code in the HTTP response, for
12450 example, 302. It is mostly used within ACLs and integer ranges, for example,
12451 to remove any Location header if the response is not a 3xx.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012452
Willy Tarreau74ca5042013-06-11 23:12:07 +020012453url : string
12454 This extracts the request's URL as presented in the request. A typical use is
12455 with prefetch-capable caches, and with portals which need to aggregate
12456 multiple information from databases and keep them in caches. With ACLs, using
12457 "path" is preferred over using "url", because clients may send a full URL as
12458 is normally done with proxies. The only real use is to match "*" which does
12459 not match in "path", and for which there is already a predefined ACL. See
12460 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012461
Willy Tarreau74ca5042013-06-11 23:12:07 +020012462 ACL derivatives :
12463 url : exact string match
12464 url_beg : prefix match
12465 url_dir : subdir match
12466 url_dom : domain match
12467 url_end : suffix match
12468 url_len : length match
12469 url_reg : regex match
12470 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012471
Willy Tarreau74ca5042013-06-11 23:12:07 +020012472url_ip : ip
12473 This extracts the IP address from the request's URL when the host part is
12474 presented as an IP address. Its use is very limited. For instance, a
12475 monitoring system might use this field as an alternative for the source IP in
12476 order to test what path a given source address would follow, or to force an
12477 entry in a table for a given source address. With ACLs it can be used to
12478 restrict access to certain systems through a proxy, for example when combined
12479 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012480
Willy Tarreau74ca5042013-06-11 23:12:07 +020012481url_port : integer
12482 This extracts the port part from the request's URL. Note that if the port is
12483 not specified in the request, port 80 is assumed. With ACLs it can be used to
12484 restrict access to certain systems through a proxy, for example when combined
12485 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012486
Willy Tarreau74ca5042013-06-11 23:12:07 +020012487urlp(<name>[,<delim>]) : string
12488url_param(<name>[,<delim>]) : string
12489 This extracts the first occurrence of the parameter <name> in the query
12490 string, which begins after either '?' or <delim>, and which ends before '&',
12491 ';' or <delim>. The parameter name is case-sensitive. The result is a string
12492 corresponding to the value of the parameter <name> as presented in the
12493 request (no URL decoding is performed). This can be used for session
12494 stickiness based on a client ID, to extract an application cookie passed as a
12495 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
12496 this fetch do not iterate over multiple parameters and stop at the first one
12497 as well.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012498
Willy Tarreau74ca5042013-06-11 23:12:07 +020012499 ACL derivatives :
12500 urlp(<name>[,<delim>]) : exact string match
12501 urlp_beg(<name>[,<delim>]) : prefix match
12502 urlp_dir(<name>[,<delim>]) : subdir match
12503 urlp_dom(<name>[,<delim>]) : domain match
12504 urlp_end(<name>[,<delim>]) : suffix match
12505 urlp_len(<name>[,<delim>]) : length match
12506 urlp_reg(<name>[,<delim>]) : regex match
12507 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012508
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012509
Willy Tarreau74ca5042013-06-11 23:12:07 +020012510 Example :
12511 # match http://example.com/foo?PHPSESSIONID=some_id
12512 stick on urlp(PHPSESSIONID)
12513 # match http://example.com/foo;JSESSIONID=some_id
12514 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020012515
Willy Tarreau74ca5042013-06-11 23:12:07 +020012516urlp_val(<name>[,<delim>]) : integer
12517 See "urlp" above. This one extracts the URL parameter <name> in the request
12518 and converts it to an integer value. This can be used for session stickiness
12519 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020012520
Willy Tarreau198a7442008-01-17 12:05:32 +010012521
Willy Tarreau74ca5042013-06-11 23:12:07 +0200125227.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012523---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010012524
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012525Some predefined ACLs are hard-coded so that they do not have to be declared in
12526every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020012527order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010012528
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012529ACL name Equivalent to Usage
12530---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012531FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +020012532HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012533HTTP_1.0 req_ver 1.0 match HTTP version 1.0
12534HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +010012535HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
12536HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
12537HTTP_URL_SLASH url_beg / match URL beginning with "/"
12538HTTP_URL_STAR url * match URL equal to "*"
12539LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012540METH_CONNECT method CONNECT match HTTP CONNECT method
12541METH_GET method GET HEAD match HTTP GET or HEAD method
12542METH_HEAD method HEAD match HTTP HEAD method
12543METH_OPTIONS method OPTIONS match HTTP OPTIONS method
12544METH_POST method POST match HTTP POST method
12545METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +020012546RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012547REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +010012548TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012549WAIT_END wait_end wait for end of content analysis
12550---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010012551
Willy Tarreaub937b7e2010-01-12 15:27:54 +010012552
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200125538. Logging
12554----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010012555
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012556One of HAProxy's strong points certainly lies is its precise logs. It probably
12557provides the finest level of information available for such a product, which is
12558very important for troubleshooting complex environments. Standard information
12559provided in logs include client ports, TCP/HTTP state timers, precise session
12560state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012561to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012562headers.
12563
12564In order to improve administrators reactivity, it offers a great transparency
12565about encountered problems, both internal and external, and it is possible to
12566send logs to different sources at the same time with different level filters :
12567
12568 - global process-level logs (system errors, start/stop, etc..)
12569 - per-instance system and internal errors (lack of resource, bugs, ...)
12570 - per-instance external troubles (servers up/down, max connections)
12571 - per-instance activity (client connections), either at the establishment or
12572 at the termination.
12573
12574The ability to distribute different levels of logs to different log servers
12575allow several production teams to interact and to fix their problems as soon
12576as possible. For example, the system team might monitor system-wide errors,
12577while the application team might be monitoring the up/down for their servers in
12578real time, and the security team might analyze the activity logs with one hour
12579delay.
12580
12581
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200125828.1. Log levels
12583---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012584
Simon Hormandf791f52011-05-29 15:01:10 +090012585TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012586source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090012587HTTP request, HTTP return code, number of bytes transmitted, conditions
12588in which the session ended, and even exchanged cookies values. For example
12589track a particular user's problems. All messages may be sent to up to two
12590syslog servers. Check the "log" keyword in section 4.2 for more information
12591about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012592
12593
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200125948.2. Log formats
12595----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012596
William Lallemand48940402012-01-30 16:47:22 +010012597HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090012598and will be detailed in the following sections. A few of them may vary
12599slightly with the configuration, due to indicators specific to certain
12600options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012601
12602 - the default format, which is very basic and very rarely used. It only
12603 provides very basic information about the incoming connection at the moment
12604 it is accepted : source IP:port, destination IP:port, and frontend-name.
12605 This mode will eventually disappear so it will not be described to great
12606 extents.
12607
12608 - the TCP format, which is more advanced. This format is enabled when "option
12609 tcplog" is set on the frontend. HAProxy will then usually wait for the
12610 connection to terminate before logging. This format provides much richer
12611 information, such as timers, connection counts, queue size, etc... This
12612 format is recommended for pure TCP proxies.
12613
12614 - the HTTP format, which is the most advanced for HTTP proxying. This format
12615 is enabled when "option httplog" is set on the frontend. It provides the
12616 same information as the TCP format with some HTTP-specific fields such as
12617 the request, the status code, and captures of headers and cookies. This
12618 format is recommended for HTTP proxies.
12619
Emeric Brun3a058f32009-06-30 18:26:00 +020012620 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
12621 fields arranged in the same order as the CLF format. In this mode, all
12622 timers, captures, flags, etc... appear one per field after the end of the
12623 common fields, in the same order they appear in the standard HTTP format.
12624
William Lallemand48940402012-01-30 16:47:22 +010012625 - the custom log format, allows you to make your own log line.
12626
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012627Next sections will go deeper into details for each of these formats. Format
12628specification will be performed on a "field" basis. Unless stated otherwise, a
12629field is a portion of text delimited by any number of spaces. Since syslog
12630servers are susceptible of inserting fields at the beginning of a line, it is
12631always assumed that the first field is the one containing the process name and
12632identifier.
12633
12634Note : Since log lines may be quite long, the log examples in sections below
12635 might be broken into multiple lines. The example log lines will be
12636 prefixed with 3 closing angle brackets ('>>>') and each time a log is
12637 broken into multiple lines, each non-final line will end with a
12638 backslash ('\') and the next line will start indented by two characters.
12639
12640
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200126418.2.1. Default log format
12642-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012643
12644This format is used when no specific option is set. The log is emitted as soon
12645as the connection is accepted. One should note that this currently is the only
12646format which logs the request's destination IP and ports.
12647
12648 Example :
12649 listen www
12650 mode http
12651 log global
12652 server srv1 127.0.0.1:8000
12653
12654 >>> Feb 6 12:12:09 localhost \
12655 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
12656 (www/HTTP)
12657
12658 Field Format Extract from the example above
12659 1 process_name '[' pid ']:' haproxy[14385]:
12660 2 'Connect from' Connect from
12661 3 source_ip ':' source_port 10.0.1.2:33312
12662 4 'to' to
12663 5 destination_ip ':' destination_port 10.0.3.31:8012
12664 6 '(' frontend_name '/' mode ')' (www/HTTP)
12665
12666Detailed fields description :
12667 - "source_ip" is the IP address of the client which initiated the connection.
12668 - "source_port" is the TCP port of the client which initiated the connection.
12669 - "destination_ip" is the IP address the client connected to.
12670 - "destination_port" is the TCP port the client connected to.
12671 - "frontend_name" is the name of the frontend (or listener) which received
12672 and processed the connection.
12673 - "mode is the mode the frontend is operating (TCP or HTTP).
12674
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012675In case of a UNIX socket, the source and destination addresses are marked as
12676"unix:" and the ports reflect the internal ID of the socket which accepted the
12677connection (the same ID as reported in the stats).
12678
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012679It is advised not to use this deprecated format for newer installations as it
12680will eventually disappear.
12681
12682
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200126838.2.2. TCP log format
12684---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012685
12686The TCP format is used when "option tcplog" is specified in the frontend, and
12687is the recommended format for pure TCP proxies. It provides a lot of precious
12688information for troubleshooting. Since this format includes timers and byte
12689counts, the log is normally emitted at the end of the session. It can be
12690emitted earlier if "option logasap" is specified, which makes sense in most
12691environments with long sessions such as remote terminals. Sessions which match
12692the "monitor" rules are never logged. It is also possible not to emit logs for
12693sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012694specifying "option dontlognull" in the frontend. Successful connections will
12695not be logged if "option dontlog-normal" is specified in the frontend. A few
12696fields may slightly vary depending on some configuration options, those are
12697marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012698
12699 Example :
12700 frontend fnt
12701 mode tcp
12702 option tcplog
12703 log global
12704 default_backend bck
12705
12706 backend bck
12707 server srv1 127.0.0.1:8000
12708
12709 >>> Feb 6 12:12:56 localhost \
12710 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
12711 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
12712
12713 Field Format Extract from the example above
12714 1 process_name '[' pid ']:' haproxy[14387]:
12715 2 client_ip ':' client_port 10.0.1.2:33313
12716 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
12717 4 frontend_name fnt
12718 5 backend_name '/' server_name bck/srv1
12719 6 Tw '/' Tc '/' Tt* 0/0/5007
12720 7 bytes_read* 212
12721 8 termination_state --
12722 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
12723 10 srv_queue '/' backend_queue 0/0
12724
12725Detailed fields description :
12726 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012727 connection to haproxy. If the connection was accepted on a UNIX socket
12728 instead, the IP address would be replaced with the word "unix". Note that
12729 when the connection is accepted on a socket configured with "accept-proxy"
12730 and the PROXY protocol is correctly used, then the logs will reflect the
12731 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012732
12733 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012734 If the connection was accepted on a UNIX socket instead, the port would be
12735 replaced with the ID of the accepting socket, which is also reported in the
12736 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012737
12738 - "accept_date" is the exact date when the connection was received by haproxy
12739 (which might be very slightly different from the date observed on the
12740 network if there was some queuing in the system's backlog). This is usually
12741 the same date which may appear in any upstream firewall's log.
12742
12743 - "frontend_name" is the name of the frontend (or listener) which received
12744 and processed the connection.
12745
12746 - "backend_name" is the name of the backend (or listener) which was selected
12747 to manage the connection to the server. This will be the same as the
12748 frontend if no switching rule has been applied, which is common for TCP
12749 applications.
