Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1 | ---------------------- |
Willy Tarreau | 8317b28 | 2014-04-23 01:49:41 +0200 | [diff] [blame] | 2 | HAProxy |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 3 | Configuration Manual |
| 4 | ---------------------- |
Willy Tarreau | 4dfb795 | 2014-06-24 11:30:21 +0200 | [diff] [blame] | 5 | version 1.5.1 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 6 | willy tarreau |
Willy Tarreau | 4dfb795 | 2014-06-24 11:30:21 +0200 | [diff] [blame] | 7 | 2014/06/24 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 8 | |
| 9 | |
| 10 | This document covers the configuration language as implemented in the version |
| 11 | specified above. It does not provide any hint, example or advice. For such |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 12 | documentation, please refer to the Reference Manual or the Architecture Manual. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 13 | The summary below is meant to help you search sections by name and navigate |
| 14 | through the document. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 15 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 16 | Note to documentation contributors : |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 17 | This document is formatted with 80 columns per line, with even number of |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 18 | spaces for indentation and without tabs. Please follow these rules strictly |
| 19 | so that it remains easily printable everywhere. If a line needs to be |
| 20 | printed verbatim and does not fit, please end each line with a backslash |
Willy Tarreau | 62a36c4 | 2010-08-17 15:53:10 +0200 | [diff] [blame] | 21 | ('\') and continue on next line, indented by two characters. It is also |
| 22 | sometimes useful to prefix all output lines (logs, console outs) with 3 |
| 23 | closing angle brackets ('>>>') in order to help get the difference between |
| 24 | inputs and outputs when it can become ambiguous. If you add sections, |
| 25 | please update the summary below for easier searching. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 26 | |
| 27 | |
| 28 | Summary |
| 29 | ------- |
| 30 | |
| 31 | 1. Quick reminder about HTTP |
| 32 | 1.1. The HTTP transaction model |
| 33 | 1.2. HTTP request |
| 34 | 1.2.1. The Request line |
| 35 | 1.2.2. The request headers |
| 36 | 1.3. HTTP response |
| 37 | 1.3.1. The Response line |
| 38 | 1.3.2. The response headers |
| 39 | |
| 40 | 2. Configuring HAProxy |
| 41 | 2.1. Configuration file format |
| 42 | 2.2. Time format |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 43 | 2.3. Examples |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 44 | |
| 45 | 3. Global parameters |
| 46 | 3.1. Process management and security |
| 47 | 3.2. Performance tuning |
| 48 | 3.3. Debugging |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 49 | 3.4. Userlists |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 50 | 3.5. Peers |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 51 | |
| 52 | 4. Proxies |
| 53 | 4.1. Proxy keywords matrix |
| 54 | 4.2. Alphabetically sorted keywords reference |
| 55 | |
Willy Tarreau | 086fbf5 | 2012-09-24 20:34:51 +0200 | [diff] [blame] | 56 | 5. Bind and Server options |
| 57 | 5.1. Bind options |
| 58 | 5.2. Server and default-server options |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 59 | |
| 60 | 6. HTTP header manipulation |
| 61 | |
Willy Tarreau | 74ca504 | 2013-06-11 23:12:07 +0200 | [diff] [blame] | 62 | 7. Using ACLs and fetching samples |
| 63 | 7.1. ACL basics |
| 64 | 7.1.1. Matching booleans |
| 65 | 7.1.2. Matching integers |
| 66 | 7.1.3. Matching strings |
| 67 | 7.1.4. Matching regular expressions (regexes) |
| 68 | 7.1.5. Matching arbitrary data blocks |
| 69 | 7.1.6. Matching IPv4 and IPv6 addresses |
| 70 | 7.2. Using ACLs to form conditions |
| 71 | 7.3. Fetching samples |
Thierry FOURNIER | 060762e | 2014-04-23 13:29:15 +0200 | [diff] [blame] | 72 | 7.3.1. Converters |
| 73 | 7.3.2. Fetching samples from internal states |
| 74 | 7.3.3. Fetching samples at Layer 4 |
| 75 | 7.3.4. Fetching samples at Layer 5 |
| 76 | 7.3.5. Fetching samples from buffer contents (Layer 6) |
| 77 | 7.3.6. Fetching HTTP samples (Layer 7) |
Willy Tarreau | 74ca504 | 2013-06-11 23:12:07 +0200 | [diff] [blame] | 78 | 7.4. Pre-defined ACLs |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 79 | |
| 80 | 8. Logging |
| 81 | 8.1. Log levels |
| 82 | 8.2. Log formats |
| 83 | 8.2.1. Default log format |
| 84 | 8.2.2. TCP log format |
| 85 | 8.2.3. HTTP log format |
William Lallemand | 4894040 | 2012-01-30 16:47:22 +0100 | [diff] [blame] | 86 | 8.2.4. Custom log format |
Willy Tarreau | 5f51e1a | 2012-12-03 18:40:10 +0100 | [diff] [blame] | 87 | 8.2.5. Error log format |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 88 | 8.3. Advanced logging options |
| 89 | 8.3.1. Disabling logging of external tests |
| 90 | 8.3.2. Logging before waiting for the session to terminate |
| 91 | 8.3.3. Raising log level upon errors |
| 92 | 8.3.4. Disabling logging of successful connections |
| 93 | 8.4. Timing events |
| 94 | 8.5. Session state at disconnection |
| 95 | 8.6. Non-printable characters |
| 96 | 8.7. Capturing HTTP cookies |
| 97 | 8.8. Capturing HTTP headers |
| 98 | 8.9. Examples of logs |
| 99 | |
| 100 | 9. Statistics and monitoring |
| 101 | 9.1. CSV format |
| 102 | 9.2. Unix Socket commands |
| 103 | |
| 104 | |
| 105 | 1. Quick reminder about HTTP |
| 106 | ---------------------------- |
| 107 | |
| 108 | When haproxy is running in HTTP mode, both the request and the response are |
| 109 | fully analyzed and indexed, thus it becomes possible to build matching criteria |
| 110 | on almost anything found in the contents. |
| 111 | |
| 112 | However, it is important to understand how HTTP requests and responses are |
| 113 | formed, and how HAProxy decomposes them. It will then become easier to write |
| 114 | correct rules and to debug existing configurations. |
| 115 | |
| 116 | |
| 117 | 1.1. The HTTP transaction model |
| 118 | ------------------------------- |
| 119 | |
| 120 | The HTTP protocol is transaction-driven. This means that each request will lead |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 121 | to one and only one response. Traditionally, a TCP connection is established |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 122 | from the client to the server, a request is sent by the client on the |
| 123 | connection, the server responds and the connection is closed. A new request |
| 124 | will involve a new connection : |
| 125 | |
| 126 | [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ... |
| 127 | |
| 128 | In this mode, called the "HTTP close" mode, there are as many connection |
| 129 | establishments as there are HTTP transactions. Since the connection is closed |
| 130 | by the server after the response, the client does not need to know the content |
| 131 | length. |
| 132 | |
| 133 | Due to the transactional nature of the protocol, it was possible to improve it |
| 134 | to avoid closing a connection between two subsequent transactions. In this mode |
| 135 | however, it is mandatory that the server indicates the content length for each |
| 136 | response so that the client does not wait indefinitely. For this, a special |
| 137 | header is used: "Content-length". This mode is called the "keep-alive" mode : |
| 138 | |
| 139 | [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ... |
| 140 | |
| 141 | Its advantages are a reduced latency between transactions, and less processing |
| 142 | power required on the server side. It is generally better than the close mode, |
| 143 | but not always because the clients often limit their concurrent connections to |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 144 | a smaller value. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 145 | |
| 146 | A last improvement in the communications is the pipelining mode. It still uses |
| 147 | keep-alive, but the client does not wait for the first response to send the |
| 148 | second request. This is useful for fetching large number of images composing a |
| 149 | page : |
| 150 | |
| 151 | [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ... |
| 152 | |
| 153 | This can obviously have a tremendous benefit on performance because the network |
| 154 | latency is eliminated between subsequent requests. Many HTTP agents do not |
| 155 | correctly support pipelining since there is no way to associate a response with |
| 156 | the corresponding request in HTTP. For this reason, it is mandatory for the |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 157 | server to reply in the exact same order as the requests were received. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 158 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 159 | By default HAProxy operates in keep-alive mode with regards to persistent |
| 160 | connections: for each connection it processes each request and response, and |
| 161 | leaves the connection idle on both sides between the end of a response and the |
| 162 | start of a new request. |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 163 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 164 | HAProxy supports 5 connection modes : |
| 165 | - keep alive : all requests and responses are processed (default) |
| 166 | - tunnel : only the first request and response are processed, |
| 167 | everything else is forwarded with no analysis. |
| 168 | - passive close : tunnel with "Connection: close" added in both directions. |
| 169 | - server close : the server-facing connection is closed after the response. |
| 170 | - forced close : the connection is actively closed after end of response. |
| 171 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 172 | |
| 173 | 1.2. HTTP request |
| 174 | ----------------- |
| 175 | |
| 176 | First, let's consider this HTTP request : |
| 177 | |
| 178 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 179 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 180 | 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1 |
| 181 | 2 Host: www.mydomain.com |
| 182 | 3 User-agent: my small browser |
| 183 | 4 Accept: image/jpeg, image/gif |
| 184 | 5 Accept: image/png |
| 185 | |
| 186 | |
| 187 | 1.2.1. The Request line |
| 188 | ----------------------- |
| 189 | |
| 190 | Line 1 is the "request line". It is always composed of 3 fields : |
| 191 | |
| 192 | - a METHOD : GET |
| 193 | - a URI : /serv/login.php?lang=en&profile=2 |
| 194 | - a version tag : HTTP/1.1 |
| 195 | |
| 196 | All of them are delimited by what the standard calls LWS (linear white spaces), |
| 197 | which are commonly spaces, but can also be tabs or line feeds/carriage returns |
| 198 | followed by spaces/tabs. The method itself cannot contain any colon (':') and |
| 199 | is limited to alphabetic letters. All those various combinations make it |
| 200 | desirable that HAProxy performs the splitting itself rather than leaving it to |
| 201 | the user to write a complex or inaccurate regular expression. |
| 202 | |
| 203 | The URI itself can have several forms : |
| 204 | |
| 205 | - A "relative URI" : |
| 206 | |
| 207 | /serv/login.php?lang=en&profile=2 |
| 208 | |
| 209 | It is a complete URL without the host part. This is generally what is |
| 210 | received by servers, reverse proxies and transparent proxies. |
| 211 | |
| 212 | - An "absolute URI", also called a "URL" : |
| 213 | |
| 214 | http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 |
| 215 | |
| 216 | It is composed of a "scheme" (the protocol name followed by '://'), a host |
| 217 | name or address, optionally a colon (':') followed by a port number, then |
| 218 | a relative URI beginning at the first slash ('/') after the address part. |
| 219 | This is generally what proxies receive, but a server supporting HTTP/1.1 |
| 220 | must accept this form too. |
| 221 | |
| 222 | - a star ('*') : this form is only accepted in association with the OPTIONS |
| 223 | method and is not relayable. It is used to inquiry a next hop's |
| 224 | capabilities. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 225 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 226 | - an address:port combination : 192.168.0.12:80 |
| 227 | This is used with the CONNECT method, which is used to establish TCP |
| 228 | tunnels through HTTP proxies, generally for HTTPS, but sometimes for |
| 229 | other protocols too. |
| 230 | |
| 231 | In a relative URI, two sub-parts are identified. The part before the question |
| 232 | mark is called the "path". It is typically the relative path to static objects |
| 233 | on the server. The part after the question mark is called the "query string". |
| 234 | It is mostly used with GET requests sent to dynamic scripts and is very |
| 235 | specific to the language, framework or application in use. |
| 236 | |
| 237 | |