12750
12751 - "server_name" is the name of the last server to which the connection was
12752 sent, which might differ from the first one if there were connection errors
12753 and a redispatch occurred. Note that this server belongs to the backend
12754 which processed the request. If the connection was aborted before reaching
12755 a server, "<NOSRV>" is indicated instead of a server name.
12756
12757 - "Tw" is the total time in milliseconds spent waiting in the various queues.
12758 It can be "-1" if the connection was aborted before reaching the queue.
12759 See "Timers" below for more details.
12760
12761 - "Tc" is the total time in milliseconds spent waiting for the connection to
12762 establish to the final server, including retries. It can be "-1" if the
12763 connection was aborted before a connection could be established. See
12764 "Timers" below for more details.
12765
12766 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012767 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012768 "option logasap" was specified, then the time counting stops at the moment
12769 the log is emitted. In this case, a '+' sign is prepended before the value,
12770 indicating that the final one will be larger. See "Timers" below for more
12771 details.
12772
12773 - "bytes_read" is the total number of bytes transmitted from the server to
12774 the client when the log is emitted. If "option logasap" is specified, the
12775 this value will be prefixed with a '+' sign indicating that the final one
12776 may be larger. Please note that this value is a 64-bit counter, so log
12777 analysis tools must be able to handle it without overflowing.
12778
12779 - "termination_state" is the condition the session was in when the session
12780 ended. This indicates the session state, which side caused the end of
12781 session to happen, and for what reason (timeout, error, ...). The normal
12782 flags should be "--", indicating the session was closed by either end with
12783 no data remaining in buffers. See below "Session state at disconnection"
12784 for more details.
12785
12786 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012787 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012788 limits have been reached. For instance, if actconn is close to 512 when
12789 multiple connection errors occur, chances are high that the system limits
12790 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012791 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012792
12793 - "feconn" is the total number of concurrent connections on the frontend when
12794 the session was logged. It is useful to estimate the amount of resource
12795 required to sustain high loads, and to detect when the frontend's "maxconn"
12796 has been reached. Most often when this value increases by huge jumps, it is
12797 because there is congestion on the backend servers, but sometimes it can be
12798 caused by a denial of service attack.
12799
12800 - "beconn" is the total number of concurrent connections handled by the
12801 backend when the session was logged. It includes the total number of
12802 concurrent connections active on servers as well as the number of
12803 connections pending in queues. It is useful to estimate the amount of
12804 additional servers needed to support high loads for a given application.
12805 Most often when this value increases by huge jumps, it is because there is
12806 congestion on the backend servers, but sometimes it can be caused by a
12807 denial of service attack.
12808
12809 - "srv_conn" is the total number of concurrent connections still active on
12810 the server when the session was logged. It can never exceed the server's
12811 configured "maxconn" parameter. If this value is very often close or equal
12812 to the server's "maxconn", it means that traffic regulation is involved a
12813 lot, meaning that either the server's maxconn value is too low, or that
12814 there aren't enough servers to process the load with an optimal response
12815 time. When only one of the server's "srv_conn" is high, it usually means
12816 that this server has some trouble causing the connections to take longer to
12817 be processed than on other servers.
12818
12819 - "retries" is the number of connection retries experienced by this session
12820 when trying to connect to the server. It must normally be zero, unless a
12821 server is being stopped at the same moment the connection was attempted.
12822 Frequent retries generally indicate either a network problem between
12823 haproxy and the server, or a misconfigured system backlog on the server
12824 preventing new connections from being queued. This field may optionally be
12825 prefixed with a '+' sign, indicating that the session has experienced a
12826 redispatch after the maximal retry count has been reached on the initial
12827 server. In this case, the server name appearing in the log is the one the
12828 connection was redispatched to, and not the first one, though both may
12829 sometimes be the same in case of hashing for instance. So as a general rule
12830 of thumb, when a '+' is present in front of the retry count, this count
12831 should not be attributed to the logged server.
12832
12833 - "srv_queue" is the total number of requests which were processed before
12834 this one in the server queue. It is zero when the request has not gone
12835 through the server queue. It makes it possible to estimate the approximate
12836 server's response time by dividing the time spent in queue by the number of
12837 requests in the queue. It is worth noting that if a session experiences a
12838 redispatch and passes through two server queues, their positions will be
12839 cumulated. A request should not pass through both the server queue and the
12840 backend queue unless a redispatch occurs.
12841
12842 - "backend_queue" is the total number of requests which were processed before
12843 this one in the backend's global queue. It is zero when the request has not
12844 gone through the global queue. It makes it possible to estimate the average
12845 queue length, which easily translates into a number of missing servers when
12846 divided by a server's "maxconn" parameter. It is worth noting that if a
12847 session experiences a redispatch, it may pass twice in the backend's queue,
12848 and then both positions will be cumulated. A request should not pass
12849 through both the server queue and the backend queue unless a redispatch
12850 occurs.
12851
12852
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128538.2.3. HTTP log format
12854----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012855
12856The HTTP format is the most complete and the best suited for HTTP proxies. It
12857is enabled by when "option httplog" is specified in the frontend. It provides
12858the same level of information as the TCP format with additional features which
12859are specific to the HTTP protocol. Just like the TCP format, the log is usually
12860emitted at the end of the session, unless "option logasap" is specified, which
12861generally only makes sense for download sites. A session which matches the
12862"monitor" rules will never logged. It is also possible not to log sessions for
12863which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012864frontend. Successful connections will not be logged if "option dontlog-normal"
12865is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012866
12867Most fields are shared with the TCP log, some being different. A few fields may
12868slightly vary depending on some configuration options. Those ones are marked
12869with a star ('*') after the field name below.
12870
12871 Example :
12872 frontend http-in
12873 mode http
12874 option httplog
12875 log global
12876 default_backend bck
12877
12878 backend static
12879 server srv1 127.0.0.1:8000
12880
12881 >>> Feb 6 12:14:14 localhost \
12882 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
12883 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010012884 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012885
12886 Field Format Extract from the example above
12887 1 process_name '[' pid ']:' haproxy[14389]:
12888 2 client_ip ':' client_port 10.0.1.2:33317
12889 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
12890 4 frontend_name http-in
12891 5 backend_name '/' server_name static/srv1
12892 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
12893 7 status_code 200
12894 8 bytes_read* 2750
12895 9 captured_request_cookie -
12896 10 captured_response_cookie -
12897 11 termination_state ----
12898 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
12899 13 srv_queue '/' backend_queue 0/0
12900 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
12901 15 '{' captured_response_headers* '}' {}
12902 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010012903
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012904
12905Detailed fields description :
12906 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012907 connection to haproxy. If the connection was accepted on a UNIX socket
12908 instead, the IP address would be replaced with the word "unix". Note that
12909 when the connection is accepted on a socket configured with "accept-proxy"
12910 and the PROXY protocol is correctly used, then the logs will reflect the
12911 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012912
12913 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010012914 If the connection was accepted on a UNIX socket instead, the port would be
12915 replaced with the ID of the accepting socket, which is also reported in the
12916 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012917
12918 - "accept_date" is the exact date when the TCP connection was received by
12919 haproxy (which might be very slightly different from the date observed on
12920 the network if there was some queuing in the system's backlog). This is
12921 usually the same date which may appear in any upstream firewall's log. This
12922 does not depend on the fact that the client has sent the request or not.
12923
12924 - "frontend_name" is the name of the frontend (or listener) which received
12925 and processed the connection.
12926
12927 - "backend_name" is the name of the backend (or listener) which was selected
12928 to manage the connection to the server. This will be the same as the
12929 frontend if no switching rule has been applied.
12930
12931 - "server_name" is the name of the last server to which the connection was
12932 sent, which might differ from the first one if there were connection errors
12933 and a redispatch occurred. Note that this server belongs to the backend
12934 which processed the request. If the request was aborted before reaching a
12935 server, "<NOSRV>" is indicated instead of a server name. If the request was
12936 intercepted by the stats subsystem, "<STATS>" is indicated instead.
12937
12938 - "Tq" is the total time in milliseconds spent waiting for the client to send
12939 a full HTTP request, not counting data. It can be "-1" if the connection
12940 was aborted before a complete request could be received. It should always
12941 be very small because a request generally fits in one single packet. Large
12942 times here generally indicate network trouble between the client and
12943 haproxy. See "Timers" below for more details.
12944
12945 - "Tw" is the total time in milliseconds spent waiting in the various queues.
12946 It can be "-1" if the connection was aborted before reaching the queue.
12947 See "Timers" below for more details.
12948
12949 - "Tc" is the total time in milliseconds spent waiting for the connection to
12950 establish to the final server, including retries. It can be "-1" if the
12951 request was aborted before a connection could be established. See "Timers"
12952 below for more details.
12953
12954 - "Tr" is the total time in milliseconds spent waiting for the server to send
12955 a full HTTP response, not counting data. It can be "-1" if the request was
12956 aborted before a complete response could be received. It generally matches
12957 the server's processing time for the request, though it may be altered by
12958 the amount of data sent by the client to the server. Large times here on
12959 "GET" requests generally indicate an overloaded server. See "Timers" below
12960 for more details.
12961
12962 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012963 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012964 "option logasap" was specified, then the time counting stops at the moment
12965 the log is emitted. In this case, a '+' sign is prepended before the value,
12966 indicating that the final one will be larger. See "Timers" below for more
12967 details.
12968
12969 - "status_code" is the HTTP status code returned to the client. This status
12970 is generally set by the server, but it might also be set by haproxy when
12971 the server cannot be reached or when its response is blocked by haproxy.
12972
12973 - "bytes_read" is the total number of bytes transmitted to the client when
12974 the log is emitted. This does include HTTP headers. If "option logasap" is
12975 specified, the this value will be prefixed with a '+' sign indicating that
12976 the final one may be larger. Please note that this value is a 64-bit
12977 counter, so log analysis tools must be able to handle it without
12978 overflowing.
12979
12980 - "captured_request_cookie" is an optional "name=value" entry indicating that
12981 the client had this cookie in the request. The cookie name and its maximum
12982 length are defined by the "capture cookie" statement in the frontend
12983 configuration. The field is a single dash ('-') when the option is not
12984 set. Only one cookie may be captured, it is generally used to track session
12985 ID exchanges between a client and a server to detect session crossing
12986 between clients due to application bugs. For more details, please consult
12987 the section "Capturing HTTP headers and cookies" below.
12988
12989 - "captured_response_cookie" is an optional "name=value" entry indicating
12990 that the server has returned a cookie with its response. The cookie name
12991 and its maximum length are defined by the "capture cookie" statement in the
12992 frontend configuration. The field is a single dash ('-') when the option is
12993 not set. Only one cookie may be captured, it is generally used to track
12994 session ID exchanges between a client and a server to detect session
12995 crossing between clients due to application bugs. For more details, please
12996 consult the section "Capturing HTTP headers and cookies" below.
12997
12998 - "termination_state" is the condition the session was in when the session
12999 ended. This indicates the session state, which side caused the end of
13000 session to happen, for what reason (timeout, error, ...), just like in TCP
13001 logs, and information about persistence operations on cookies in the last
13002 two characters. The normal flags should begin with "--", indicating the
13003 session was closed by either end with no data remaining in buffers. See
13004 below "Session state at disconnection" for more details.
13005
13006 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013007 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013008 limits have been reached. For instance, if actconn is close to 512 or 1024
13009 when multiple connection errors occur, chances are high that the system
13010 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013011 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013012 system.
13013
13014 - "feconn" is the total number of concurrent connections on the frontend when
13015 the session was logged. It is useful to estimate the amount of resource
13016 required to sustain high loads, and to detect when the frontend's "maxconn"
13017 has been reached. Most often when this value increases by huge jumps, it is
13018 because there is congestion on the backend servers, but sometimes it can be
13019 caused by a denial of service attack.
13020
13021 - "beconn" is the total number of concurrent connections handled by the
13022 backend when the session was logged. It includes the total number of
13023 concurrent connections active on servers as well as the number of
13024 connections pending in queues. It is useful to estimate the amount of
13025 additional servers needed to support high loads for a given application.
13026 Most often when this value increases by huge jumps, it is because there is
13027 congestion on the backend servers, but sometimes it can be caused by a
13028 denial of service attack.
13029
13030 - "srv_conn" is the total number of concurrent connections still active on
13031 the server when the session was logged. It can never exceed the server's
13032 configured "maxconn" parameter. If this value is very often close or equal
13033 to the server's "maxconn", it means that traffic regulation is involved a
13034 lot, meaning that either the server's maxconn value is too low, or that
13035 there aren't enough servers to process the load with an optimal response
13036 time. When only one of the server's "srv_conn" is high, it usually means
13037 that this server has some trouble causing the requests to take longer to be
13038 processed than on other servers.
13039
13040 - "retries" is the number of connection retries experienced by this session
13041 when trying to connect to the server. It must normally be zero, unless a
13042 server is being stopped at the same moment the connection was attempted.
13043 Frequent retries generally indicate either a network problem between
13044 haproxy and the server, or a misconfigured system backlog on the server
13045 preventing new connections from being queued. This field may optionally be
13046 prefixed with a '+' sign, indicating that the session has experienced a
13047 redispatch after the maximal retry count has been reached on the initial
13048 server. In this case, the server name appearing in the log is the one the
13049 connection was redispatched to, and not the first one, though both may
13050 sometimes be the same in case of hashing for instance. So as a general rule
13051 of thumb, when a '+' is present in front of the retry count, this count
13052 should not be attributed to the logged server.
13053
13054 - "srv_queue" is the total number of requests which were processed before
13055 this one in the server queue. It is zero when the request has not gone
13056 through the server queue. It makes it possible to estimate the approximate
13057 server's response time by dividing the time spent in queue by the number of
13058 requests in the queue. It is worth noting that if a session experiences a
13059 redispatch and passes through two server queues, their positions will be
13060 cumulated. A request should not pass through both the server queue and the
13061 backend queue unless a redispatch occurs.
13062
13063 - "backend_queue" is the total number of requests which were processed before
13064 this one in the backend's global queue. It is zero when the request has not
13065 gone through the global queue. It makes it possible to estimate the average
13066 queue length, which easily translates into a number of missing servers when
13067 divided by a server's "maxconn" parameter. It is worth noting that if a
13068 session experiences a redispatch, it may pass twice in the backend's queue,
13069 and then both positions will be cumulated. A request should not pass
13070 through both the server queue and the backend queue unless a redispatch
13071 occurs.
13072
13073 - "captured_request_headers" is a list of headers captured in the request due
13074 to the presence of the "capture request header" statement in the frontend.
13075 Multiple headers can be captured, they will be delimited by a vertical bar
13076 ('|'). When no capture is enabled, the braces do not appear, causing a
13077 shift of remaining fields. It is important to note that this field may
13078 contain spaces, and that using it requires a smarter log parser than when
13079 it's not used. Please consult the section "Capturing HTTP headers and
13080 cookies" below for more details.
13081
13082 - "captured_response_headers" is a list of headers captured in the response
13083 due to the presence of the "capture response header" statement in the
13084 frontend. Multiple headers can be captured, they will be delimited by a
13085 vertical bar ('|'). When no capture is enabled, the braces do not appear,
13086 causing a shift of remaining fields. It is important to note that this
13087 field may contain spaces, and that using it requires a smarter log parser
13088 than when it's not used. Please consult the section "Capturing HTTP headers
13089 and cookies" below for more details.
13090
13091 - "http_request" is the complete HTTP request line, including the method,
13092 request and HTTP version string. Non-printable characters are encoded (see
13093 below the section "Non-printable characters"). This is always the last
13094 field, and it is always delimited by quotes and is the only one which can
13095 contain quotes. If new fields are added to the log format, they will be
13096 added before this field. This field might be truncated if the request is
13097 huge and does not fit in the standard syslog buffer (1024 characters). This
13098 is the reason why this field must always remain the last one.
13099
13100
Cyril Bontédc4d9032012-04-08 21:57:39 +0200131018.2.4. Custom log format
13102------------------------
William Lallemand48940402012-01-30 16:47:22 +010013103
Willy Tarreau2beef582012-12-20 17:22:52 +010013104The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010013105mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010013106
13107HAproxy understands some log format variables. % precedes log format variables.
13108Variables can take arguments using braces ('{}'), and multiple arguments are
13109separated by commas within the braces. Flags may be added or removed by
13110prefixing them with a '+' or '-' sign.
13111
13112Special variable "%o" may be used to propagate its flags to all other
13113variables on the same format string. This is particularly handy with quoted
13114string formats ("Q").
13115
Willy Tarreauc8368452012-12-21 00:09:23 +010013116If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020013117as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010013118less common information such as the client's SSL certificate's DN, or to log
13119the key that would be used to store an entry into a stick table.
13120
William Lallemand48940402012-01-30 16:47:22 +010013121Note: spaces must be escaped. A space character is considered as a separator.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013122In order to emit a verbatim '%', it must be preceded by another '%' resulting
Willy Tarreau06d97f92013-12-02 17:45:48 +010013123in '%%'. HAProxy will automatically merge consecutive separators.
William Lallemand48940402012-01-30 16:47:22 +010013124
13125Flags are :
13126 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013127 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +010013128
13129 Example:
13130
13131 log-format %T\ %t\ Some\ Text
13132 log-format %{+Q}o\ %t\ %s\ %{-Q}r
13133
13134At the moment, the default HTTP format is defined this way :
13135
Willy Tarreau2beef582012-12-20 17:22:52 +010013136 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \
13137 %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +010013138
William Lallemandbddd4fd2012-02-27 11:23:10 +010013139the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010013140
Willy Tarreau2beef582012-12-20 17:22:52 +010013141 log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ \
Willy Tarreau773d65f2012-10-12 14:56:11 +020013142 %ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
Willy Tarreau2beef582012-12-20 17:22:52 +010013143 %bc\ %sc\ %rc\ %sq\ %bq\ %CC\ %CS\ \%hrl\ %hsl
William Lallemand48940402012-01-30 16:47:22 +010013144
William Lallemandbddd4fd2012-02-27 11:23:10 +010013145and the default TCP format is defined this way :
13146
Willy Tarreau2beef582012-12-20 17:22:52 +010013147 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
William Lallemandbddd4fd2012-02-27 11:23:10 +010013148 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
13149
William Lallemand48940402012-01-30 16:47:22 +010013150Please refer to the table below for currently defined variables :
13151
William Lallemandbddd4fd2012-02-27 11:23:10 +010013152 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013153 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013154 +---+------+-----------------------------------------------+-------------+
13155 | | %o | special variable, apply flags on all next var | |
13156 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010013157 | | %B | bytes_read (from server to client) | numeric |
13158 | H | %CC | captured_request_cookie | string |
13159 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020013160 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +010013161 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020013162 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020013163 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013164 | | %Tc | Tc | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080013165 | | %Tl | local_date_time | date |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013166 | H | %Tq | Tq | numeric |
13167 | H | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020013168 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013169 | | %Tt | Tt | numeric |
13170 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010013171 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013172 | | %ac | actconn | numeric |
13173 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010013174 | | %bc | beconn (backend concurrent connections) | numeric |
13175 | | %bi | backend_source_ip (connecting address) | IP |
13176 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013177 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010013178 | | %ci | client_ip (accepted address) | IP |
13179 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013180 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010013181 | | %fc | feconn (frontend concurrent connections) | numeric |
13182 | | %fi | frontend_ip (accepting address) | IP |
13183 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020013184 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreau7346acb2014-08-28 15:03:15 +020013185 | | %lc | frontend_log_counter | numeric |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020013186 | | %hr | captured_request_headers default style | string |
13187 | | %hrl | captured_request_headers CLF style | string list |
13188 | | %hs | captured_response_headers default style | string |
13189 | | %hsl | captured_response_headers CLF style | string list |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013190 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020013191 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013192 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013193 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010013194 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013195 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010013196 | | %sc | srv_conn (server concurrent connections) | numeric |
13197 | | %si | server_IP (target address) | IP |
13198 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013199 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013200 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
13201 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010013202 | | %t | date_time (with millisecond resolution) | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013203 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013204 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010013205 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010013206
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020013207 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010013208
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010013209
132108.2.5. Error log format
13211-----------------------
13212
13213When an incoming connection fails due to an SSL handshake or an invalid PROXY
13214protocol header, haproxy will log the event using a shorter, fixed line format.
13215By default, logs are emitted at the LOG_INFO level, unless the option
13216"log-separate-errors" is set in the backend, in which case the LOG_ERR level
13217will be used. Connections on which no data are exchanged (eg: probes) are not
13218logged if the "dontlognull" option is set.
13219
13220The format looks like this :
13221
13222 >>> Dec 3 18:27:14 localhost \
13223 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
13224 Connection error during SSL handshake
13225
13226 Field Format Extract from the example above
13227 1 process_name '[' pid ']:' haproxy[6103]:
13228 2 client_ip ':' client_port 127.0.0.1:56059
13229 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
13230 4 frontend_name "/" bind_name ":" frt/f1:
13231 5 message Connection error during SSL handshake
13232
13233These fields just provide minimal information to help debugging connection
13234failures.
13235
13236
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200132378.3. Advanced logging options
13238-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013239
13240Some advanced logging options are often looked for but are not easy to find out
13241just by looking at the various options. Here is an entry point for the few
13242options which can enable better logging. Please refer to the keywords reference
13243for more information about their usage.
13244
13245
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200132468.3.1. Disabling logging of external tests
13247------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013248
13249It is quite common to have some monitoring tools perform health checks on
13250haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
13251commercial load-balancer, and sometimes it will simply be a more complete
13252monitoring system such as Nagios. When the tests are very frequent, users often
13253ask how to disable logging for those checks. There are three possibilities :
13254
13255 - if connections come from everywhere and are just TCP probes, it is often
13256 desired to simply disable logging of connections without data exchange, by
13257 setting "option dontlognull" in the frontend. It also disables logging of
13258 port scans, which may or may not be desired.
13259
13260 - if the connection come from a known source network, use "monitor-net" to
13261 declare this network as monitoring only. Any host in this network will then
13262 only be able to perform health checks, and their requests will not be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013263 logged. This is generally appropriate to designate a list of equipment
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013264 such as other load-balancers.
13265
13266 - if the tests are performed on a known URI, use "monitor-uri" to declare
13267 this URI as dedicated to monitoring. Any host sending this request will
13268 only get the result of a health-check, and the request will not be logged.
13269
13270
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200132718.3.2. Logging before waiting for the session to terminate
13272----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013273
13274The problem with logging at end of connection is that you have no clue about
13275what is happening during very long sessions, such as remote terminal sessions
13276or large file downloads. This problem can be worked around by specifying
13277"option logasap" in the frontend. Haproxy will then log as soon as possible,
13278just before data transfer begins. This means that in case of TCP, it will still
13279log the connection status to the server, and in case of HTTP, it will log just
13280after processing the server headers. In this case, the number of bytes reported
13281is the number of header bytes sent to the client. In order to avoid confusion
13282with normal logs, the total time field and the number of bytes are prefixed
13283with a '+' sign which means that real numbers are certainly larger.
13284
13285
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200132868.3.3. Raising log level upon errors
13287------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020013288
13289Sometimes it is more convenient to separate normal traffic from errors logs,
13290for instance in order to ease error monitoring from log files. When the option
13291"log-separate-errors" is used, connections which experience errors, timeouts,
13292retries, redispatches or HTTP status codes 5xx will see their syslog level
13293raised from "info" to "err". This will help a syslog daemon store the log in
13294a separate file. It is very important to keep the errors in the normal traffic
13295file too, so that log ordering is not altered. You should also be careful if
13296you already have configured your syslog daemon to store all logs higher than
13297"notice" in an "admin" file, because the "err" level is higher than "notice".
13298
13299
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200133008.3.4. Disabling logging of successful connections
13301--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020013302
13303Although this may sound strange at first, some large sites have to deal with
13304multiple thousands of logs per second and are experiencing difficulties keeping
13305them intact for a long time or detecting errors within them. If the option
13306"dontlog-normal" is set on the frontend, all normal connections will not be
13307logged. In this regard, a normal connection is defined as one without any
13308error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
13309and a response with a status 5xx is not considered normal and will be logged
13310too. Of course, doing is is really discouraged as it will remove most of the
13311useful information from the logs. Do this only if you have no other
13312alternative.
13313
13314
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200133158.4. Timing events
13316------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013317
13318Timers provide a great help in troubleshooting network problems. All values are
13319reported in milliseconds (ms). These timers should be used in conjunction with
13320the session termination flags. In TCP mode with "option tcplog" set on the
13321frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
13322mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
13323
13324 - Tq: total time to get the client request (HTTP mode only). It's the time
13325 elapsed between the moment the client connection was accepted and the
13326 moment the proxy received the last HTTP header. The value "-1" indicates
13327 that the end of headers (empty line) has never been seen. This happens when
13328 the client closes prematurely or times out.