| 238 | 1.2.2. The request headers |
| 239 | -------------------------- |
| 240 | |
| 241 | The headers start at the second line. They are composed of a name at the |
| 242 | beginning of the line, immediately followed by a colon (':'). Traditionally, |
| 243 | an LWS is added after the colon but that's not required. Then come the values. |
| 244 | Multiple identical headers may be folded into one single line, delimiting the |
| 245 | values with commas, provided that their order is respected. This is commonly |
| 246 | encountered in the "Cookie:" field. A header may span over multiple lines if |
| 247 | the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5 |
| 248 | define a total of 3 values for the "Accept:" header. |
| 249 | |
| 250 | Contrary to a common mis-conception, header names are not case-sensitive, and |
| 251 | their values are not either if they refer to other header names (such as the |
| 252 | "Connection:" header). |
| 253 | |
| 254 | The end of the headers is indicated by the first empty line. People often say |
| 255 | that it's a double line feed, which is not exact, even if a double line feed |
| 256 | is one valid form of empty line. |
| 257 | |
| 258 | Fortunately, HAProxy takes care of all these complex combinations when indexing |
| 259 | headers, checking values and counting them, so there is no reason to worry |
| 260 | about the way they could be written, but it is important not to accuse an |
| 261 | application of being buggy if it does unusual, valid things. |
| 262 | |
| 263 | Important note: |
| 264 | As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks |
| 265 | in the middle of headers by LWS in order to join multi-line headers. This |
| 266 | is necessary for proper analysis and helps less capable HTTP parsers to work |
| 267 | correctly and not to be fooled by such complex constructs. |
| 268 | |
| 269 | |
| 270 | 1.3. HTTP response |
| 271 | ------------------ |
| 272 | |
| 273 | An HTTP response looks very much like an HTTP request. Both are called HTTP |
| 274 | messages. Let's consider this HTTP response : |
| 275 | |
| 276 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 277 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 278 | 1 HTTP/1.1 200 OK |
| 279 | 2 Content-length: 350 |
| 280 | 3 Content-Type: text/html |
| 281 | |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 282 | As a special case, HTTP supports so called "Informational responses" as status |
| 283 | codes 1xx. These messages are special in that they don't convey any part of the |
| 284 | response, they're just used as sort of a signaling message to ask a client to |
Willy Tarreau | 5843d1a | 2010-02-01 15:13:32 +0100 | [diff] [blame] | 285 | continue to post its request for instance. In the case of a status 100 response |
| 286 | the requested information will be carried by the next non-100 response message |
| 287 | following the informational one. This implies that multiple responses may be |
| 288 | sent to a single request, and that this only works when keep-alive is enabled |
| 289 | (1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to |
| 290 | correctly forward and skip them, and only process the next non-100 response. As |
| 291 | such, these messages are neither logged nor transformed, unless explicitly |
| 292 | state otherwise. Status 101 messages indicate that the protocol is changing |
| 293 | over the same connection and that haproxy must switch to tunnel mode, just as |
| 294 | if a CONNECT had occurred. Then the Upgrade header would contain additional |
| 295 | information about the type of protocol the connection is switching to. |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 296 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 297 | |
| 298 | 1.3.1. The Response line |
| 299 | ------------------------ |
| 300 | |
| 301 | Line 1 is the "response line". It is always composed of 3 fields : |
| 302 | |
| 303 | - a version tag : HTTP/1.1 |
| 304 | - a status code : 200 |
| 305 | - a reason : OK |
| 306 | |
| 307 | The status code is always 3-digit. The first digit indicates a general status : |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 308 | - 1xx = informational message to be skipped (eg: 100, 101) |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 309 | - 2xx = OK, content is following (eg: 200, 206) |
| 310 | - 3xx = OK, no content following (eg: 302, 304) |
| 311 | - 4xx = error caused by the client (eg: 401, 403, 404) |
| 312 | - 5xx = error caused by the server (eg: 500, 502, 503) |
| 313 | |
| 314 | Please refer to RFC2616 for the detailed meaning of all such codes. The |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 315 | "reason" field is just a hint, but is not parsed by clients. Anything can be |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 316 | found there, but it's a common practice to respect the well-established |
| 317 | messages. It can be composed of one or multiple words, such as "OK", "Found", |
| 318 | or "Authentication Required". |
| 319 | |
| 320 | Haproxy may emit the following status codes by itself : |
| 321 | |
| 322 | Code When / reason |
| 323 | 200 access to stats page, and when replying to monitoring requests |
| 324 | 301 when performing a redirection, depending on the configured code |
| 325 | 302 when performing a redirection, depending on the configured code |
| 326 | 303 when performing a redirection, depending on the configured code |
Willy Tarreau | b67fdc4 | 2013-03-29 19:28:11 +0100 | [diff] [blame] | 327 | 307 when performing a redirection, depending on the configured code |
| 328 | 308 when performing a redirection, depending on the configured code |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 329 | 400 for an invalid or too large request |
| 330 | 401 when an authentication is required to perform the action (when |
| 331 | accessing the stats page) |
| 332 | 403 when a request is forbidden by a "block" ACL or "reqdeny" filter |
| 333 | 408 when the request timeout strikes before the request is complete |
| 334 | 500 when haproxy encounters an unrecoverable internal error, such as a |
| 335 | memory allocation failure, which should never happen |
| 336 | 502 when the server returns an empty, invalid or incomplete response, or |
| 337 | when an "rspdeny" filter blocks the response. |
| 338 | 503 when no server was available to handle the request, or in response to |
| 339 | monitoring requests which match the "monitor fail" condition |
| 340 | 504 when the response timeout strikes before the server responds |
| 341 | |
| 342 | The error 4xx and 5xx codes above may be customized (see "errorloc" in section |
| 343 | 4.2). |
| 344 | |
| 345 | |
| 346 | 1.3.2. The response headers |
| 347 | --------------------------- |
| 348 | |
| 349 | Response headers work exactly like request headers, and as such, HAProxy uses |
| 350 | the same parsing function for both. Please refer to paragraph 1.2.2 for more |
| 351 | details. |
| 352 | |
| 353 | |
| 354 | 2. Configuring HAProxy |
| 355 | ---------------------- |
| 356 | |
| 357 | 2.1. Configuration file format |
| 358 | ------------------------------ |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 359 | |
| 360 | HAProxy's configuration process involves 3 major sources of parameters : |
| 361 | |
| 362 | - the arguments from the command-line, which always take precedence |
| 363 | - the "global" section, which sets process-wide parameters |
| 364 | - the proxies sections which can take form of "defaults", "listen", |
| 365 | "frontend" and "backend". |
| 366 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 367 | The configuration file syntax consists in lines beginning with a keyword |
| 368 | referenced in this manual, optionally followed by one or several parameters |
| 369 | delimited by spaces. If spaces have to be entered in strings, then they must be |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 370 | preceded by a backslash ('\') to be escaped. Backslashes also have to be |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 371 | escaped by doubling them. |
| 372 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 373 | |
| 374 | 2.2. Time format |
| 375 | ---------------- |
| 376 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 377 | Some parameters involve values representing time, such as timeouts. These |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 378 | values are generally expressed in milliseconds (unless explicitly stated |
| 379 | otherwise) but may be expressed in any other unit by suffixing the unit to the |
| 380 | numeric value. It is important to consider this because it will not be repeated |
| 381 | for every keyword. Supported units are : |
| 382 | |
| 383 | - us : microseconds. 1 microsecond = 1/1000000 second |
| 384 | - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default. |
| 385 | - s : seconds. 1s = 1000ms |
| 386 | - m : minutes. 1m = 60s = 60000ms |
| 387 | - h : hours. 1h = 60m = 3600s = 3600000ms |
| 388 | - d : days. 1d = 24h = 1440m = 86400s = 86400000ms |
| 389 | |
| 390 | |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 391 | 2.3. Examples |
| 392 | ------------- |
| 393 | |
| 394 | # Simple configuration for an HTTP proxy listening on port 80 on all |
| 395 | # interfaces and forwarding requests to a single backend "servers" with a |
| 396 | # single server "server1" listening on 127.0.0.1:8000 |
| 397 | global |
| 398 | daemon |
| 399 | maxconn 256 |
| 400 | |
| 401 | defaults |
| 402 | mode http |
| 403 | timeout connect 5000ms |
| 404 | timeout client 50000ms |
| 405 | timeout server 50000ms |
| 406 | |
| 407 | frontend http-in |
| 408 | bind *:80 |
| 409 | default_backend servers |
| 410 | |
| 411 | backend servers |
| 412 | server server1 127.0.0.1:8000 maxconn 32 |
| 413 | |
| 414 | |
| 415 | # The same configuration defined with a single listen block. Shorter but |
| 416 | # less expressive, especially in HTTP mode. |
| 417 | global |
| 418 | daemon |
| 419 | maxconn 256 |
| 420 | |
| 421 | defaults |
| 422 | mode http |
| 423 | timeout connect 5000ms |
| 424 | timeout client 50000ms |
| 425 | timeout server 50000ms |
| 426 | |
| 427 | listen http-in |
| 428 | bind *:80 |
| 429 | server server1 127.0.0.1:8000 maxconn 32 |
| 430 | |
| 431 | |
| 432 | Assuming haproxy is in $PATH, test these configurations in a shell with: |
| 433 | |
Willy Tarreau | ccb289d | 2010-12-11 20:19:38 +0100 | [diff] [blame] | 434 | $ sudo haproxy -f configuration.conf -c |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 435 | |
| 436 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 437 | 3. Global parameters |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 438 | -------------------- |
| 439 | |
| 440 | Parameters in the "global" section are process-wide and often OS-specific. They |
| 441 | are generally set once for all and do not need being changed once correct. Some |
| 442 | of them have command-line equivalents. |
| 443 | |
| 444 | The following keywords are supported in the "global" section : |
| 445 | |
| 446 | * Process management and security |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 447 | - ca-base |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 448 | - chroot |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 449 | - crt-base |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 450 | - daemon |
| 451 | - gid |
| 452 | - group |
| 453 | - log |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 454 | - log-send-hostname |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 455 | - nbproc |
| 456 | - pidfile |
| 457 | - uid |
| 458 | - ulimit-n |
| 459 | - user |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 460 | - stats |
Emeric Brun | 850efd5 | 2014-01-29 12:24:34 +0100 | [diff] [blame] | 461 | - ssl-server-verify |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 462 | - node |
| 463 | - description |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 464 | - unix-bind |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 465 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 466 | * Performance tuning |
Willy Tarreau | 1746eec | 2014-04-25 10:46:47 +0200 | [diff] [blame] | 467 | - max-spread-checks |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 468 | - maxconn |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 469 | - maxconnrate |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 470 | - maxcomprate |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 471 | - maxcompcpuusage |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 472 | - maxpipes |
Willy Tarreau | 93e7c00 | 2013-10-07 18:51:07 +0200 | [diff] [blame] | 473 | - maxsessrate |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 474 | - maxsslconn |
Willy Tarreau | e43d532 | 2013-10-07 20:01:52 +0200 | [diff] [blame] | 475 | - maxsslrate |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 476 | - noepoll |
| 477 | - nokqueue |