13329
13330 - Tw: total time spent in the queues waiting for a connection slot. It
13331 accounts for backend queue as well as the server queues, and depends on the
13332 queue size, and the time needed for the server to complete previous
13333 requests. The value "-1" means that the request was killed before reaching
13334 the queue, which is generally what happens with invalid or denied requests.
13335
13336 - Tc: total time to establish the TCP connection to the server. It's the time
13337 elapsed between the moment the proxy sent the connection request, and the
13338 moment it was acknowledged by the server, or between the TCP SYN packet and
13339 the matching SYN/ACK packet in return. The value "-1" means that the
13340 connection never established.
13341
13342 - Tr: server response time (HTTP mode only). It's the time elapsed between
13343 the moment the TCP connection was established to the server and the moment
13344 the server sent its complete response headers. It purely shows its request
13345 processing time, without the network overhead due to the data transmission.
13346 It is worth noting that when the client has data to send to the server, for
13347 instance during a POST request, the time already runs, and this can distort
13348 apparent response time. For this reason, it's generally wise not to trust
13349 too much this field for POST requests initiated from clients behind an
13350 untrusted network. A value of "-1" here means that the last the response
13351 header (empty line) was never seen, most likely because the server timeout
13352 stroke before the server managed to process the request.
13353
13354 - Tt: total session duration time, between the moment the proxy accepted it
13355 and the moment both ends were closed. The exception is when the "logasap"
13356 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
13357 prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013358 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013359
13360 Td = Tt - (Tq + Tw + Tc + Tr)
13361
13362 Timers with "-1" values have to be excluded from this equation. In TCP
13363 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
13364 negative.
13365
13366These timers provide precious indications on trouble causes. Since the TCP
13367protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
13368that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013369due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013370close to a timeout value specified in the configuration, it often means that a
13371session has been aborted on timeout.
13372
13373Most common cases :
13374
13375 - If "Tq" is close to 3000, a packet has probably been lost between the
13376 client and the proxy. This is very rare on local networks but might happen
13377 when clients are on far remote networks and send large requests. It may
13378 happen that values larger than usual appear here without any network cause.
13379 Sometimes, during an attack or just after a resource starvation has ended,
13380 haproxy may accept thousands of connections in a few milliseconds. The time
13381 spent accepting these connections will inevitably slightly delay processing
13382 of other connections, and it can happen that request times in the order of
13383 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +020013384 connections have been accepted at once. Setting "option http-server-close"
13385 may display larger request times since "Tq" also measures the time spent
13386 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013387
13388 - If "Tc" is close to 3000, a packet has probably been lost between the
13389 server and the proxy during the server connection phase. This value should
13390 always be very low, such as 1 ms on local networks and less than a few tens
13391 of ms on remote networks.
13392
Willy Tarreau55165fe2009-05-10 12:02:55 +020013393 - If "Tr" is nearly always lower than 3000 except some rare values which seem
13394 to be the average majored by 3000, there are probably some packets lost
13395 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013396
13397 - If "Tt" is large even for small byte counts, it generally is because
13398 neither the client nor the server decides to close the connection, for
13399 instance because both have agreed on a keep-alive connection mode. In order
13400 to solve this issue, it will be needed to specify "option httpclose" on
13401 either the frontend or the backend. If the problem persists, it means that
13402 the server ignores the "close" connection mode and expects the client to
13403 close. Then it will be required to use "option forceclose". Having the
13404 smallest possible 'Tt' is important when connection regulation is used with
13405 the "maxconn" option on the servers, since no new connection will be sent
13406 to the server until another one is released.
13407
13408Other noticeable HTTP log cases ('xx' means any value to be ignored) :
13409
13410 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
13411 was emitted before the data phase. All the timers are valid
13412 except "Tt" which is shorter than reality.
13413
13414 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
13415 or it aborted too early. Check the session termination flags
13416 then "timeout http-request" and "timeout client" settings.
13417
13418 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
13419 servers were out of order, because the request was invalid
13420 or forbidden by ACL rules. Check the session termination
13421 flags.
13422
13423 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
13424 actively refused it or it timed out after Tt-(Tq+Tw) ms.
13425 Check the session termination flags, then check the
13426 "timeout connect" setting. Note that the tarpit action might
13427 return similar-looking patterns, with "Tw" equal to the time
13428 the client connection was maintained open.
13429
13430 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013431 a complete response in time, or it closed its connection
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013432 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
13433 termination flags, then check the "timeout server" setting.
13434
13435
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200134368.5. Session state at disconnection
13437-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013438
13439TCP and HTTP logs provide a session termination indicator in the
13440"termination_state" field, just before the number of active connections. It is
134412-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
13442each of which has a special meaning :
13443
13444 - On the first character, a code reporting the first event which caused the
13445 session to terminate :
13446
13447 C : the TCP session was unexpectedly aborted by the client.
13448
13449 S : the TCP session was unexpectedly aborted by the server, or the
13450 server explicitly refused it.
13451
13452 P : the session was prematurely aborted by the proxy, because of a
13453 connection limit enforcement, because a DENY filter was matched,
13454 because of a security check which detected and blocked a dangerous
13455 error in server response which might have caused information leak
Willy Tarreau570f2212013-06-10 16:42:09 +020013456 (eg: cacheable cookie).
13457
13458 L : the session was locally processed by haproxy and was not passed to
13459 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013460
13461 R : a resource on the proxy has been exhausted (memory, sockets, source
13462 ports, ...). Usually, this appears during the connection phase, and
13463 system logs should contain a copy of the precise error. If this
13464 happens, it must be considered as a very serious anomaly which
13465 should be fixed as soon as possible by any means.
13466
13467 I : an internal error was identified by the proxy during a self-check.
13468 This should NEVER happen, and you are encouraged to report any log
13469 containing this, because this would almost certainly be a bug. It
13470 would be wise to preventively restart the process after such an
13471 event too, in case it would be caused by memory corruption.
13472
Simon Horman752dc4a2011-06-21 14:34:59 +090013473 D : the session was killed by haproxy because the server was detected
13474 as down and was configured to kill all connections when going down.
13475
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070013476 U : the session was killed by haproxy on this backup server because an
13477 active server was detected as up and was configured to kill all
13478 backup connections when going up.
13479
Willy Tarreaua2a64e92011-09-07 23:01:56 +020013480 K : the session was actively killed by an admin operating on haproxy.
13481
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013482 c : the client-side timeout expired while waiting for the client to
13483 send or receive data.
13484
13485 s : the server-side timeout expired while waiting for the server to
13486 send or receive data.
13487
13488 - : normal session completion, both the client and the server closed
13489 with nothing left in the buffers.
13490
13491 - on the second character, the TCP or HTTP session state when it was closed :
13492
Willy Tarreauf7b30a92010-12-06 22:59:17 +010013493 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013494 (HTTP mode only). Nothing was sent to any server.
13495
13496 Q : the proxy was waiting in the QUEUE for a connection slot. This can
13497 only happen when servers have a 'maxconn' parameter set. It can
13498 also happen in the global queue after a redispatch consecutive to
13499 a failed attempt to connect to a dying server. If no redispatch is
13500 reported, then no connection attempt was made to any server.
13501
13502 C : the proxy was waiting for the CONNECTION to establish on the
13503 server. The server might at most have noticed a connection attempt.
13504
13505 H : the proxy was waiting for complete, valid response HEADERS from the
13506 server (HTTP only).
13507
13508 D : the session was in the DATA phase.
13509
13510 L : the proxy was still transmitting LAST data to the client while the
13511 server had already finished. This one is very rare as it can only
13512 happen when the client dies while receiving the last packets.
13513
13514 T : the request was tarpitted. It has been held open with the client
13515 during the whole "timeout tarpit" duration or until the client
13516 closed, both of which will be reported in the "Tw" timer.
13517
13518 - : normal session completion after end of data transfer.
13519
13520 - the third character tells whether the persistence cookie was provided by
13521 the client (only in HTTP mode) :
13522
13523 N : the client provided NO cookie. This is usually the case for new
13524 visitors, so counting the number of occurrences of this flag in the
13525 logs generally indicate a valid trend for the site frequentation.
13526
13527 I : the client provided an INVALID cookie matching no known server.
13528 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020013529 cookies between HTTP/HTTPS sites, persistence conditionally
13530 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013531
13532 D : the client provided a cookie designating a server which was DOWN,
13533 so either "option persist" was used and the client was sent to
13534 this server, or it was not set and the client was redispatched to
13535 another server.
13536
Willy Tarreau996a92c2010-10-13 19:30:47 +020013537 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013538 server.
13539
Willy Tarreau996a92c2010-10-13 19:30:47 +020013540 E : the client provided a valid cookie, but with a last date which was
13541 older than what is allowed by the "maxidle" cookie parameter, so
13542 the cookie is consider EXPIRED and is ignored. The request will be
13543 redispatched just as if there was no cookie.
13544
13545 O : the client provided a valid cookie, but with a first date which was
13546 older than what is allowed by the "maxlife" cookie parameter, so
13547 the cookie is consider too OLD and is ignored. The request will be
13548 redispatched just as if there was no cookie.
13549
Willy Tarreauc89ccb62012-04-05 21:18:22 +020013550 U : a cookie was present but was not used to select the server because
13551 some other server selection mechanism was used instead (typically a
13552 "use-server" rule).
13553
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013554 - : does not apply (no cookie set in configuration).
13555
13556 - the last character reports what operations were performed on the persistence
13557 cookie returned by the server (only in HTTP mode) :
13558
13559 N : NO cookie was provided by the server, and none was inserted either.
13560
13561 I : no cookie was provided by the server, and the proxy INSERTED one.
13562 Note that in "cookie insert" mode, if the server provides a cookie,
13563 it will still be overwritten and reported as "I" here.
13564
Willy Tarreau996a92c2010-10-13 19:30:47 +020013565 U : the proxy UPDATED the last date in the cookie that was presented by
13566 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013567 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020013568 date indicated in the cookie. If any other change happens, such as
13569 a redispatch, then the cookie will be marked as inserted instead.
13570
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013571 P : a cookie was PROVIDED by the server and transmitted as-is.
13572
13573 R : the cookie provided by the server was REWRITTEN by the proxy, which
13574 happens in "cookie rewrite" or "cookie prefix" modes.
13575
13576 D : the cookie provided by the server was DELETED by the proxy.
13577
13578 - : does not apply (no cookie set in configuration).
13579
Willy Tarreau996a92c2010-10-13 19:30:47 +020013580The combination of the two first flags gives a lot of information about what
13581was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013582helpful to detect server saturation, network troubles, local system resource
13583starvation, attacks, etc...
13584
13585The most common termination flags combinations are indicated below. They are
13586alphabetically sorted, with the lowercase set just after the upper case for
13587easier finding and understanding.
13588
13589 Flags Reason
13590
13591 -- Normal termination.
13592
13593 CC The client aborted before the connection could be established to the
13594 server. This can happen when haproxy tries to connect to a recently
13595 dead (or unchecked) server, and the client aborts while haproxy is
13596 waiting for the server to respond or for "timeout connect" to expire.
13597
13598 CD The client unexpectedly aborted during data transfer. This can be
13599 caused by a browser crash, by an intermediate equipment between the
13600 client and haproxy which decided to actively break the connection,
13601 by network routing issues between the client and haproxy, or by a
13602 keep-alive session between the server and the client terminated first
13603 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010013604
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013605 cD The client did not send nor acknowledge any data for as long as the
13606 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020013607 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013608
13609 CH The client aborted while waiting for the server to start responding.
13610 It might be the server taking too long to respond or the client
13611 clicking the 'Stop' button too fast.
13612
13613 cH The "timeout client" stroke while waiting for client data during a
13614 POST request. This is sometimes caused by too large TCP MSS values
13615 for PPPoE networks which cannot transport full-sized packets. It can
13616 also happen when client timeout is smaller than server timeout and
13617 the server takes too long to respond.
13618
13619 CQ The client aborted while its session was queued, waiting for a server
13620 with enough empty slots to accept it. It might be that either all the
13621 servers were saturated or that the assigned server was taking too
13622 long a time to respond.
13623
13624 CR The client aborted before sending a full HTTP request. Most likely
13625 the request was typed by hand using a telnet client, and aborted
13626 too early. The HTTP status code is likely a 400 here. Sometimes this
13627 might also be caused by an IDS killing the connection between haproxy
13628 and the client.
13629
13630 cR The "timeout http-request" stroke before the client sent a full HTTP
13631 request. This is sometimes caused by too large TCP MSS values on the
13632 client side for PPPoE networks which cannot transport full-sized
13633 packets, or by clients sending requests by hand and not typing fast
13634 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020013635 request. The HTTP status code is likely a 408 here. Note: recently,
13636 some browsers such as Google Chrome started to break the deployed Web
13637 infrastructure by aggressively implementing a new "pre-connect"
13638 feature, consisting in sending connections to sites recently visited
13639 without sending any request on them until the user starts to browse
13640 the site. This mechanism causes massive disruption among resource-
13641 limited servers, and causes a lot of 408 errors in HAProxy logs.
13642 Worse, some people report that sometimes the browser displays the 408
13643 error when the user expects to see the actual content (Mozilla fixed
13644 this bug in 2004, while Chrome users continue to report it in 2014),
13645 so in this case, using "errorfile 408 /dev/null" can be used as a
13646 workaround. More information on the subject is available here :
13647 https://bugzilla.mozilla.org/show_bug.cgi?id=248827
13648 https://code.google.com/p/chromium/issues/detail?id=85229
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013649
13650 CT The client aborted while its session was tarpitted. It is important to
13651 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020013652 wrong tarpit rules have been written. If a lot of them happen, it
13653 might make sense to lower the "timeout tarpit" value to something
13654 closer to the average reported "Tw" timer, in order not to consume
13655 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013656
Willy Tarreau570f2212013-06-10 16:42:09 +020013657 LR The request was intercepted and locally handled by haproxy. Generally
13658 it means that this was a redirect or a stats request.
13659
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013660 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013661 the TCP connection (the proxy received a TCP RST or an ICMP message
13662 in return). Under some circumstances, it can also be the network
13663 stack telling the proxy that the server is unreachable (eg: no route,
13664 or no ARP response on local network). When this happens in HTTP mode,
13665 the status code is likely a 502 or 503 here.
13666
13667 sC The "timeout connect" stroke before a connection to the server could
13668 complete. When this happens in HTTP mode, the status code is likely a
13669 503 or 504 here.
13670
13671 SD The connection to the server died with an error during the data
13672 transfer. This usually means that haproxy has received an RST from
13673 the server or an ICMP message from an intermediate equipment while
13674 exchanging data with the server. This can be caused by a server crash
13675 or by a network issue on an intermediate equipment.
13676
13677 sD The server did not send nor acknowledge any data for as long as the
13678 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013679 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013680 load-balancers, ...), as well as keep-alive sessions maintained
13681 between the client and the server expiring first on haproxy.
13682
13683 SH The server aborted before sending its full HTTP response headers, or
13684 it crashed while processing the request. Since a server aborting at
13685 this moment is very rare, it would be wise to inspect its logs to
13686 control whether it crashed and why. The logged request may indicate a
13687 small set of faulty requests, demonstrating bugs in the application.
13688 Sometimes this might also be caused by an IDS killing the connection
13689 between haproxy and the server.
13690
13691 sH The "timeout server" stroke before the server could return its
13692 response headers. This is the most common anomaly, indicating too
13693 long transactions, probably caused by server or database saturation.
13694 The immediate workaround consists in increasing the "timeout server"
13695 setting, but it is important to keep in mind that the user experience
13696 will suffer from these long response times. The only long term
13697 solution is to fix the application.
13698
13699 sQ The session spent too much time in queue and has been expired. See
13700 the "timeout queue" and "timeout connect" settings to find out how to
13701 fix this if it happens too often. If it often happens massively in
13702 short periods, it may indicate general problems on the affected
13703 servers due to I/O or database congestion, or saturation caused by
13704 external attacks.
13705
13706 PC The proxy refused to establish a connection to the server because the
13707 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020013708 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013709 so that it does not happen anymore. This status is very rare and
13710 might happen when the global "ulimit-n" parameter is forced by hand.
13711
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013712 PD The proxy blocked an incorrectly formatted chunked encoded message in
13713 a request or a response, after the server has emitted its headers. In
13714 most cases, this will indicate an invalid message from the server to
Willy Tarreauf3a3e132013-08-31 08:16:26 +020013715 the client. Haproxy supports chunk sizes of up to 2GB - 1 (2147483647
13716 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013717
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013718 PH The proxy blocked the server's response, because it was invalid,
13719 incomplete, dangerous (cache control), or matched a security filter.
13720 In any case, an HTTP 502 error is sent to the client. One possible
13721 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010013722 containing unauthorized characters. It is also possible but quite
13723 rare, that the proxy blocked a chunked-encoding request from the
13724 client due to an invalid syntax, before the server responded. In this
13725 case, an HTTP 400 error is sent to the client and reported in the
13726 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013727
13728 PR The proxy blocked the client's HTTP request, either because of an
13729 invalid HTTP syntax, in which case it returned an HTTP 400 error to
13730 the client, or because a deny filter matched, in which case it
13731 returned an HTTP 403 error.
13732
13733 PT The proxy blocked the client's request and has tarpitted its
13734 connection before returning it a 500 server error. Nothing was sent
13735 to the server. The connection was maintained open for as long as
13736 reported by the "Tw" timer field.
13737
13738 RC A local resource has been exhausted (memory, sockets, source ports)
13739 preventing the connection to the server from establishing. The error
13740 logs will tell precisely what was missing. This is very rare and can
13741 only be solved by proper system tuning.
13742
Willy Tarreau996a92c2010-10-13 19:30:47 +020013743The combination of the two last flags gives a lot of information about how
13744persistence was handled by the client, the server and by haproxy. This is very
13745important to troubleshoot disconnections, when users complain they have to
13746re-authenticate. The commonly encountered flags are :
13747
13748 -- Persistence cookie is not enabled.
13749
13750 NN No cookie was provided by the client, none was inserted in the
13751 response. For instance, this can be in insert mode with "postonly"
13752 set on a GET request.
13753
13754 II A cookie designating an invalid server was provided by the client,
13755 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013756 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020013757 value can be presented by a client when no other server knows it.
13758
13759 NI No cookie was provided by the client, one was inserted in the
13760 response. This typically happens for first requests from every user
13761 in "insert" mode, which makes it an easy way to count real users.
13762
13763 VN A cookie was provided by the client, none was inserted in the
13764 response. This happens for most responses for which the client has
13765 already got a cookie.
13766
13767 VU A cookie was provided by the client, with a last visit date which is
13768 not completely up-to-date, so an updated cookie was provided in
13769 response. This can also happen if there was no date at all, or if
13770 there was a date but the "maxidle" parameter was not set, so that the
13771 cookie can be switched to unlimited time.
13772
13773 EI A cookie was provided by the client, with a last visit date which is
13774 too old for the "maxidle" parameter, so the cookie was ignored and a
13775 new cookie was inserted in the response.
13776
13777 OI A cookie was provided by the client, with a first visit date which is
13778 too old for the "maxlife" parameter, so the cookie was ignored and a
13779 new cookie was inserted in the response.
13780
13781 DI The server designated by the cookie was down, a new server was
13782 selected and a new cookie was emitted in the response.
13783
13784 VI The server designated by the cookie was not marked dead but could not
13785 be reached. A redispatch happened and selected another one, which was
13786 then advertised in the response.
13787
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013788
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137898.6. Non-printable characters
13790-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013791
13792In order not to cause trouble to log analysis tools or terminals during log
13793consulting, non-printable characters are not sent as-is into log files, but are
13794converted to the two-digits hexadecimal representation of their ASCII code,
13795prefixed by the character '#'. The only characters that can be logged without
13796being escaped are comprised between 32 and 126 (inclusive). Obviously, the
13797escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
13798is the same for the character '"' which becomes "#22", as well as '{', '|' and
13799'}' when logging headers.
13800
13801Note that the space character (' ') is not encoded in headers, which can cause
13802issues for tools relying on space count to locate fields. A typical header
13803containing spaces is "User-Agent".
13804
13805Last, it has been observed that some syslog daemons such as syslog-ng escape
13806the quote ('"') with a backslash ('\'). The reverse operation can safely be
13807performed since no quote may appear anywhere else in the logs.
13808
13809
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200138108.7. Capturing HTTP cookies
13811---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013812
13813Cookie capture simplifies the tracking a complete user session. This can be
13814achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013815section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013816cookie will simultaneously be checked in the request ("Cookie:" header) and in
13817the response ("Set-Cookie:" header). The respective values will be reported in
13818the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013819locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013820not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
13821user switches to a new session for example, because the server will reassign it
13822a new cookie. It is also possible to detect if a server unexpectedly sets a
13823wrong cookie to a client, leading to session crossing.
13824
13825 Examples :
13826 # capture the first cookie whose name starts with "ASPSESSION"
13827 capture cookie ASPSESSION len 32
13828
13829 # capture the first cookie whose name is exactly "vgnvisitor"
13830 capture cookie vgnvisitor= len 32
13831
13832
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200138338.8. Capturing HTTP headers
13834---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013835
13836Header captures are useful to track unique request identifiers set by an upper
13837proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
13838the response, one can search for information about the response length, how the
13839server asked the cache to behave, or an object location during a redirection.
13840
13841Header captures are performed using the "capture request header" and "capture
13842response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013843section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013844
13845It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013846time. Non-existent headers are logged as empty strings, and if one header
13847appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013848are grouped within braces '{' and '}' in the same order as they were declared,
13849and delimited with a vertical bar '|' without any space. Response headers
13850follow the same representation, but are displayed after a space following the
13851request headers block. These blocks are displayed just before the HTTP request
13852in the logs.
13853
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020013854As a special case, it is possible to specify an HTTP header capture in a TCP
13855frontend. The purpose is to enable logging of headers which will be parsed in
13856an HTTP backend if the request is then switched to this HTTP backend.
13857
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013858 Example :
13859 # This instance chains to the outgoing proxy
13860 listen proxy-out
13861 mode http
13862 option httplog
13863 option logasap
13864 log global
13865 server cache1 192.168.1.1:3128
13866
13867 # log the name of the virtual server
13868 capture request header Host len 20
13869
13870 # log the amount of data uploaded during a POST
13871 capture request header Content-Length len 10
13872
13873 # log the beginning of the referrer
13874 capture request header Referer len 20
13875
13876 # server name (useful for outgoing proxies only)
13877 capture response header Server len 20
13878
13879 # logging the content-length is useful with "option logasap"
13880 capture response header Content-Length len 10
13881
13882 # log the expected cache behaviour on the response
13883 capture response header Cache-Control len 8
13884
13885 # the Via header will report the next proxy's name
13886 capture response header Via len 20
13887
13888 # log the URL location during a redirection
13889 capture response header Location len 20
13890
13891 >>> Aug 9 20:26:09 localhost \
13892 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
13893 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
13894 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
13895 "GET http://fr.adserver.yahoo.com/"
13896
13897 >>> Aug 9 20:30:46 localhost \
13898 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
13899 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
13900 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013901 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013902
13903 >>> Aug 9 20:30:46 localhost \
13904 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
13905 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
13906 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
13907 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013908 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013909
13910
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200139118.9. Examples of logs
13912---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013913
13914These are real-world examples of logs accompanied with an explanation. Some of
13915them have been made up by hand. The syslog part has been removed for better
13916reading. Their sole purpose is to explain how to decipher them.
13917
13918 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
13919 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
13920 "HEAD / HTTP/1.0"
13921
13922 => long request (6.5s) entered by hand through 'telnet'. The server replied
13923 in 147 ms, and the session ended normally ('----')
13924
13925 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
13926 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
13927 0/9 "HEAD / HTTP/1.0"
13928
13929 => Idem, but the request was queued in the global queue behind 9 other
13930 requests, and waited there for 1230 ms.
13931
13932 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
13933 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
13934 "GET /image.iso HTTP/1.0"
13935
13936 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013937 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013938 14 ms, 243 bytes of headers were sent to the client, and total time from
13939 accept to first data byte is 30 ms.
13940
13941 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
13942 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
13943 "GET /cgi-bin/bug.cgi? HTTP/1.0"
13944
13945 => the proxy blocked a server response either because of an "rspdeny" or
13946 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020013947 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013948 risked being cached. In this case, the response is replaced with a "502
13949 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
13950 to return the 502 and not the server.
13951
13952 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013953 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013954
13955 => the client never completed its request and aborted itself ("C---") after
13956 8.5s, while the proxy was waiting for the request headers ("-R--").