| 478 | - nopoll |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 479 | - nosplice |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 480 | - nogetaddrinfo |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 481 | - spread-checks |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 482 | - tune.bufsize |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 483 | - tune.chksize |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 484 | - tune.comp.maxlevel |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 485 | - tune.http.cookielen |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 486 | - tune.http.maxhdr |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 487 | - tune.idletimer |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 488 | - tune.maxaccept |
| 489 | - tune.maxpollevents |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 490 | - tune.maxrewrite |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 491 | - tune.pipesize |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 492 | - tune.rcvbuf.client |
| 493 | - tune.rcvbuf.server |
| 494 | - tune.sndbuf.client |
| 495 | - tune.sndbuf.server |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 496 | - tune.ssl.cachesize |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 497 | - tune.ssl.lifetime |
Emeric Brun | 8dc6039 | 2014-05-09 13:52:00 +0200 | [diff] [blame] | 498 | - tune.ssl.force-private-cache |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 499 | - tune.ssl.maxrecord |
Remi Gacogne | f46cd6e | 2014-06-12 14:58:40 +0200 | [diff] [blame] | 500 | - tune.ssl.default-dh-param |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 501 | - tune.zlib.memlevel |
| 502 | - tune.zlib.windowsize |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 503 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 504 | * Debugging |
| 505 | - debug |
| 506 | - quiet |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 507 | |
| 508 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 509 | 3.1. Process management and security |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 510 | ------------------------------------ |
| 511 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 512 | ca-base <dir> |
| 513 | Assigns a default directory to fetch SSL CA certificates and CRLs from when a |
Emeric Brun | fd33a26 | 2012-10-11 16:28:27 +0200 | [diff] [blame] | 514 | relative path is used with "ca-file" or "crl-file" directives. Absolute |
| 515 | locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base". |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 516 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 517 | chroot <jail dir> |
| 518 | Changes current directory to <jail dir> and performs a chroot() there before |
| 519 | dropping privileges. This increases the security level in case an unknown |
| 520 | vulnerability would be exploited, since it would make it very hard for the |
| 521 | attacker to exploit the system. This only works when the process is started |
| 522 | with superuser privileges. It is important to ensure that <jail_dir> is both |
| 523 | empty and unwritable to anyone. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 524 | |
Willy Tarreau | fc6c032 | 2012-11-16 16:12:27 +0100 | [diff] [blame] | 525 | cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>... |
| 526 | On Linux 2.6 and above, it is possible to bind a process to a specific CPU |
| 527 | set. This means that the process will never run on other CPUs. The "cpu-map" |
| 528 | directive specifies CPU sets for process sets. The first argument is the |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 529 | process number to bind. This process must have a number between 1 and 32 or |
| 530 | 64, depending on the machine's word size, and any process IDs above nbproc |
| 531 | are ignored. It is possible to specify all processes at once using "all", |
| 532 | only odd numbers using "odd" or even numbers using "even", just like with the |
| 533 | "bind-process" directive. The second and forthcoming arguments are CPU sets. |
| 534 | Each CPU set is either a unique number between 0 and 31 or 63 or a range with |
| 535 | two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges |
| 536 | may be specified, and the processes will be allowed to bind to all of them. |
| 537 | Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map" |
| 538 | directive will replace the previous ones when they overlap. |
Willy Tarreau | fc6c032 | 2012-11-16 16:12:27 +0100 | [diff] [blame] | 539 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 540 | crt-base <dir> |
| 541 | Assigns a default directory to fetch SSL certificates from when a relative |
| 542 | path is used with "crtfile" directives. Absolute locations specified after |
| 543 | "crtfile" prevail and ignore "crt-base". |
| 544 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 545 | daemon |
| 546 | Makes the process fork into background. This is the recommended mode of |
| 547 | operation. It is equivalent to the command line "-D" argument. It can be |
| 548 | disabled by the command line "-db" argument. |
| 549 | |
| 550 | gid <number> |
| 551 | Changes the process' group ID to <number>. It is recommended that the group |
| 552 | ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 553 | be started with a user belonging to this group, or with superuser privileges. |
Michael Scherer | ab012dd | 2013-01-12 18:35:19 +0100 | [diff] [blame] | 554 | Note that if haproxy is started from a user having supplementary groups, it |
| 555 | will only be able to drop these groups if started with superuser privileges. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 556 | See also "group" and "uid". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 557 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 558 | group <group name> |
| 559 | Similar to "gid" but uses the GID of group name <group name> from /etc/group. |
| 560 | See also "gid" and "user". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 561 | |
Willy Tarreau | dc2695c | 2014-06-27 18:10:07 +0200 | [diff] [blame] | 562 | log <address> [len <length>] <facility> [max level [min level]] |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 563 | Adds a global syslog server. Up to two global servers can be defined. They |
| 564 | will receive logs for startups and exits, as well as all logs from proxies |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 565 | configured with "log global". |
| 566 | |
| 567 | <address> can be one of: |
| 568 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 569 | - An IPv4 address optionally followed by a colon and a UDP port. If |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 570 | no port is specified, 514 is used by default (the standard syslog |
| 571 | port). |
| 572 | |
David du Colombier | 24bb5f5 | 2011-03-17 10:40:23 +0100 | [diff] [blame] | 573 | - An IPv6 address followed by a colon and optionally a UDP port. If |
| 574 | no port is specified, 514 is used by default (the standard syslog |
| 575 | port). |
| 576 | |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 577 | - A filesystem path to a UNIX domain socket, keeping in mind |
| 578 | considerations for chroot (be sure the path is accessible inside |
| 579 | the chroot) and uid/gid (be sure the path is appropriately |
| 580 | writeable). |
| 581 | |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 582 | Any part of the address string may reference any number of environment |
| 583 | variables by preceding their name with a dollar sign ('$') and |
| 584 | optionally enclosing them with braces ('{}'), similarly to what is done |
| 585 | in Bourne shell. |
| 586 | |
Willy Tarreau | dc2695c | 2014-06-27 18:10:07 +0200 | [diff] [blame] | 587 | <length> is an optional maximum line length. Log lines larger than this value |
| 588 | will be truncated before being sent. The reason is that syslog |
| 589 | servers act differently on log line length. All servers support the |
| 590 | default value of 1024, but some servers simply drop larger lines |
| 591 | while others do log them. If a server supports long lines, it may |
| 592 | make sense to set this value here in order to avoid truncating long |
| 593 | lines. Similarly, if a server drops long lines, it is preferable to |
| 594 | truncate them before sending them. Accepted values are 80 to 65535 |
| 595 | inclusive. The default value of 1024 is generally fine for all |
| 596 | standard usages. Some specific cases of long captures or |
| 597 | JSON-formated logs may require larger values. |
| 598 | |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 599 | <facility> must be one of the 24 standard syslog facilities : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 600 | |
| 601 | kern user mail daemon auth syslog lpr news |
| 602 | uucp cron auth2 ftp ntp audit alert cron2 |
| 603 | local0 local1 local2 local3 local4 local5 local6 local7 |
| 604 | |
| 605 | An optional level can be specified to filter outgoing messages. By default, |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 606 | all messages are sent. If a maximum level is specified, only messages with a |
| 607 | severity at least as important as this level will be sent. An optional minimum |
| 608 | level can be specified. If it is set, logs emitted with a more severe level |
| 609 | than this one will be capped to this level. This is used to avoid sending |
| 610 | "emerg" messages on all terminals on some default syslog configurations. |
| 611 | Eight levels are known : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 612 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 613 | emerg alert crit err warning notice info debug |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 614 | |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 615 | log-send-hostname [<string>] |
| 616 | Sets the hostname field in the syslog header. If optional "string" parameter |
| 617 | is set the header is set to the string contents, otherwise uses the hostname |
| 618 | of the system. Generally used if one is not relaying logs through an |
| 619 | intermediate syslog server or for simply customizing the hostname printed in |
| 620 | the logs. |
| 621 | |
Kevinm | 48936af | 2010-12-22 16:08:21 +0000 | [diff] [blame] | 622 | log-tag <string> |
| 623 | Sets the tag field in the syslog header to this string. It defaults to the |
| 624 | program name as launched from the command line, which usually is "haproxy". |
| 625 | Sometimes it can be useful to differentiate between multiple processes |
| 626 | running on the same host. |
| 627 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 628 | nbproc <number> |
| 629 | Creates <number> processes when going daemon. This requires the "daemon" |
| 630 | mode. By default, only one process is created, which is the recommended mode |
| 631 | of operation. For systems limited to small sets of file descriptors per |
| 632 | process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES |
| 633 | IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon". |
| 634 | |
| 635 | pidfile <pidfile> |
| 636 | Writes pids of all daemons into file <pidfile>. This option is equivalent to |
| 637 | the "-p" command line argument. The file must be accessible to the user |
| 638 | starting the process. See also "daemon". |
| 639 | |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 640 | stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ... |
Willy Tarreau | 35b7b16 | 2012-10-22 23:17:18 +0200 | [diff] [blame] | 641 | Limits the stats socket to a certain set of processes numbers. By default the |
| 642 | stats socket is bound to all processes, causing a warning to be emitted when |
| 643 | nbproc is greater than 1 because there is no way to select the target process |
| 644 | when connecting. However, by using this setting, it becomes possible to pin |
| 645 | the stats socket to a specific set of processes, typically the first one. The |
| 646 | warning will automatically be disabled when this setting is used, whatever |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 647 | the number of processes used. The maximum process ID depends on the machine's |
Willy Tarreau | ae30253 | 2014-05-07 19:22:24 +0200 | [diff] [blame] | 648 | word size (32 or 64). A better option consists in using the "process" setting |
| 649 | of the "stats socket" line to force the process on each line. |
Willy Tarreau | 35b7b16 | 2012-10-22 23:17:18 +0200 | [diff] [blame] | 650 | |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 651 | ssl-default-bind-ciphers <ciphers> |
| 652 | This setting is only available when support for OpenSSL was built in. It sets |
| 653 | the default string describing the list of cipher algorithms ("cipher suite") |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 654 | that are negotiated during the SSL/TLS handshake for all "bind" lines which |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 655 | do not explicitly define theirs. The format of the string is defined in |