13957 Nothing was sent to any server.
13958
13959 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
13960 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
13961
13962 => The client never completed its request, which was aborted by the
13963 time-out ("c---") after 50s, while the proxy was waiting for the request
13964 headers ("-R--"). Nothing was sent to any server, but the proxy could
13965 send a 408 return code to the client.
13966
13967 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
13968 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
13969
13970 => This log was produced with "option tcplog". The client timed out after
13971 5 seconds ("c----").
13972
13973 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
13974 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013975 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013976
13977 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013978 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013979 (config says 'retries 3'), and no redispatch (otherwise we would have
13980 seen "/+3"). Status code 503 was returned to the client. There were 115
13981 connections on this server, 202 connections on this proxy, and 205 on
13982 the global process. It is possible that the server refused the
13983 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013984
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013985
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200139869. Statistics and monitoring
13987----------------------------
13988
13989It is possible to query HAProxy about its status. The most commonly used
13990mechanism is the HTTP statistics page. This page also exposes an alternative
13991CSV output format for monitoring tools. The same format is provided on the
13992Unix socket.
13993
13994
139959.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013996---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013997
Willy Tarreau7f062c42009-03-05 18:43:00 +010013998The statistics may be consulted either from the unix socket or from the HTTP
Willy Tarreaua3310dc2014-06-16 15:43:21 +020013999page. Both means provide a CSV format whose fields follow. The first line
14000begins with a sharp ('#') and has one word per comma-delimited field which
14001represents the title of the column. All other lines starting at the second one
14002use a classical CSV format using a comma as the delimiter, and the double quote
14003('"') as an optional text delimiter, but only if the enclosed text is ambiguous
14004(if it contains a quote or a comma). The double-quote character ('"') in the
14005text is doubled ('""'), which is the format that most tools recognize. Please
14006do not insert any column before these ones in order not to break tools which
14007use hard-coded column positions.
Willy Tarreau7f062c42009-03-05 18:43:00 +010014008
James Westbyebe62d62014-07-08 10:14:57 -040014009In brackets after each field name are the types which may have a value for
14010that field. The types are L (Listeners), F (Frontends), B (Backends), and
14011S (Servers).
14012
14013 0. pxname [LFBS]: proxy name
14014 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
14015 any name for server/listener)
14016 2. qcur [..BS]: current queued requests. For the backend this reports the
14017 number queued without a server assigned.
14018 3. qmax [..BS]: max value of qcur
14019 4. scur [LFBS]: current sessions
14020 5. smax [LFBS]: max sessions
14021 6. slim [LFBS]: configured session limit
14022 7. stot [LFBS]: cumulative number of connections
14023 8. bin [LFBS]: bytes in
14024 9. bout [LFBS]: bytes out
14025 10. dreq [LFB.]: requests denied because of security concerns.
14026 - For tcp this is because of a matched tcp-request content rule.
14027 - For http this is because of a matched http-request or tarpit rule.
14028 11. dresp [LFBS]: responses denied because of security concerns.
14029 - For http this is because of a matched http-request rule, or
14030 "option checkcache".
14031 12. ereq [LF..]: request errors. Some of the possible causes are:
14032 - early termination from the client, before the request has been sent.
14033 - read error from the client
14034 - client timeout
14035 - client closed connection
14036 - various bad requests from the client.
14037 - request was tarpitted.
14038 13. econ [..BS]: number of requests that encountered an error trying to
14039 connect to a backend server. The backend stat is the sum of the stat
14040 for all servers of that backend, plus any connection errors not
14041 associated with a particular server (such as the backend having no
14042 active servers).
14043 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
14044 Some other errors are:
14045 - write error on the client socket (won't be counted for the server stat)
14046 - failure applying filters to the response.
14047 15. wretr [..BS]: number of times a connection to a server was retried.
14048 16. wredis [..BS]: number of times a request was redispatched to another
14049 server. The server value counts the number of times that server was
14050 switched away from.
14051 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
14052 18. weight [..BS]: server weight (server), total weight (backend)
14053 19. act [..BS]: server is active (server), number of active servers (backend)
14054 20. bck [..BS]: server is backup (server), number of backup servers (backend)
14055 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
14056 the server is up.)
14057 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
14058 transitions to the whole backend being down, rather than the sum of the
14059 counters for each server.
14060 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
14061 24. downtime [..BS]: total downtime (in seconds). The value for the backend
14062 is the downtime for the whole backend, not the sum of the server downtime.
14063 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
14064 value is 0 (default, meaning no limit)
14065 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
14066 27. iid [LFBS]: unique proxy id
14067 28. sid [L..S]: server id (unique inside a proxy)
14068 29. throttle [...S]: current throttle percentage for the server, when
14069 slowstart is active, or no value if not in slowstart.
14070 30. lbtot [..BS]: total number of times a server was selected, either for new
14071 sessions, or when re-dispatching. The server counter is the number
14072 of times that server was selected.
14073 31. tracked [...S]: id of proxy/server if tracking is enabled.
14074 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
14075 33. rate [.FBS]: number of sessions per second over last elapsed second
14076 34. rate_lim [.F..]: configured limit on new sessions per second
14077 35. rate_max [.FBS]: max number of new sessions per second
14078 36. check_status [...S]: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010014079 UNK -> unknown
14080 INI -> initializing
14081 SOCKERR -> socket error
14082 L4OK -> check passed on layer 4, no upper layers testing enabled
14083 L4TMOUT -> layer 1-4 timeout
14084 L4CON -> layer 1-4 connection problem, for example
14085 "Connection refused" (tcp rst) or "No route to host" (icmp)
14086 L6OK -> check passed on layer 6
14087 L6TOUT -> layer 6 (SSL) timeout
14088 L6RSP -> layer 6 invalid response - protocol error
14089 L7OK -> check passed on layer 7
14090 L7OKC -> check conditionally passed on layer 7, for example 404 with
14091 disable-on-404
14092 L7TOUT -> layer 7 (HTTP/SMTP) timeout
14093 L7RSP -> layer 7 invalid response - protocol error
14094 L7STS -> layer 7 response error, for example HTTP 5xx
James Westbyebe62d62014-07-08 10:14:57 -040014095 37. check_code [...S]: layer5-7 code, if available
14096 38. check_duration [...S]: time in ms took to finish last health check
14097 39. hrsp_1xx [.FBS]: http responses with 1xx code
14098 40. hrsp_2xx [.FBS]: http responses with 2xx code
14099 41. hrsp_3xx [.FBS]: http responses with 3xx code
14100 42. hrsp_4xx [.FBS]: http responses with 4xx code
14101 43. hrsp_5xx [.FBS]: http responses with 5xx code
14102 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
14103 45. hanafail [...S]: failed health checks details
14104 46. req_rate [.F..]: HTTP requests per second over last elapsed second
14105 47. req_rate_max [.F..]: max number of HTTP requests per second observed
14106 48. req_tot [.F..]: total number of HTTP requests received
14107 49. cli_abrt [..BS]: number of data transfers aborted by the client
14108 50. srv_abrt [..BS]: number of data transfers aborted by the server
14109 (inc. in eresp)
14110 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
14111 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
14112 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
14113 (CPU/BW limit)
14114 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
14115 55. lastsess [..BS]: number of seconds since last session assigned to
14116 server/backend
14117 56. last_chk [...S]: last health check contents or textual error
14118 57. last_agt [...S]: last agent check contents or textual error
14119 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
14120 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
14121 60. rtime [..BS]: the average response time in ms over the 1024 last requests
14122 (0 for TCP)
14123 61. ttime [..BS]: the average total session time in ms over the 1024 last
14124 requests
Willy Tarreau844e3c52008-01-11 16:28:18 +010014125
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014126
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200141279.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014128-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010014129
Willy Tarreau468f4932013-08-01 16:50:16 +020014130The stats socket is not enabled by default. In order to enable it, it is
14131necessary to add one line in the global section of the haproxy configuration.
14132A second line is recommended to set a larger timeout, always appreciated when
14133issuing commands by hand :
14134
14135 global
14136 stats socket /var/run/haproxy.sock mode 600 level admin
14137 stats timeout 2m
14138
14139It is also possible to add multiple instances of the stats socket by repeating
14140the line, and make them listen to a TCP port instead of a UNIX socket. This is
14141never done by default because this is dangerous, but can be handy in some
14142situations :
14143
14144 global
14145 stats socket /var/run/haproxy.sock mode 600 level admin
14146 stats socket ipv4@192.168.0.1:9999 level admin
14147 stats timeout 2m
14148
14149To access the socket, an external utility such as "socat" is required. Socat is a
14150swiss-army knife to connect anything to anything. We use it to connect terminals
14151to the socket, or a couple of stdin/stdout pipes to it for scripts. The two main
14152syntaxes we'll use are the following :
14153
14154 # socat /var/run/haproxy.sock stdio
14155 # socat /var/run/haproxy.sock readline
14156
14157The first one is used with scripts. It is possible to send the output of a
14158script to haproxy, and pass haproxy's output to another script. That's useful
14159for retrieving counters or attack traces for example.
14160
14161The second one is only useful for issuing commands by hand. It has the benefit
14162that the terminal is handled by the readline library which supports line
14163editing and history, which is very convenient when issuing repeated commands
14164(eg: watch a counter).
14165
14166The socket supports two operation modes :
14167 - interactive
14168 - non-interactive
14169
14170The non-interactive mode is the default when socat connects to the socket. In
14171this mode, a single line may be sent. It is processed as a whole, responses are
14172sent back, and the connection closes after the end of the response. This is the
14173mode that scripts and monitoring tools use. It is possible to send multiple
14174commands in this mode, they need to be delimited by a semi-colon (';'). For
14175example :
14176
14177 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
14178
14179The interactive mode displays a prompt ('>') and waits for commands to be
14180entered on the line, then processes them, and displays the prompt again to wait
14181for a new command. This mode is entered via the "prompt" command which must be
14182sent on the first line in non-interactive mode. The mode is a flip switch, if
14183"prompt" is sent in interactive mode, it is disabled and the connection closes
14184after processing the last command of the same line.
14185
14186For this reason, when debugging by hand, it's quite common to start with the
14187"prompt" command :
14188
14189 # socat /var/run/haproxy readline
14190 prompt
14191 > show info
14192 ...
14193 >
14194
14195Since multiple commands may be issued at once, haproxy uses the empty line as a
14196delimiter to mark an end of output for each command, and takes care of ensuring
14197that no command can emit an empty line on output. A script can thus easily
14198parse the output even when multiple commands were pipelined on a single line.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014199
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014200It is important to understand that when multiple haproxy processes are started
14201on the same sockets, any process may pick up the request and will output its
14202own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014203
Willy Tarreau468f4932013-08-01 16:50:16 +020014204The list of commands currently supported on the stats socket is provided below.
14205If an unknown command is sent, haproxy displays the usage message which reminds
14206all supported commands. Some commands support a more complex syntax, generally
14207it will explain what part of the command is invalid when this happens.
14208
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014209add acl <acl> <pattern>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014210 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
14211 "show acl". This command does not verify if the entry already exists. This
14212 command cannot be used if the reference <acl> is a file also used with a map.
14213 In this case, you must use the command "add map" in place of "add acl".
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014214
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014215add map <map> <key> <value>
14216 Add an entry into the map <map> to associate the value <value> to the key
14217 <key>. This command does not verify if the entry already exists. It is
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014218 mainly used to fill a map after a clear operation. Note that if the reference
14219 <map> is a file and is shared with a map, this map will contain also a new
14220 pattern entry.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014221
Willy Tarreaud63335a2010-02-26 12:56:52 +010014222clear counters
14223 Clear the max values of the statistics counters in each proxy (frontend &
14224 backend) and in each server. The cumulated counters are not affected. This
14225 can be used to get clean counters after an incident, without having to
14226 restart nor to clear traffic counters. This command is restricted and can
14227 only be issued on sockets configured for levels "operator" or "admin".
14228
14229clear counters all
14230 Clear all statistics counters in each proxy (frontend & backend) and in each
14231 server. This has the same effect as restarting. This command is restricted
14232 and can only be issued on sockets configured for level "admin".
14233
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014234clear acl <acl>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014235 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
14236 returned by "show acl". Note that if the reference <acl> is a file and is
14237 shared with a map, this map will be also cleared.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014238
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014239clear map <map>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014240 Remove all entries from the map <map>. <map> is the #<id> or the <file>
14241 returned by "show map". Note that if the reference <map> is a file and is
14242 shared with a acl, this acl will be also cleared.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014243
Simon Hormanc88b8872011-06-15 15:18:49 +090014244clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
14245 Remove entries from the stick-table <table>.
14246
14247 This is typically used to unblock some users complaining they have been
14248 abusively denied access to a service, but this can also be used to clear some
14249 stickiness entries matching a server that is going to be replaced (see "show
14250 table" below for details). Note that sometimes, removal of an entry will be
14251 refused because it is currently tracked by a session. Retrying a few seconds
14252 later after the session ends is usual enough.
14253
14254 In the case where no options arguments are given all entries will be removed.
14255
14256 When the "data." form is used entries matching a filter applied using the
14257 stored data (see "stick-table" in section 4.2) are removed. A stored data
14258 type must be specified in <type>, and this data type must be stored in the
14259 table otherwise an error is reported. The data is compared according to
14260 <operator> with the 64-bit integer <value>. Operators are the same as with
14261 the ACLs :
14262
14263 - eq : match entries whose data is equal to this value
14264 - ne : match entries whose data is not equal to this value
14265 - le : match entries whose data is less than or equal to this value
14266 - ge : match entries whose data is greater than or equal to this value
14267 - lt : match entries whose data is less than this value
14268 - gt : match entries whose data is greater than this value
14269
14270 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090014271 same type as the table, which currently is limited to IPv4, IPv6, integer and
14272 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014273
14274 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014275 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020014276 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014277 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
14278 bytes_out_rate(60000)=187
14279 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14280 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014281
14282 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
14283
14284 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020014285 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020014286 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14287 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090014288 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
14289 $ echo "show table http_proxy" | socat stdio /tmp/sock1
14290 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014291
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014292del acl <acl> [<key>|#<ref>]
14293 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014294 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
14295 this command delete only the listed reference. The reference can be found with
14296 listing the content of the acl. Note that if the reference <acl> is a file and
14297 is shared with a map, the entry will be also deleted in the map.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014298
14299del map <map> [<key>|#<ref>]
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010014300 Delete all the map entries from the map <map> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014301 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
14302 this command delete only the listed reference. The reference can be found with
14303 listing the content of the map. Note that if the reference <map> is a file and
14304 is shared with a acl, the entry will be also deleted in the map.
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010014305
14306disable agent <backend>/<server>
Simon Horman671b6f02013-11-25 10:46:39 +090014307 Mark the auxiliary agent check as temporarily stopped.
14308
14309 In the case where an agent check is being run as a auxiliary check, due
14310 to the agent-check parameter of a server directive, new checks are only
14311 initialised when the agent is in the enabled. Thus, disable agent will
14312 prevent any new agent checks from begin initiated until the agent
14313 re-enabled using enable agent.
14314
14315 When an agent is disabled the processing of an auxiliary agent check that
14316 was initiated while the agent was set as enabled is as follows: All
14317 results that would alter the weight, specifically "drain" or a weight
14318 returned by the agent, are ignored. The processing of agent check is
14319 otherwise unchanged.
14320
14321 The motivation for this feature is to allow the weight changing effects
14322 of the agent checks to be paused to allow the weight of a server to be
14323 configured using set weight without being overridden by the agent.
14324
14325 This command is restricted and can only be issued on sockets configured for
14326 level "admin".
14327
Willy Tarreau532a4502011-09-07 22:37:44 +020014328disable frontend <frontend>
14329 Mark the frontend as temporarily stopped. This corresponds to the mode which
14330 is used during a soft restart : the frontend releases the port but can be
14331 enabled again if needed. This should be used with care as some non-Linux OSes
14332 are unable to enable it back. This is intended to be used in environments
14333 where stopping a proxy is not even imaginable but a misconfigured proxy must
14334 be fixed. That way it's possible to release the port and bind it into another
14335 process to restore operations. The frontend will appear with status "STOP"
14336 on the stats page.
14337
14338 The frontend may be specified either by its name or by its numeric ID,
14339 prefixed with a sharp ('#').
14340
14341 This command is restricted and can only be issued on sockets configured for
14342 level "admin".
14343
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020014344disable health <backend>/<server>
14345 Mark the primary health check as temporarily stopped. This will disable
14346 sending of health checks, and the last health check result will be ignored.
14347 The server will be in unchecked state and considered UP unless an auxiliary
14348 agent check forces it down.
14349
14350 This command is restricted and can only be issued on sockets configured for
14351 level "admin".
14352
Willy Tarreaud63335a2010-02-26 12:56:52 +010014353disable server <backend>/<server>
14354 Mark the server DOWN for maintenance. In this mode, no more checks will be
14355 performed on the server until it leaves maintenance.
14356 If the server is tracked by other servers, those servers will be set to DOWN
14357 during the maintenance.
14358
14359 In the statistics page, a server DOWN for maintenance will appear with a
14360 "MAINT" status, its tracking servers with the "MAINT(via)" one.
14361
14362 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020014363 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014364
14365 This command is restricted and can only be issued on sockets configured for
14366 level "admin".
14367
Simon Horman671b6f02013-11-25 10:46:39 +090014368enable agent <backend>/<server>
14369 Resume auxiliary agent check that was temporarily stopped.
14370
14371 See "disable agent" for details of the effect of temporarily starting
14372 and stopping an auxiliary agent.
14373
14374 This command is restricted and can only be issued on sockets configured for
14375 level "admin".
14376
Willy Tarreau532a4502011-09-07 22:37:44 +020014377enable frontend <frontend>
14378 Resume a frontend which was temporarily stopped. It is possible that some of
14379 the listening ports won't be able to bind anymore (eg: if another process
14380 took them since the 'disable frontend' operation). If this happens, an error
14381 is displayed. Some operating systems might not be able to resume a frontend
14382 which was disabled.
14383
14384 The frontend may be specified either by its name or by its numeric ID,
14385 prefixed with a sharp ('#').
14386
14387 This command is restricted and can only be issued on sockets configured for
14388 level "admin".
14389
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020014390enable health <backend>/<server>
14391 Resume a primary health check that was temporarily stopped. This will enable
14392 sending of health checks again. Please see "disable health" for details.
14393
14394 This command is restricted and can only be issued on sockets configured for
14395 level "admin".
14396
Willy Tarreaud63335a2010-02-26 12:56:52 +010014397enable server <backend>/<server>
14398 If the server was previously marked as DOWN for maintenance, this marks the
14399 server UP and checks are re-enabled.
14400
14401 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020014402 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014403
14404 This command is restricted and can only be issued on sockets configured for
14405 level "admin".
14406
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010014407get map <map> <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014408get acl <acl> <value>
14409 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
14410 are the #<id> or the <file> returned by "show map" or "show acl". This command
14411 returns all the matching patterns associated with this map. This is useful for
14412 debugging maps and ACLs. The output format is composed by one line par
14413 matching type. Each line is composed by space-delimited series of words.
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010014414
14415 The first two words are:
14416
14417 <match method>: The match method applied. It can be "found", "bool",
14418 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
14419 "dom", "end" or "reg".
14420
14421 <match result>: The result. Can be "match" or "no-match".
14422
14423 The following words are returned only if the pattern matches an entry.
14424
14425 <index type>: "tree" or "list". The internal lookup algorithm.
14426
14427 <case>: "case-insensitive" or "case-sensitive". The
14428 interpretation of the case.
14429
14430 <entry matched>: match="<entry>". Return the matched pattern. It is
14431 useful with regular expressions.
14432
14433 The two last word are used to show the returned value and its type. With the
14434 "acl" case, the pattern doesn't exist.
14435
14436 return=nothing: No return because there are no "map".
14437 return="<value>": The value returned in the string format.
14438 return=cannot-display: The value cannot be converted as string.
14439
14440 type="<type>": The type of the returned sample.
14441
Willy Tarreaud63335a2010-02-26 12:56:52 +010014442get weight <backend>/<server>
14443 Report the current weight and the initial weight of server <server> in
14444 backend <backend> or an error if either doesn't exist. The initial weight is
14445 the one that appears in the configuration file. Both are normally equal
14446 unless the current weight has been changed. Both the backend and the server
14447 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020014448 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014449
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014450help
14451 Print the list of known keywords and their basic usage. The same help screen
14452 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010014453
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014454prompt
14455 Toggle the prompt at the beginning of the line and enter or leave interactive
14456 mode. In interactive mode, the connection is not closed after a command
14457 completes. Instead, the prompt will appear again, indicating the user that
14458 the interpreter is waiting for a new command. The prompt consists in a right
14459 angle bracket followed by a space "> ". This mode is particularly convenient
14460 when one wants to periodically check information such as stats or errors.
14461 It is also a good idea to enter interactive mode before issuing a "help"
14462 command.
14463
14464quit
14465 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010014466
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014467set map <map> [<key>|#<ref>] <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014468 Modify the value corresponding to each key <key> in a map <map>. <map> is the
14469 #<id> or <file> returned by "show map". If the <ref> is used in place of
14470 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014471
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020014472set maxconn frontend <frontend> <value>
Willy Tarreau3c7a79d2012-09-26 21:07:15 +020014473 Dynamically change the specified frontend's maxconn setting. Any positive
14474 value is allowed including zero, but setting values larger than the global
14475 maxconn does not make much sense. If the limit is increased and connections
14476 were pending, they will immediately be accepted. If it is lowered to a value
14477 below the current number of connections, new connections acceptation will be
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020014478 delayed until the threshold is reached. The frontend might be specified by
14479 either its name or its numeric ID prefixed with a sharp ('#').
14480
Willy Tarreau91886b62011-09-07 14:38:31 +020014481set maxconn global <maxconn>
14482 Dynamically change the global maxconn setting within the range defined by the
14483 initial global maxconn setting. If it is increased and connections were
14484 pending, they will immediately be accepted. If it is lowered to a value below
14485 the current number of connections, new connections acceptation will be
14486 delayed until the threshold is reached. A value of zero restores the initial
14487 setting.
14488
Willy Tarreauf5b22872011-09-07 16:13:44 +020014489set rate-limit connections global <value>
14490 Change the process-wide connection rate limit, which is set by the global
14491 'maxconnrate' setting. A value of zero disables the limitation. This limit
14492 applies to all frontends and the change has an immediate effect. The value
14493 is passed in number of connections per second.
14494
William Lallemandd85f9172012-11-09 17:05:39 +010014495set rate-limit http-compression global <value>
14496 Change the maximum input compression rate, which is set by the global
14497 'maxcomprate' setting. A value of zero disables the limitation. The value is
William Lallemand096f5542012-11-19 17:26:05 +010014498 passed in number of kilobytes per second. The value is available in the "show
14499 info" on the line "CompressBpsRateLim" in bytes.
William Lallemandd85f9172012-11-09 17:05:39 +010014500
Willy Tarreau93e7c002013-10-07 18:51:07 +020014501set rate-limit sessions global <value>
14502 Change the process-wide session rate limit, which is set by the global
14503 'maxsessrate' setting. A value of zero disables the limitation. This limit
14504 applies to all frontends and the change has an immediate effect. The value
14505 is passed in number of sessions per second.
14506
Willy Tarreaue43d5322013-10-07 20:01:52 +020014507set rate-limit ssl-sessions global <value>
14508 Change the process-wide SSL session rate limit, which is set by the global
14509 'maxsslrate' setting. A value of zero disables the limitation. This limit
14510 applies to all frontends and the change has an immediate effect. The value
14511 is passed in number of sessions per second sent to the SSL stack. It applies
14512 before the handshake in order to protect the stack against handshake abuses.
14513
Willy Tarreau2a4b70f2014-05-22 18:42:35 +020014514set server <backend>/<server> agent [ up | down ]
14515 Force a server's agent to a new state. This can be useful to immediately
14516 switch a server's state regardless of some slow agent checks for example.
14517 Note that the change is propagated to tracking servers if any.
14518
14519set server <backend>/<server> health [ up | stopping | down ]
14520 Force a server's health to a new state. This can be useful to immediately
14521 switch a server's state regardless of some slow health checks for example.
14522 Note that the change is propagated to tracking servers if any.
14523
14524set server <backend>/<server> state [ ready | drain | maint ]
14525 Force a server's administrative state to a new state. This can be useful to
14526 disable load balancing and/or any traffic to a server. Setting the state to
14527 "ready" puts the server in normal mode, and the command is the equivalent of
14528 the "enable server" command. Setting the state to "maint" disables any traffic
14529 to the server as well as any health checks. This is the equivalent of the
14530 "disable server" command. Setting the mode to "drain" only removes the server
14531 from load balancing but still allows it to be checked and to accept new
14532 persistent connections. Changes are propagated to tracking servers if any.