| 656 | "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such |
| 657 | as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the |
| 658 | "bind" keyword for more information. |
| 659 | |
| 660 | ssl-default-server-ciphers <ciphers> |
| 661 | This setting is only available when support for OpenSSL was built in. It |
| 662 | sets the default string describing the list of cipher algorithms that are |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 663 | negotiated during the SSL/TLS handshake with the server, for all "server" |
Willy Tarreau | 610f04b | 2014-02-13 11:36:41 +0100 | [diff] [blame] | 664 | lines which do not explicitly define theirs. The format of the string is |
| 665 | defined in "man 1 ciphers". Please check the "server" keyword for more |
| 666 | information. |
| 667 | |
Emeric Brun | 850efd5 | 2014-01-29 12:24:34 +0100 | [diff] [blame] | 668 | ssl-server-verify [none|required] |
| 669 | The default behavior for SSL verify on servers side. If specified to 'none', |
| 670 | servers certificates are not verified. The default is 'required' except if |
| 671 | forced using cmdline option '-dV'. |
| 672 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 673 | stats socket [<address:port>|<path>] [param*] |
| 674 | Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>. |
| 675 | Connections to this socket will return various statistics outputs and even |
| 676 | allow some commands to be issued to change some runtime settings. Please |
| 677 | consult section 9.2 "Unix Socket commands" for more details. |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 678 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 679 | All parameters supported by "bind" lines are supported, for instance to |
| 680 | restrict access to some users or their access rights. Please consult |
| 681 | section 5.1 for more information. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 682 | |
| 683 | stats timeout <timeout, in milliseconds> |
| 684 | The default timeout on the stats socket is set to 10 seconds. It is possible |
| 685 | to change this value with "stats timeout". The value must be passed in |
Willy Tarreau | befdff1 | 2007-12-02 22:27:38 +0100 | [diff] [blame] | 686 | milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 687 | |
| 688 | stats maxconn <connections> |
| 689 | By default, the stats socket is limited to 10 concurrent connections. It is |
| 690 | possible to change this value with "stats maxconn". |
| 691 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 692 | uid <number> |
| 693 | Changes the process' user ID to <number>. It is recommended that the user ID |
| 694 | is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 695 | be started with superuser privileges in order to be able to switch to another |
| 696 | one. See also "gid" and "user". |
| 697 | |
| 698 | ulimit-n <number> |
| 699 | Sets the maximum number of per-process file-descriptors to <number>. By |
| 700 | default, it is automatically computed, so it is recommended not to use this |
| 701 | option. |
| 702 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 703 | unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ] |
| 704 | [ group <group> ] [ gid <gid> ] |
| 705 | |
| 706 | Fixes common settings to UNIX listening sockets declared in "bind" statements. |
| 707 | This is mainly used to simplify declaration of those UNIX sockets and reduce |
| 708 | the risk of errors, since those settings are most commonly required but are |
| 709 | also process-specific. The <prefix> setting can be used to force all socket |
| 710 | path to be relative to that directory. This might be needed to access another |
| 711 | component's chroot. Note that those paths are resolved before haproxy chroots |
| 712 | itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid> |
| 713 | all have the same meaning as their homonyms used by the "bind" statement. If |
| 714 | both are specified, the "bind" statement has priority, meaning that the |
| 715 | "unix-bind" settings may be seen as process-wide default settings. |
| 716 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 717 | user <user name> |
| 718 | Similar to "uid" but uses the UID of user name <user name> from /etc/passwd. |
| 719 | See also "uid" and "group". |
| 720 | |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 721 | node <name> |
| 722 | Only letters, digits, hyphen and underscore are allowed, like in DNS names. |
| 723 | |
| 724 | This statement is useful in HA configurations where two or more processes or |
| 725 | servers share the same IP address. By setting a different node-name on all |
| 726 | nodes, it becomes easy to immediately spot what server is handling the |
| 727 | traffic. |
| 728 | |
| 729 | description <text> |
| 730 | Add a text that describes the instance. |
| 731 | |
| 732 | Please note that it is required to escape certain characters (# for example) |
| 733 | and this text is inserted into a html page so you should avoid using |
| 734 | "<" and ">" characters. |
| 735 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 736 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 737 | 3.2. Performance tuning |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 738 | ----------------------- |
| 739 | |
Willy Tarreau | 1746eec | 2014-04-25 10:46:47 +0200 | [diff] [blame] | 740 | max-spread-checks <delay in milliseconds> |
| 741 | By default, haproxy tries to spread the start of health checks across the |
| 742 | smallest health check interval of all the servers in a farm. The principle is |
| 743 | to avoid hammering services running on the same server. But when using large |
| 744 | check intervals (10 seconds or more), the last servers in the farm take some |
| 745 | time before starting to be tested, which can be a problem. This parameter is |
| 746 | used to enforce an upper bound on delay between the first and the last check, |
| 747 | even if the servers' check intervals are larger. When servers run with |
| 748 | shorter intervals, their intervals will be respected though. |
| 749 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 750 | maxconn <number> |
| 751 | Sets the maximum per-process number of concurrent connections to <number>. It |
| 752 | is equivalent to the command-line argument "-n". Proxies will stop accepting |
| 753 | connections when this limit is reached. The "ulimit-n" parameter is |
Willy Tarreau | 8274e10 | 2014-06-19 15:31:25 +0200 | [diff] [blame] | 754 | automatically adjusted according to this value. See also "ulimit-n". Note: |
| 755 | the "select" poller cannot reliably use more than 1024 file descriptors on |
| 756 | some platforms. If your platform only supports select and reports "select |
| 757 | FAILED" on startup, you need to reduce maxconn until it works (slightly |
| 758 | below 500 in general). |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 759 | |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 760 | maxconnrate <number> |
| 761 | Sets the maximum per-process number of connections per second to <number>. |
| 762 | Proxies will stop accepting connections when this limit is reached. It can be |
| 763 | used to limit the global capacity regardless of each frontend capacity. It is |
| 764 | important to note that this can only be used as a service protection measure, |
| 765 | as there will not necessarily be a fair share between frontends when the |
| 766 | limit is reached, so it's a good idea to also limit each frontend to some |
| 767 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 768 | fairness. |
| 769 | |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 770 | maxcomprate <number> |
| 771 | Sets the maximum per-process input compression rate to <number> kilobytes |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 772 | per second. For each session, if the maximum is reached, the compression |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 773 | level will be decreased during the session. If the maximum is reached at the |
| 774 | beginning of a session, the session will not compress at all. If the maximum |
| 775 | is not reached, the compression level will be increased up to |
| 776 | tune.comp.maxlevel. A value of zero means there is no limit, this is the |
| 777 | default value. |
| 778 | |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 779 | maxcompcpuusage <number> |
| 780 | Sets the maximum CPU usage HAProxy can reach before stopping the compression |
| 781 | for new requests or decreasing the compression level of current requests. |
| 782 | It works like 'maxcomprate' but measures CPU usage instead of incoming data |
| 783 | bandwidth. The value is expressed in percent of the CPU used by haproxy. In |
| 784 | case of multiple processes (nbproc > 1), each process manages its individual |
| 785 | usage. A value of 100 disable the limit. The default value is 100. Setting |
| 786 | a lower value will prevent the compression work from slowing the whole |
| 787 | process down and from introducing high latencies. |
| 788 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 789 | maxpipes <number> |
| 790 | Sets the maximum per-process number of pipes to <number>. Currently, pipes |
| 791 | are only used by kernel-based tcp splicing. Since a pipe contains two file |
| 792 | descriptors, the "ulimit-n" value will be increased accordingly. The default |
| 793 | value is maxconn/4, which seems to be more than enough for most heavy usages. |
| 794 | The splice code dynamically allocates and releases pipes, and can fall back |
| 795 | to standard copy, so setting this value too low may only impact performance. |
| 796 | |
Willy Tarreau | 93e7c00 | 2013-10-07 18:51:07 +0200 | [diff] [blame] | 797 | maxsessrate <number> |
| 798 | Sets the maximum per-process number of sessions per second to <number>. |
| 799 | Proxies will stop accepting connections when this limit is reached. It can be |
| 800 | used to limit the global capacity regardless of each frontend capacity. It is |
| 801 | important to note that this can only be used as a service protection measure, |
| 802 | as there will not necessarily be a fair share between frontends when the |
| 803 | limit is reached, so it's a good idea to also limit each frontend to some |
| 804 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 805 | fairness. |
| 806 | |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 807 | maxsslconn <number> |
| 808 | Sets the maximum per-process number of concurrent SSL connections to |
| 809 | <number>. By default there is no SSL-specific limit, which means that the |
| 810 | global maxconn setting will apply to all connections. Setting this limit |
| 811 | avoids having openssl use too much memory and crash when malloc returns NULL |
| 812 | (since it unfortunately does not reliably check for such conditions). Note |
| 813 | that the limit applies both to incoming and outgoing connections, so one |
| 814 | connection which is deciphered then ciphered accounts for 2 SSL connections. |
| 815 | |
Willy Tarreau | e43d532 | 2013-10-07 20:01:52 +0200 | [diff] [blame] | 816 | maxsslrate <number> |
| 817 | Sets the maximum per-process number of SSL sessions per second to <number>. |
| 818 | SSL listeners will stop accepting connections when this limit is reached. It |
| 819 | can be used to limit the global SSL CPU usage regardless of each frontend |
| 820 | capacity. It is important to note that this can only be used as a service |
| 821 | protection measure, as there will not necessarily be a fair share between |
| 822 | frontends when the limit is reached, so it's a good idea to also limit each |
| 823 | frontend to some value close to its expected share. It is also important to |
| 824 | note that the sessions are accounted before they enter the SSL stack and not |
| 825 | after, which also protects the stack against bad handshakes. Also, lowering |
| 826 | tune.maxaccept can improve fairness. |
| 827 | |
William Lallemand | 9d5f548 | 2012-11-07 16:12:57 +0100 | [diff] [blame] | 828 | maxzlibmem <number> |
| 829 | Sets the maximum amount of RAM in megabytes per process usable by the zlib. |
| 830 | When the maximum amount is reached, future sessions will not compress as long |
| 831 | as RAM is unavailable. When sets to 0, there is no limit. |
William Lallemand | e3a7d99 | 2012-11-20 11:25:20 +0100 | [diff] [blame] | 832 | The default value is 0. The value is available in bytes on the UNIX socket |
| 833 | with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is |
| 834 | "ZlibMemUsage" in bytes. |
| 835 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 836 | noepoll |
| 837 | Disables the use of the "epoll" event polling system on Linux. It is |
| 838 | equivalent to the command-line argument "-de". The next polling system |
Willy Tarreau | e9f49e7 | 2012-11-11 17:42:00 +0100 | [diff] [blame] | 839 | used will generally be "poll". See also "nopoll". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 840 | |
| 841 | nokqueue |