14533
14534set server <backend>/<server> weight <weight>[%]
14535 Change a server's weight to the value passed in argument. This is the exact
14536 equivalent of the "set weight" command below.
14537
Emeric Brun4147b2e2014-06-16 18:36:30 +020014538set ssl ocsp-response <response>
14539 This command is used to update an OCSP Response for a certificate (see "crt"
14540 on "bind" lines). Same controls are performed as during the initial loading of
14541 the response. The <response> must be passed as a base64 encoded string of the
14542 DER encoded response from the OCSP server.
14543
14544 Example:
14545 openssl ocsp -issuer issuer.pem -cert server.pem \
14546 -host ocsp.issuer.com:80 -respout resp.der
14547 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
14548 socat stdio /var/run/haproxy.stat
14549
Willy Tarreau47060b62013-08-01 21:11:42 +020014550set table <table> key <key> [data.<data_type> <value>]*
Willy Tarreau654694e2012-06-07 01:03:16 +020014551 Create or update a stick-table entry in the table. If the key is not present,
14552 an entry is inserted. See stick-table in section 4.2 to find all possible
14553 values for <data_type>. The most likely use consists in dynamically entering
14554 entries for source IP addresses, with a flag in gpc0 to dynamically block an
Willy Tarreau47060b62013-08-01 21:11:42 +020014555 IP address or affect its quality of service. It is possible to pass multiple
14556 data_types in a single call.
Willy Tarreau654694e2012-06-07 01:03:16 +020014557
Willy Tarreaud63335a2010-02-26 12:56:52 +010014558set timeout cli <delay>
14559 Change the CLI interface timeout for current connection. This can be useful
14560 during long debugging sessions where the user needs to constantly inspect
14561 some indicators without being disconnected. The delay is passed in seconds.
14562
14563set weight <backend>/<server> <weight>[%]
14564 Change a server's weight to the value passed in argument. If the value ends
14565 with the '%' sign, then the new weight will be relative to the initially
Simon Horman58b5d292013-02-12 10:45:52 +090014566 configured weight. Absolute weights are permitted between 0 and 256.
14567 Relative weights must be positive with the resulting absolute weight is
14568 capped at 256. Servers which are part of a farm running a static
14569 load-balancing algorithm have stricter limitations because the weight
14570 cannot change once set. Thus for these servers, the only accepted values
14571 are 0 and 100% (or 0 and the initial weight). Changes take effect
14572 immediately, though certain LB algorithms require a certain amount of
14573 requests to consider changes. A typical usage of this command is to
14574 disable a server during an update by setting its weight to zero, then to
14575 enable it again after the update by setting it back to 100%. This command
14576 is restricted and can only be issued on sockets configured for level
14577 "admin". Both the backend and the server may be specified either by their
14578 name or by their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010014579
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014580show errors [<iid>]
14581 Dump last known request and response errors collected by frontends and
14582 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020014583 either frontend or backend whose ID is <iid>. This command is restricted
14584 and can only be issued on sockets configured for levels "operator" or
14585 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014586
14587 The errors which may be collected are the last request and response errors
14588 caused by protocol violations, often due to invalid characters in header
14589 names. The report precisely indicates what exact character violated the
14590 protocol. Other important information such as the exact date the error was
14591 detected, frontend and backend names, the server name (when known), the
14592 internal session ID and the source address which has initiated the session
14593 are reported too.
14594
14595 All characters are returned, and non-printable characters are encoded. The
14596 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
14597 letter following a backslash. The backslash itself is encoded as '\\' to
14598 avoid confusion. Other non-printable characters are encoded '\xNN' where
14599 NN is the two-digits hexadecimal representation of the character's ASCII
14600 code.
14601
14602 Lines are prefixed with the position of their first character, starting at 0
14603 for the beginning of the buffer. At most one input line is printed per line,
14604 and large lines will be broken into multiple consecutive output lines so that
14605 the output never goes beyond 79 characters wide. It is easy to detect if a
14606 line was broken, because it will not end with '\n' and the next line's offset
14607 will be followed by a '+' sign, indicating it is a continuation of previous
14608 line.
14609
14610 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014611 $ echo "show errors" | socat stdio /tmp/sock1
14612 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014613 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
14614 response length 213 bytes, error at position 23:
14615
14616 00000 HTTP/1.0 200 OK\r\n
14617 00017 header/bizarre:blah\r\n
14618 00038 Location: blah\r\n
14619 00054 Long-line: this is a very long line which should b
14620 00104+ e broken into multiple lines on the output buffer,
14621 00154+ otherwise it would be too large to print in a ter
14622 00204+ minal\r\n
14623 00211 \r\n
14624
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014625 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010014626 ID 2 has blocked an invalid response from its server s2 which has internal
14627 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
14628 received by frontend fe-eth0 whose ID is 1. The total response length was
14629 213 bytes when the error was detected, and the error was at byte 23. This
14630 is the slash ('/') in header name "header/bizarre", which is not a valid
14631 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010014632
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014633show info
14634 Dump info about haproxy status on current process.
14635
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014636show map [<map>]
14637 Dump info about map converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014638 maps is returned. If a <map> is specified, its contents are dumped. <map> is
14639 the #<id> or <file>. The first column is a unique identifier. It can be used
14640 as reference for the operation "del map" and "set map". The second column is
14641 the pattern and the third column is the sample if available. The data returned
14642 are not directly a list of available maps, but are the list of all patterns
14643 composing any map. Many of these patterns can be shared with ACL.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010014644
14645show acl [<acl>]
14646 Dump info about acl converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010014647 acls is returned. If a <acl> is specified, its contents are dumped. <acl> if
14648 the #<id> or <file>. The dump format is the same than the map even for the
14649 sample value. The data returned are not a list of available ACL, but are the
14650 list of all patterns composing any ACL. Many of these patterns can be shared
14651 with maps.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010014652
Willy Tarreau12833bb2014-01-28 16:49:56 +010014653show pools
14654 Dump the status of internal memory pools. This is useful to track memory
14655 usage when suspecting a memory leak for example. It does exactly the same
14656 as the SIGQUIT when running in foreground except that it does not flush
14657 the pools.
14658
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014659show sess
14660 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020014661 be huge. This command is restricted and can only be issued on sockets
14662 configured for levels "operator" or "admin".
14663
Willy Tarreau66dc20a2010-03-05 17:53:32 +010014664show sess <id>
14665 Display a lot of internal information about the specified session identifier.
14666 This identifier is the first field at the beginning of the lines in the dumps
14667 of "show sess" (it corresponds to the session pointer). Those information are
14668 useless to most users but may be used by haproxy developers to troubleshoot a
14669 complex bug. The output format is intentionally not documented so that it can
Olivierce31e6e2014-09-05 18:49:10 +020014670 freely evolve depending on demands. You may find a description of all fields
14671 returned in src/dumpstats.c
14672
14673 The special id "all" dumps the states of all sessions, which must be avoided
14674 as much as possible as it is highly CPU intensive and can take a lot of time.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014675
14676show stat [<iid> <type> <sid>]
14677 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
14678 possible to dump only selected items :
14679 - <iid> is a proxy ID, -1 to dump everything
14680 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
14681 backends, 4 for servers, -1 for everything. These values can be ORed,
14682 for example:
14683 1 + 2 = 3 -> frontend + backend.
14684 1 + 2 + 4 = 7 -> frontend + backend + server.
14685 - <sid> is a server ID, -1 to dump everything from the selected proxy.
14686
14687 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014688 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
14689 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014690 Version: 1.4-dev2-49
14691 Release_date: 2009/09/23
14692 Nbproc: 1
14693 Process_num: 1
14694 (...)
14695
14696 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
14697 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
14698 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
14699 (...)
14700 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
14701
14702 $
14703
14704 Here, two commands have been issued at once. That way it's easy to find
14705 which process the stats apply to in multi-process mode. Notice the empty
14706 line after the information output which marks the end of the first block.
14707 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014708 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020014709
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014710show table
14711 Dump general information on all known stick-tables. Their name is returned
14712 (the name of the proxy which holds them), their type (currently zero, always
14713 IP), their size in maximum possible number of entries, and the number of
14714 entries currently in use.
14715
14716 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014717 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014718 >>> # table: front_pub, type: ip, size:204800, used:171454
14719 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014720
Simon Horman17bce342011-06-15 15:18:47 +090014721show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014722 Dump contents of stick-table <name>. In this mode, a first line of generic
14723 information about the table is reported as with "show table", then all
14724 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090014725 a filter in order to specify what entries to display.
14726
14727 When the "data." form is used the filter applies to the stored data (see
14728 "stick-table" in section 4.2). A stored data type must be specified
14729 in <type>, and this data type must be stored in the table otherwise an
14730 error is reported. The data is compared according to <operator> with the
14731 64-bit integer <value>. Operators are the same as with the ACLs :
14732
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014733 - eq : match entries whose data is equal to this value
14734 - ne : match entries whose data is not equal to this value
14735 - le : match entries whose data is less than or equal to this value
14736 - ge : match entries whose data is greater than or equal to this value
14737 - lt : match entries whose data is less than this value
14738 - gt : match entries whose data is greater than this value
14739
Simon Hormanc88b8872011-06-15 15:18:49 +090014740
14741 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090014742 same type as the table, which currently is limited to IPv4, IPv6, integer,
14743 and string.
Simon Horman17bce342011-06-15 15:18:47 +090014744
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014745 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014746 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014747 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014748 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
14749 bytes_out_rate(60000)=187
14750 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14751 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014752
Willy Tarreau62a36c42010-08-17 15:53:10 +020014753 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014754 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014755 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14756 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014757
Willy Tarreau62a36c42010-08-17 15:53:10 +020014758 $ echo "show table http_proxy data.conn_rate gt 5" | \
14759 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014760 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020014761 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14762 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014763
Simon Horman17bce342011-06-15 15:18:47 +090014764 $ echo "show table http_proxy key 127.0.0.2" | \
14765 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090014766 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090014767 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
14768 bytes_out_rate(60000)=191
14769
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014770 When the data criterion applies to a dynamic value dependent on time such as
14771 a bytes rate, the value is dynamically computed during the evaluation of the
14772 entry in order to decide whether it has to be dumped or not. This means that
14773 such a filter could match for some time then not match anymore because as
14774 time goes, the average event rate drops.
14775
14776 It is possible to use this to extract lists of IP addresses abusing the
14777 service, in order to monitor them or even blacklist them in a firewall.
14778 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020014779 $ echo "show table http_proxy data.gpc0 gt 0" \
14780 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020014781 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
14782 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020014783
Willy Tarreau532a4502011-09-07 22:37:44 +020014784shutdown frontend <frontend>
14785 Completely delete the specified frontend. All the ports it was bound to will
14786 be released. It will not be possible to enable the frontend anymore after
14787 this operation. This is intended to be used in environments where stopping a
14788 proxy is not even imaginable but a misconfigured proxy must be fixed. That
14789 way it's possible to release the port and bind it into another process to
14790 restore operations. The frontend will not appear at all on the stats page
14791 once it is terminated.
14792
14793 The frontend may be specified either by its name or by its numeric ID,
14794 prefixed with a sharp ('#').
14795
14796 This command is restricted and can only be issued on sockets configured for
14797 level "admin".
14798
Willy Tarreaua295edc2011-09-07 23:21:03 +020014799shutdown session <id>
14800 Immediately terminate the session matching the specified session identifier.
14801 This identifier is the first field at the beginning of the lines in the dumps
14802 of "show sess" (it corresponds to the session pointer). This can be used to
14803 terminate a long-running session without waiting for a timeout or when an
14804 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
14805 flag in the logs.
14806
Cyril Bontée63a1eb2014-07-12 18:22:42 +020014807shutdown sessions server <backend>/<server>
Willy Tarreau52b2d222011-09-07 23:48:48 +020014808 Immediately terminate all the sessions attached to the specified server. This
14809 can be used to terminate long-running sessions after a server is put into
14810 maintenance mode, for instance. Such terminated sessions are reported with a
14811 'K' flag in the logs.
14812
Willy Tarreau0ba27502007-12-24 16:55:16 +010014813/*
14814 * Local variables:
14815 * fill-column: 79
14816 * End:
14817 */