| 842 | Disables the use of the "kqueue" event polling system on BSD. It is |
| 843 | equivalent to the command-line argument "-dk". The next polling system |
| 844 | used will generally be "poll". See also "nopoll". |
| 845 | |
| 846 | nopoll |
| 847 | Disables the use of the "poll" event polling system. It is equivalent to the |
| 848 | command-line argument "-dp". The next polling system used will be "select". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 849 | It should never be needed to disable "poll" since it's available on all |
Willy Tarreau | e9f49e7 | 2012-11-11 17:42:00 +0100 | [diff] [blame] | 850 | platforms supported by HAProxy. See also "nokqueue" and "noepoll". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 851 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 852 | nosplice |
| 853 | Disables the use of kernel tcp splicing between sockets on Linux. It is |
| 854 | equivalent to the command line argument "-dS". Data will then be copied |
| 855 | using conventional and more portable recv/send calls. Kernel tcp splicing is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 856 | limited to some very recent instances of kernel 2.6. Most versions between |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 857 | 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not |
| 858 | be used. This option makes it easier to globally disable kernel splicing in |
| 859 | case of doubt. See also "option splice-auto", "option splice-request" and |
| 860 | "option splice-response". |
| 861 | |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 862 | nogetaddrinfo |
| 863 | Disables the use of getaddrinfo(3) for name resolving. It is equivalent to |
| 864 | the command line argument "-dG". Deprecated gethostbyname(3) will be used. |
| 865 | |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 866 | spread-checks <0..50, in percent> |
Simon Horman | d60d691 | 2013-11-25 10:46:36 +0900 | [diff] [blame] | 867 | Sometimes it is desirable to avoid sending agent and health checks to |
| 868 | servers at exact intervals, for instance when many logical servers are |
| 869 | located on the same physical server. With the help of this parameter, it |
| 870 | becomes possible to add some randomness in the check interval between 0 |
| 871 | and +/- 50%. A value between 2 and 5 seems to show good results. The |
| 872 | default value remains at 0. |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 873 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 874 | tune.bufsize <number> |
| 875 | Sets the buffer size to this size (in bytes). Lower values allow more |
| 876 | sessions to coexist in the same amount of RAM, and higher values allow some |
| 877 | applications with very large cookies to work. The default value is 16384 and |
| 878 | can be changed at build time. It is strongly recommended not to change this |
| 879 | from the default value, as very low values will break some services such as |
| 880 | statistics, and values larger than default size will increase memory usage, |
| 881 | possibly causing the system to run out of memory. At least the global maxconn |
| 882 | parameter should be decreased by the same factor as this one is increased. |
Dmitry Sivachenko | f6f4f7b | 2012-10-21 18:10:25 +0400 | [diff] [blame] | 883 | If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will |
| 884 | return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger |
| 885 | than this size, haproxy will return HTTP 502 (Bad Gateway). |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 886 | |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 887 | tune.chksize <number> |
| 888 | Sets the check buffer size to this size (in bytes). Higher values may help |
| 889 | find string or regex patterns in very large pages, though doing so may imply |
| 890 | more memory and CPU usage. The default value is 16384 and can be changed at |
| 891 | build time. It is not recommended to change this value, but to use better |
| 892 | checks whenever possible. |
| 893 | |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 894 | tune.comp.maxlevel <number> |
| 895 | Sets the maximum compression level. The compression level affects CPU |
| 896 | usage during compression. This value affects CPU usage during compression. |
| 897 | Each session using compression initializes the compression algorithm with |
| 898 | this value. The default value is 1. |
| 899 | |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 900 | tune.http.cookielen <number> |
| 901 | Sets the maximum length of captured cookies. This is the maximum value that |
| 902 | the "capture cookie xxx len yyy" will be allowed to take, and any upper value |
| 903 | will automatically be truncated to this one. It is important not to set too |
| 904 | high a value because all cookie captures still allocate this size whatever |
| 905 | their configured value (they share a same pool). This value is per request |
| 906 | per response, so the memory allocated is twice this value per connection. |
| 907 | When not specified, the limit is set to 63 characters. It is recommended not |
| 908 | to change this value. |
| 909 | |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 910 | tune.http.maxhdr <number> |
| 911 | Sets the maximum number of headers in a request. When a request comes with a |
| 912 | number of headers greater than this value (including the first line), it is |
| 913 | rejected with a "400 Bad Request" status code. Similarly, too large responses |
| 914 | are blocked with "502 Bad Gateway". The default value is 101, which is enough |
| 915 | for all usages, considering that the widely deployed Apache server uses the |
| 916 | same limit. It can be useful to push this limit further to temporarily allow |
| 917 | a buggy application to work by the time it gets fixed. Keep in mind that each |
| 918 | new header consumes 32bits of memory for each session, so don't push this |
| 919 | limit too high. |
| 920 | |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 921 | tune.idletimer <timeout> |
| 922 | Sets the duration after which haproxy will consider that an empty buffer is |
| 923 | probably associated with an idle stream. This is used to optimally adjust |
| 924 | some packet sizes while forwarding large and small data alternatively. The |
| 925 | decision to use splice() or to send large buffers in SSL is modulated by this |
| 926 | parameter. The value is in milliseconds between 0 and 65535. A value of zero |
| 927 | means that haproxy will not try to detect idle streams. The default is 1000, |
| 928 | which seems to correctly detect end user pauses (eg: read a page before |
| 929 | clicking). There should be not reason for changing this value. Please check |
| 930 | tune.ssl.maxrecord below. |
| 931 | |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 932 | tune.maxaccept <number> |
Willy Tarreau | 16a2147 | 2012-11-19 12:39:59 +0100 | [diff] [blame] | 933 | Sets the maximum number of consecutive connections a process may accept in a |
| 934 | row before switching to other work. In single process mode, higher numbers |
| 935 | give better performance at high connection rates. However in multi-process |
| 936 | modes, keeping a bit of fairness between processes generally is better to |
| 937 | increase performance. This value applies individually to each listener, so |
| 938 | that the number of processes a listener is bound to is taken into account. |
| 939 | This value defaults to 64. In multi-process mode, it is divided by twice |
| 940 | the number of processes the listener is bound to. Setting this value to -1 |
| 941 | completely disables the limitation. It should normally not be needed to tweak |
| 942 | this value. |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 943 | |
| 944 | tune.maxpollevents <number> |
| 945 | Sets the maximum amount of events that can be processed at once in a call to |
| 946 | the polling system. The default value is adapted to the operating system. It |
| 947 | has been noticed that reducing it below 200 tends to slightly decrease |
| 948 | latency at the expense of network bandwidth, and increasing it above 200 |
| 949 | tends to trade latency for slightly increased bandwidth. |
| 950 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 951 | tune.maxrewrite <number> |
| 952 | Sets the reserved buffer space to this size in bytes. The reserved space is |
| 953 | used for header rewriting or appending. The first reads on sockets will never |
| 954 | fill more than bufsize-maxrewrite. Historically it has defaulted to half of |
| 955 | bufsize, though that does not make much sense since there are rarely large |
| 956 | numbers of headers to add. Setting it too high prevents processing of large |
| 957 | requests or responses. Setting it too low prevents addition of new headers |
| 958 | to already large requests or to POST requests. It is generally wise to set it |
| 959 | to about 1024. It is automatically readjusted to half of bufsize if it is |
| 960 | larger than that. This means you don't have to worry about it when changing |
| 961 | bufsize. |
| 962 | |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 963 | tune.pipesize <number> |
| 964 | Sets the kernel pipe buffer size to this size (in bytes). By default, pipes |
| 965 | are the default size for the system. But sometimes when using TCP splicing, |
| 966 | it can improve performance to increase pipe sizes, especially if it is |
| 967 | suspected that pipes are not filled and that many calls to splice() are |
| 968 | performed. This has an impact on the kernel's memory footprint, so this must |
| 969 | not be changed if impacts are not understood. |
| 970 | |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 971 | tune.rcvbuf.client <number> |
| 972 | tune.rcvbuf.server <number> |
| 973 | Forces the kernel socket receive buffer size on the client or the server side |
| 974 | to the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 975 | and backends. It should normally never be set, and the default size (0) lets |
| 976 | the kernel autotune this value depending on the amount of available memory. |
| 977 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 978 | order to save kernel memory by preventing it from buffering too large amounts |
| 979 | of received data. Lower values will significantly increase CPU usage though. |
| 980 | |
| 981 | tune.sndbuf.client <number> |
| 982 | tune.sndbuf.server <number> |
| 983 | Forces the kernel socket send buffer size on the client or the server side to |
| 984 | the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 985 | and backends. It should normally never be set, and the default size (0) lets |
| 986 | the kernel autotune this value depending on the amount of available memory. |
| 987 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 988 | order to save kernel memory by preventing it from buffering too large amounts |
| 989 | of received data. Lower values will significantly increase CPU usage though. |
| 990 | Another use case is to prevent write timeouts with extremely slow clients due |
| 991 | to the kernel waiting for a large part of the buffer to be read before |
| 992 | notifying haproxy again. |
| 993 | |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 994 | tune.ssl.cachesize <number> |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 995 | Sets the size of the global SSL session cache, in a number of blocks. A block |
| 996 | is large enough to contain an encoded session without peer certificate. |
| 997 | An encoded session with peer certificate is stored in multiple blocks |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 998 | depending on the size of the peer certificate. A block uses approximately |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 999 | 200 bytes of memory. The default value may be forced at build time, otherwise |
| 1000 | defaults to 20000. When the cache is full, the most idle entries are purged |
| 1001 | and reassigned. Higher values reduce the occurrence of such a purge, hence |
| 1002 | the number of CPU-intensive SSL handshakes by ensuring that all users keep |
| 1003 | their session as long as possible. All entries are pre-allocated upon startup |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 1004 | and are shared between all processes if "nbproc" is greater than 1. Setting |
| 1005 | this value to 0 disables the SSL session cache. |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 1006 | |
Emeric Brun | 8dc6039 | 2014-05-09 13:52:00 +0200 | [diff] [blame] | 1007 | tune.ssl.force-private-cache |
| 1008 | This boolean disables SSL session cache sharing between all processes. It |
| 1009 | should normally not be used since it will force many renegotiations due to |
| 1010 | clients hitting a random process. But it may be required on some operating |
| 1011 | systems where none of the SSL cache synchronization method may be used. In |
| 1012 | this case, adding a first layer of hash-based load balancing before the SSL |
| 1013 | layer might limit the impact of the lack of session sharing. |
| 1014 | |
Emeric Brun | 4f65bff | 2012-11-16 15:11:00 +0100 | [diff] [blame] | 1015 | tune.ssl.lifetime <timeout> |
| 1016 | Sets how long a cached SSL session may remain valid. This time is expressed |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1017 | in seconds and defaults to 300 (5 min). It is important to understand that it |
Emeric Brun | 4f65bff | 2012-11-16 15:11:00 +0100 | [diff] [blame] | 1018 | does not guarantee that sessions will last that long, because if the cache is |
| 1019 | full, the longest idle sessions will be purged despite their configured |
| 1020 | lifetime. The real usefulness of this setting is to prevent sessions from |
| 1021 | being used for too long. |
| 1022 | |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 1023 | tune.ssl.maxrecord <number> |
| 1024 | Sets the maximum amount of bytes passed to SSL_write() at a time. Default |
| 1025 | value 0 means there is no limit. Over SSL/TLS, the client can decipher the |
| 1026 | data only once it has received a full record. With large records, it means |
| 1027 | that clients might have to download up to 16kB of data before starting to |
| 1028 | process them. Limiting the value can improve page load times on browsers |
| 1029 | located over high latency or low bandwidth networks. It is suggested to find |
| 1030 | optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over |
| 1031 | Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled), |
| 1032 | keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and |
| 1033 | 2859 gave good results during tests. Use "strace -e trace=write" to find the |
Willy Tarreau | 7e31273 | 2014-02-12 16:35:14 +0100 | [diff] [blame] | 1034 | best value. Haproxy will automatically switch to this setting after an idle |
| 1035 | stream has been detected (see tune.idletimer above). |
Willy Tarreau | bfd5946 | 2013-02-21 07:46:09 +0100 | [diff] [blame] | 1036 | |
Remi Gacogne | f46cd6e | 2014-06-12 14:58:40 +0200 | [diff] [blame] | 1037 | tune.ssl.default-dh-param <number> |
| 1038 | Sets the maximum size of the Diffie-Hellman parameters used for generating |
| 1039 | the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The |
| 1040 | final size will try to match the size of the server's RSA (or DSA) key (e.g, |
| 1041 | a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed |
| 1042 | this maximum value. Default value if 1024. Only 1024 or higher values are |
| 1043 | allowed. Higher values will increase the CPU load, and values greater than |
| 1044 | 1024 bits are not supported by Java 7 and earlier clients. This value is not |
| 1045 | used if static Diffie-Hellman parameters are supplied via the certificate file. |
| 1046 | |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 1047 | tune.zlib.memlevel <number> |
| 1048 | Sets the memLevel parameter in zlib initialization for each session. It |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1049 | defines how much memory should be allocated for the internal compression |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 1050 | state. A value of 1 uses minimum memory but is slow and reduces compression |
| 1051 | ratio, a value of 9 uses maximum memory for optimal speed. Can be a value |
| 1052 | between 1 and 9. The default value is 8. |
| 1053 | |
| 1054 | tune.zlib.windowsize <number> |
| 1055 | Sets the window size (the size of the history buffer) as a parameter of the |
| 1056 | zlib initialization for each session. Larger values of this parameter result |
| 1057 | in better compression at the expense of memory usage. Can be a value between |
| 1058 | 8 and 15. The default value is 15. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1059 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1060 | 3.3. Debugging |
| 1061 | -------------- |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1062 | |
| 1063 | debug |
| 1064 | Enables debug mode which dumps to stdout all exchanges, and disables forking |
| 1065 | into background. It is the equivalent of the command-line argument "-d". It |
| 1066 | should never be used in a production configuration since it may prevent full |
| 1067 | system startup. |
| 1068 | |
| 1069 | quiet |
| 1070 | Do not display any message during startup. It is equivalent to the command- |
| 1071 | line argument "-q". |
| 1072 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1073 | |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1074 | 3.4. Userlists |
| 1075 | -------------- |
| 1076 | It is possible to control access to frontend/backend/listen sections or to |
| 1077 | http stats by allowing only authenticated and authorized users. To do this, |
| 1078 | it is required to create at least one userlist and to define users. |
| 1079 | |
| 1080 | userlist <listname> |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 1081 | Creates new userlist with name <listname>. Many independent userlists can be |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1082 | used to store authentication & authorization data for independent customers. |
| 1083 | |
| 1084 | group <groupname> [users <user>,<user>,(...)] |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 1085 | Adds group <groupname> to the current userlist. It is also possible to |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1086 | attach users to this group by using a comma separated list of names |
| 1087 | proceeded by "users" keyword. |
| 1088 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1089 | user <username> [password|insecure-password <password>] |
| 1090 | [groups <group>,<group>,(...)] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1091 | Adds user <username> to the current userlist. Both secure (encrypted) and |
| 1092 | insecure (unencrypted) passwords can be used. Encrypted passwords are |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 1093 | evaluated using the crypt(3) function so depending of the system's |
| 1094 | capabilities, different algorithms are supported. For example modern Glibc |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1095 | based Linux system supports MD5, SHA-256, SHA-512 and of course classic, |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1096 | DES-based method of encrypting passwords. |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1097 | |
| 1098 | |
| 1099 | Example: |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1100 | userlist L1 |
| 1101 | group G1 users tiger,scott |
| 1102 | group G2 users xdb,scott |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1103 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1104 | user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91 |
| 1105 | user scott insecure-password elgato |
| 1106 | user xdb insecure-password hello |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1107 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1108 | userlist L2 |
| 1109 | group G1 |
| 1110 | group G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1111 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1112 | user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1 |
| 1113 | user scott insecure-password elgato groups G1,G2 |
| 1114 | user xdb insecure-password hello groups G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 1115 | |
| 1116 | Please note that both lists are functionally identical. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1117 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1118 | |
| 1119 | 3.5. Peers |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1120 | ---------- |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1121 | It is possible to synchronize server entries in stick tables between several |
| 1122 | haproxy instances over TCP connections in a multi-master fashion. Each instance |
| 1123 | pushes its local updates and insertions to remote peers. Server IDs are used to |
| 1124 | identify servers remotely, so it is important that configurations look similar |
| 1125 | or at least that the same IDs are forced on each server on all participants. |
| 1126 | Interrupted exchanges are automatically detected and recovered from the last |
| 1127 | known point. In addition, during a soft restart, the old process connects to |
| 1128 | the new one using such a TCP connection to push all its entries before the new |
| 1129 | process tries to connect to other peers. That ensures very fast replication |
| 1130 | during a reload, it typically takes a fraction of a second even for large |
| 1131 | tables. |
| 1132 | |
| 1133 | peers <peersect> |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 1134 | Creates a new peer list with name <peersect>. It is an independent section, |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1135 | which is referenced by one or more stick-tables. |
| 1136 | |
| 1137 | peer <peername> <ip>:<port> |
| 1138 | Defines a peer inside a peers section. |
| 1139 | If <peername> is set to the local peer name (by default hostname, or forced |
| 1140 | using "-L" command line option), haproxy will listen for incoming remote peer |
| 1141 | connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to |
| 1142 | to join the remote peer, and <peername> is used at the protocol level to |
| 1143 | identify and validate the remote peer on the server side. |
| 1144 | |
| 1145 | During a soft restart, local peer <ip>:<port> is used by the old instance to |
| 1146 | connect the new one and initiate a complete replication (teaching process). |
| 1147 | |
| 1148 | It is strongly recommended to have the exact same peers declaration on all |
| 1149 | peers and to only rely on the "-L" command line argument to change the local |
| 1150 | peer name. This makes it easier to maintain coherent configuration files |
| 1151 | across all peers. |
| 1152 | |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 1153 | Any part of the address string may reference any number of environment |
| 1154 | variables by preceding their name with a dollar sign ('$') and optionally |
| 1155 | enclosing them with braces ('{}'), similarly to what is done in Bourne shell. |
| 1156 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1157 | Example: |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1158 | peers mypeers |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 1159 | peer haproxy1 192.168.0.1:1024 |
| 1160 | peer haproxy2 192.168.0.2:1024 |
| 1161 | peer haproxy3 10.2.0.1:1024 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1162 | |
| 1163 | backend mybackend |
| 1164 | mode tcp |
| 1165 | balance roundrobin |
| 1166 | stick-table type ip size 20k peers mypeers |
| 1167 | stick on src |
| 1168 | |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 1169 | server srv1 192.168.0.30:80 |
| 1170 | server srv2 192.168.0.31:80 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1171 | |
| 1172 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1173 | 4. Proxies |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1174 | ---------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1175 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1176 | Proxy configuration can be located in a set of sections : |
| 1177 | - defaults <name> |
| 1178 | - frontend <name> |
| 1179 | - backend <name> |
| 1180 | - listen <name> |
| 1181 | |
| 1182 | A "defaults" section sets default parameters for all other sections following |
| 1183 | its declaration. Those default parameters are reset by the next "defaults" |
| 1184 | section. See below for the list of parameters which can be set in a "defaults" |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1185 | section. The name is optional but its use is encouraged for better readability. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1186 | |
| 1187 | A "frontend" section describes a set of listening sockets accepting client |
| 1188 | connections. |
| 1189 | |
| 1190 | A "backend" section describes a set of servers to which the proxy will connect |
| 1191 | to forward incoming connections. |
| 1192 | |
| 1193 | A "listen" section defines a complete proxy with its frontend and backend |
| 1194 | parts combined in one section. It is generally useful for TCP-only traffic. |
| 1195 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1196 | All proxy names must be formed from upper and lower case letters, digits, |
| 1197 | '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are |
| 1198 | case-sensitive, which means that "www" and "WWW" are two different proxies. |
| 1199 | |
| 1200 | Historically, all proxy names could overlap, it just caused troubles in the |
| 1201 | logs. Since the introduction of content switching, it is mandatory that two |
| 1202 | proxies with overlapping capabilities (frontend/backend) have different names. |
| 1203 | However, it is still permitted that a frontend and a backend share the same |
| 1204 | name, as this configuration seems to be commonly encountered. |
| 1205 | |
| 1206 | Right now, two major proxy modes are supported : "tcp", also known as layer 4, |
| 1207 | and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1208 | bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1209 | protocol, and can interact with it by allowing, blocking, switching, adding, |
| 1210 | modifying, or removing arbitrary contents in requests or responses, based on |
| 1211 | arbitrary criteria. |
| 1212 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 1213 | In HTTP mode, the processing applied to requests and responses flowing over |
| 1214 | a connection depends in the combination of the frontend's HTTP options and |
| 1215 | the backend's. HAProxy supports 5 connection modes : |
| 1216 | |
| 1217 | - KAL : keep alive ("option http-keep-alive") which is the default mode : all |
| 1218 | requests and responses are processed, and connections remain open but idle |
| 1219 | between responses and new requests. |
| 1220 | |
| 1221 | - TUN: tunnel ("option http-tunnel") : this was the default mode for versions |
| 1222 | 1.0 to 1.5-dev21 : only the first request and response are processed, and |
| 1223 | everything else is forwarded with no analysis at all. This mode should not |
| 1224 | be used as it creates lots of trouble with logging and HTTP processing. |
| 1225 | |
| 1226 | - PCL: passive close ("option httpclose") : exactly the same as tunnel mode, |
| 1227 | but with "Connection: close" appended in both directions to try to make |
| 1228 | both ends close after the first request/response exchange. |
| 1229 | |
| 1230 | - SCL: server close ("option http-server-close") : the server-facing |
| 1231 | connection is closed after the end of the response is received, but the |
| 1232 | client-facing connection remains open. |
| 1233 | |
| 1234 | - FCL: forced close ("option forceclose") : the connection is actively closed |
| 1235 | after the end of the response. |
| 1236 | |
| 1237 | The effective mode that will be applied to a connection passing through a |
| 1238 | frontend and a backend can be determined by both proxy modes according to the |
| 1239 | following matrix, but in short, the modes are symmetric, keep-alive is the |
| 1240 | weakest option and force close is the strongest. |
| 1241 | |
| 1242 | Backend mode |
| 1243 | |
| 1244 | | KAL | TUN | PCL | SCL | FCL |
| 1245 | ----+-----+-----+-----+-----+---- |
| 1246 | KAL | KAL | TUN | PCL | SCL | FCL |
| 1247 | ----+-----+-----+-----+-----+---- |
| 1248 | TUN | TUN | TUN | PCL | SCL | FCL |
| 1249 | Frontend ----+-----+-----+-----+-----+---- |
| 1250 | mode PCL | PCL | PCL | PCL | FCL | FCL |
| 1251 | ----+-----+-----+-----+-----+---- |
| 1252 | SCL | SCL | SCL | FCL | SCL | FCL |
| 1253 | ----+-----+-----+-----+-----+---- |
| 1254 | FCL | FCL | FCL | FCL | FCL | FCL |
| 1255 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1256 | |
Willy Tarreau | 70dffda | 2014-01-30 03:07:23 +0100 | [diff] [blame] | 1257 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1258 | 4.1. Proxy keywords matrix |
| 1259 | -------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1260 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1261 | The following list of keywords is supported. Most of them may only be used in a |
| 1262 | limited set of section types. Some of them are marked as "deprecated" because |
| 1263 | they are inherited from an old syntax which may be confusing or functionally |
| 1264 | limited, and there are new recommended keywords to replace them. Keywords |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1265 | marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1266 | option contstats". This makes sense when the option has been enabled by default |
Willy Tarreau | 3842f00 | 2009-06-14 11:39:52 +0200 | [diff] [blame] | 1267 | and must be disabled for a specific instance. Such options may also be prefixed |
| 1268 | with "default" in order to restore default settings regardless of what has been |
| 1269 | specified in a previous "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1270 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1271 | |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1272 | keyword defaults frontend listen backend |
| 1273 | ------------------------------------+----------+----------+---------+--------- |
| 1274 | acl - X X X |
| 1275 | appsession - - X X |
| 1276 | backlog X X X - |
| 1277 | balance X - X X |
| 1278 | bind - X X - |
| 1279 | bind-process X X X X |
| 1280 | block - X X X |
| 1281 | capture cookie - X X - |
| 1282 | capture request header - X X - |
| 1283 | capture response header - X X - |
| 1284 | clitimeout (deprecated) X X X - |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 1285 | compression X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1286 | contimeout (deprecated) X - X X |
| 1287 | cookie X - X X |
| 1288 | default-server X - X X |
| 1289 | default_backend X X X - |
| 1290 | description - X X X |
| 1291 | disabled X X X X |
| 1292 | dispatch - - X X |
| 1293 | enabled X X X X |
| 1294 | errorfile X X X X |
| 1295 | errorloc X X X X |
| 1296 | errorloc302 X X X X |
| 1297 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1298 | errorloc303 X X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 1299 | force-persist - X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1300 | fullconn X - X X |
| 1301 | grace X X X X |
| 1302 | hash-type X - X X |
| 1303 | http-check disable-on-404 X - X X |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 1304 | http-check expect - - X X |
Willy Tarreau | 7ab6aff | 2010-10-12 06:30:16 +0200 | [diff] [blame] | 1305 | http-check send-state X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1306 | http-request - X X X |
Willy Tarreau | e365c0b | 2013-06-11 16:06:12 +0200 | [diff] [blame] | 1307 | http-response - X X X |
Baptiste Assmann | 2c42ef5 | 2013-10-09 21:57:02 +0200 | [diff] [blame] | 1308 | http-send-name-header - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1309 | id - X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 1310 | ignore-persist - X X X |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 1311 | log (*) X X X X |
Willy Tarreau | c35362a | 2014-04-25 13:58:37 +0200 | [diff] [blame] | 1312 | max-keep-alive-queue X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1313 | maxconn X X X - |
| 1314 | mode X X X X |
| 1315 | monitor fail - X X - |
| 1316 | monitor-net X X X - |
| 1317 | monitor-uri X X X - |
| 1318 | option abortonclose (*) X - X X |
| 1319 | option accept-invalid-http-request (*) X X X - |
| 1320 | option accept-invalid-http-response (*) X - X X |
| 1321 | option allbackups (*) X - X X |
| 1322 | option checkcache (*) X - X X |
| 1323 | option clitcpka (*) X X X - |
| 1324 | option contstats (*) X X X - |
| 1325 | option dontlog-normal (*) X X X - |
| 1326 | option dontlognull (*) X X X - |
| 1327 | option forceclose (*) X X X X |
| 1328 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1329 | option forwardfor X X X X |
Willy Tarreau | 16bfb02 | 2010-01-16 19:48:41 +0100 | [diff] [blame] | 1330 | option http-keep-alive (*) X X X X |
Willy Tarreau | 96e3121 | 2011-05-30 18:10:30 +0200 | [diff] [blame] | 1331 | option http-no-delay (*) X X X X |
Willy Tarreau | 8a8e1d9 | 2010-04-05 16:15:16 +0200 | [diff] [blame] | 1332 | option http-pretend-keepalive (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1333 | option http-server-close (*) X X X X |
Willy Tarreau | 02bce8b | 2014-01-30 00:15:28 +0100 | [diff] [blame] | 1334 | option http-tunnel (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1335 | option http-use-proxy-header (*) X X X - |
| 1336 | option httpchk X - X X |
| 1337 | option httpclose (*) X X X X |
| 1338 | option httplog X X X X |
| 1339 | option http_proxy (*) X X X X |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 1340 | option independent-streams (*) X X X X |
Gabor Lekeny | b4c81e4 | 2010-09-29 18:17:05 +0200 | [diff] [blame] | 1341 | option ldap-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1342 | option log-health-checks (*) X - X X |
| 1343 | option log-separate-errors (*) X X X - |
| 1344 | option logasap (*) X X X - |
| 1345 | option mysql-check X - X X |
Rauf Kuliyev | 38b4156 | 2011-01-04 15:14:13 +0100 | [diff] [blame] | 1346 | option pgsql-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1347 | option nolinger (*) X X X X |
| 1348 | option originalto X X X X |
| 1349 | option persist (*) X - X X |
| 1350 | option redispatch (*) X - X X |
Hervé COMMOWICK | ec032d6 | 2011-08-05 16:23:48 +0200 | [diff] [blame] | 1351 | option redis-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1352 | option smtpchk X - X X |
| 1353 | option socket-stats (*) X X X - |
| 1354 | option splice-auto (*) X X X X |
| 1355 | option splice-request (*) X X X X |
| 1356 | option splice-response (*) X X X X |
| 1357 | option srvtcpka (*) X - X X |
| 1358 | option ssl-hello-chk X - X X |
| 1359 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
Willy Tarreau | ed17985 | 2013-12-16 01:07:00 +0100 | [diff] [blame] | 1360 | option tcp-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1361 | option tcp-smart-accept (*) X X X - |
| 1362 | option tcp-smart-connect (*) X - X X |
| 1363 | option tcpka X X X X |
| 1364 | option tcplog X X X X |
| 1365 | option transparent (*) X - X X |
| 1366 | persist rdp-cookie X - X X |
| 1367 | rate-limit sessions X X X - |
| 1368 | redirect - X X X |
| 1369 | redisp (deprecated) X - X X |
| 1370 | redispatch (deprecated) X - X X |
| 1371 | reqadd - X X X |
| 1372 | reqallow - X X X |
| 1373 | reqdel - X X X |
| 1374 | reqdeny - X X X |
| 1375 | reqiallow - X X X |
| 1376 | reqidel - X X X |
| 1377 | reqideny - X X X |
| 1378 | reqipass - X X X |
| 1379 | reqirep - X X X |
| 1380 | reqisetbe - X X X |
| 1381 | reqitarpit - X X X |
| 1382 | reqpass - X X X |
| 1383 | reqrep - X X X |
| 1384 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1385 | reqsetbe - X X X |
| 1386 | reqtarpit - X X X |
| 1387 | retries X - X X |
| 1388 | rspadd - X X X |
| 1389 | rspdel - X X X |
| 1390 | rspdeny - X X X |
| 1391 | rspidel - X X X |
| 1392 | rspideny - X X X |
| 1393 | rspirep - X X X |
| 1394 | rsprep - X X X |
| 1395 | server - - X X |
| 1396 | source X - X X |
| 1397 | srvtimeout (deprecated) X - X X |
Cyril Bonté | 66c327d | 2010-10-12 00:14:37 +0200 | [diff] [blame] | 1398 | stats admin - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1399 | stats auth X - X X |
| 1400 | stats enable X - X X |
| 1401 | stats hide-version X - X X |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 1402 | stats http-request - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1403 | stats realm X - X X |
| 1404 | stats refresh X - X X |
| 1405 | stats scope X - X X |
| 1406 | stats show-desc X - X X |
| 1407 | stats show-legends X - X X |
| 1408 | stats show-node X - X X |
| 1409 | stats uri X - X X |
| 1410 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1411 | stick match - - X X |
| 1412 | stick on - - X X |
| 1413 | stick store-request - - X X |
Willy Tarreau | d8dc99f | 2011-07-01 11:33:25 +0200 | [diff] [blame] | 1414 | stick store-response - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1415 | stick-table - - X X |
Willy Tarreau | 938c7fe | 2014-04-25 14:21:39 +0200 | [diff] [blame] | 1416 | tcp-check connect - - X X |
| 1417 | tcp-check expect - - X X |
| 1418 | tcp-check send - - X X |
| 1419 | tcp-check send-binary - - X X |
Willy Tarreau | e965652 | 2010-08-17 15:40:09 +0200 | [diff] [blame] | 1420 | tcp-request connection - X X - |
| 1421 | tcp-request content - X X X |
Willy Tarreau | a56235c | 2010-09-14 11:31:36 +0200 | [diff] [blame] | 1422 | tcp-request inspect-delay - X X X |
Emeric Brun | 0a3b67f | 2010-09-24 15:34:53 +0200 | [diff] [blame] | 1423 | tcp-response content - - X X |
| 1424 | tcp-response inspect-delay - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1425 | timeout check X - X X |
| 1426 | timeout client X X X - |
Willy Tarreau | 05cdd96 | 2014-05-10 14:30:07 +0200 | [diff] [blame] | 1427 | timeout client-fin X X X - |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1428 | timeout clitimeout (deprecated) X X X - |
| 1429 | timeout connect X - X X |
| 1430 | timeout contimeout (deprecated) X - X X |
| 1431 | timeout http-keep-alive X X X X |
| 1432 | timeout http-request X X X X |
| 1433 | timeout queue X - X X |
| 1434 | timeout server X - X X |
Willy Tarreau | 05cdd96 | 2014-05-10 14:30:07 +0200 | [diff] [blame] | 1435 | timeout server-fin X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1436 | timeout srvtimeout (deprecated) X - X X |
| 1437 | timeout tarpit X X X X |
Willy Tarreau | ce887fd | 2012-05-12 12:50:00 +0200 | [diff] [blame] | 1438 | timeout tunnel X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1439 | transparent (deprecated) X - X X |
William Lallemand | a73203e | 2012-03-12 12:48:57 +0100 | [diff] [blame] | 1440 | unique-id-format X X X - |
| 1441 | unique-id-header X X X - |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1442 | use_backend - X X - |
Willy Tarreau | 4a5cade | 2012-04-05 21:09:48 +0200 | [diff] [blame] | 1443 | use-server - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1444 | ------------------------------------+----------+----------+---------+--------- |
| 1445 | keyword defaults frontend listen backend |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1446 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1447 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1448 | 4.2. Alphabetically sorted keywords reference |
| 1449 | --------------------------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1450 | |
| 1451 | This section provides a description of each keyword and its usage. |
| 1452 | |
| 1453 | |
| 1454 | acl <aclname> <criterion> [flags] [operator] <value> ... |
| 1455 | Declare or complete an access list. |
| 1456 | May be used in sections : defaults | frontend | listen | backend |
| 1457 | no | yes | yes | yes |
| 1458 | Example: |
| 1459 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1460 | acl invalid_src src_port 0:1023 |
| 1461 | acl local_dst hdr(host) -i localhost |
| 1462 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1463 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1464 | |
| 1465 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1466 | appsession <cookie> len <length> timeout <holdtime> |
| 1467 | [request-learn] [prefix] [mode <path-parameters|query-string>] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1468 | Define session stickiness on an existing application cookie. |
| 1469 | May be used in sections : defaults | frontend | listen | backend |
| 1470 | no | no | yes | yes |
| 1471 | Arguments : |
| 1472 | <cookie> this is the name of the cookie used by the application and which |
| 1473 | HAProxy will have to learn for each new session. |
| 1474 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1475 | <length> this is the max number of characters that will be memorized and |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1476 | checked in each cookie value. |
| 1477 | |
| 1478 | <holdtime> this is the time after which the cookie will be removed from |
| 1479 | memory if unused. If no unit is specified, this time is in |
| 1480 | milliseconds. |
| 1481 | |
Cyril Bonté | bf47aeb | 2009-10-15 00:15:40 +0200 | [diff] [blame] | 1482 | request-learn |
| 1483 | If this option is specified, then haproxy will be able to learn |
| 1484 | the cookie found in the request in case the server does not |
| 1485 | specify any in response. This is typically what happens with |
| 1486 | PHPSESSID cookies, or when haproxy's session expires before |
| 1487 | the application's session and the correct server is selected. |
| 1488 | It is recommended to specify this option to improve reliability. |
| 1489 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1490 | prefix When this option is specified, haproxy will match on the cookie |
| 1491 | prefix (or URL parameter prefix). The appsession value is the |
| 1492 | data following this prefix. |
| 1493 | |
| 1494 | Example : |
| 1495 | appsession ASPSESSIONID len 64 timeout 3h prefix |
| 1496 | |
| 1497 | This will match the cookie ASPSESSIONIDXXXX=XXXXX, |
| 1498 | the appsession value will be XXXX=XXXXX. |
| 1499 | |
| 1500 | mode This option allows to change the URL parser mode. |
| 1501 | 2 modes are currently supported : |
| 1502 | - path-parameters : |
| 1503 | The parser looks for the appsession in the path parameters |
| 1504 | part (each parameter is separated by a semi-colon), which is |
| 1505 | convenient for JSESSIONID for example. |
| 1506 | This is the default mode if the option is not set. |
| 1507 | - query-string : |
| 1508 | In this mode, the parser will look for the appsession in the |
| 1509 | query string. |
| 1510 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1511 | When an application cookie is defined in a backend, HAProxy will check when |
| 1512 | the server sets such a cookie, and will store its value in a table, and |
| 1513 | associate it with the server's identifier. Up to <length> characters from |
| 1514 | the value will be retained. On each connection, haproxy will look for this |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1515 | cookie both in the "Cookie:" headers, and as a URL parameter (depending on |
| 1516 | the mode used). If a known value is found, the client will be directed to the |
| 1517 | server associated with this value. Otherwise, the load balancing algorithm is |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1518 | applied. Cookies are automatically removed from memory when they have been |
| 1519 | unused for a duration longer than <holdtime>. |
| 1520 | |
| 1521 | The definition of an application cookie is limited to one per backend. |
| 1522 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1523 | Note : Consider not using this feature in multi-process mode (nbproc > 1) |
| 1524 | unless you know what you do : memory is not shared between the |
| 1525 | processes, which can result in random behaviours. |
| 1526 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1527 | Example : |
| 1528 | appsession JSESSIONID len 52 timeout 3h |
| 1529 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1530 | See also : "cookie", "capture cookie", "balance", "stick", "stick-table", |
| 1531 | "ignore-persist", "nbproc" and "bind-process". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1532 | |
| 1533 | |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1534 | backlog <conns> |
| 1535 | Give hints to the system about the approximate listen backlog desired size |
| 1536 | May be used in sections : defaults | frontend | listen | backend |
| 1537 | yes | yes | yes | no |
| 1538 | Arguments : |
| 1539 | <conns> is the number of pending connections. Depending on the operating |
| 1540 | system, it may represent the number of already acknowledged |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1541 | connections, of non-acknowledged ones, or both. |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1542 | |
| 1543 | In order to protect against SYN flood attacks, one solution is to increase |
| 1544 | the system's SYN backlog size. Depending on the system, sometimes it is just |
| 1545 | tunable via a system parameter, sometimes it is not adjustable at all, and |
| 1546 | sometimes the system relies on hints given by the application at the time of |
| 1547 | the listen() syscall. By default, HAProxy passes the frontend's maxconn value |
| 1548 | to the listen() syscall. On systems which can make use of this value, it can |
| 1549 | sometimes be useful to be able to specify a different value, hence this |
| 1550 | backlog parameter. |
| 1551 | |
| 1552 | On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is |
| 1553 | used as a hint and the system accepts up to the smallest greater power of |
| 1554 | two, and never more than some limits (usually 32768). |
| 1555 | |
| 1556 | See also : "maxconn" and the target operating system's tuning guide. |
| 1557 | |
| 1558 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1559 | balance <algorithm> [ <arguments> ] |
Willy Tarreau | 226071e | 2014-04-10 11:55:45 +0200 | [diff] [blame] | 1560 | balance url_param <param> [check_post] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1561 | Define the load balancing algorithm to be used in a backend. |
| 1562 | May be used in sections : defaults | frontend | listen | backend |
| 1563 | yes | no | yes | yes |
| 1564 | Arguments : |
| 1565 | <algorithm> is the algorithm used to select a server when doing load |
| 1566 | balancing. This only applies when no persistence information |
| 1567 | is available, or when a connection is redispatched to another |
| 1568 | server. <algorithm> may be one of the following : |
| 1569 | |
| 1570 | roundrobin Each server is used in turns, according to their weights. |
| 1571 | This is the smoothest and fairest algorithm when the server's |
| 1572 | processing time remains equally distributed. This algorithm |
| 1573 | is dynamic, which means that server weights may be adjusted |
Willy Tarreau | 9757a38 | 2009-10-03 12:56:50 +0200 | [diff] [blame] | 1574 | on the fly for slow starts for instance. It is limited by |
Godbach | a34bdc0 | 2013-07-22 07:44:53 +0800 | [diff] [blame] | 1575 | design to 4095 active servers per backend. Note that in some |
Willy Tarreau | 9757a38 | 2009-10-03 12:56:50 +0200 | [diff] [blame] | 1576 | large farms, when a server becomes up after having been down |
| 1577 | for a very short time, it may sometimes take a few hundreds |
| 1578 | requests for it to be re-integrated into the farm and start |
| 1579 | receiving traffic. This is normal, though very rare. It is |
| 1580 | indicated here in case you would have the chance to observe |
| 1581 | it, so that you don't worry. |
| 1582 | |
| 1583 | static-rr Each server is used in turns, according to their weights. |
| 1584 | This algorithm is as similar to roundrobin except that it is |
| 1585 | static, which means that changing a server's weight on the |
| 1586 | fly will have no effect. On the other hand, it has no design |
| 1587 | limitation on the number of servers, and when a server goes |
| 1588 | up, it is always immediately reintroduced into the farm, once |
| 1589 | the full map is recomputed. It also uses slightly less CPU to |
| 1590 | run (around -1%). |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1591 | |
Willy Tarreau | 2d2a7f8 | 2008-03-17 12:07:56 +0100 | [diff] [blame] | 1592 | leastconn The server with the lowest number of connections receives the |
| 1593 | connection. Round-robin is performed within groups of servers |
| 1594 | of the same load to ensure that all servers will be used. Use |
| 1595 | of this algorithm is recommended where very long sessions are |
| 1596 | expected, such as LDAP, SQL, TSE, etc... but is not very well |
| 1597 | suited for protocols using short sessions such as HTTP. This |
| 1598 | algorithm is dynamic, which means that server weights may be |
| 1599 | adjusted on the fly for slow starts for instance. |
| 1600 | |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1601 | first The first server with available connection slots receives the |
Jarno Huuskonen | 0e82b92 | 2014-04-12 18:22:19 +0300 | [diff] [blame] | 1602 | connection. The servers are chosen from the lowest numeric |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1603 | identifier to the highest (see server parameter "id"), which |
| 1604 | defaults to the server's position in the farm. Once a server |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1605 | reaches its maxconn value, the next server is used. It does |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1606 | not make sense to use this algorithm without setting maxconn. |
| 1607 | The purpose of this algorithm is to always use the smallest |
| 1608 | number of servers so that extra servers can be powered off |
| 1609 | during non-intensive hours. This algorithm ignores the server |
| 1610 | weight, and brings more benefit to long session such as RDP |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1611 | or IMAP than HTTP, though it can be useful there too. In |
| 1612 | order to use this algorithm efficiently, it is recommended |
| 1613 | that a cloud controller regularly checks server usage to turn |
| 1614 | them off when unused, and regularly checks backend queue to |
| 1615 | turn new servers on when the queue inflates. Alternatively, |
| 1616 | using "http-check send-state" may inform servers on the load. |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1617 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1618 | source The source IP address is hashed and divided by the total |
| 1619 | weight of the running servers to designate which server will |
| 1620 | receive the request. This ensures that the same client IP |
| 1621 | address will always reach the same server as long as no |
| 1622 | server goes down or up. If the hash result changes due to the |
| 1623 | number of running servers changing, many clients will be |
| 1624 | directed to a different server. This algorithm is generally |
| 1625 | used in TCP mode where no cookie may be inserted. It may also |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1626 | be used on the Internet to provide a best-effort stickiness |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1627 | to clients which refuse session cookies. This algorithm is |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1628 | static by default, which means that changing a server's |
| 1629 | weight on the fly will have no effect, but this can be |
| 1630 | changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1631 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1632 | uri This algorithm hashes either the left part of the URI (before |
| 1633 | the question mark) or the whole URI (if the "whole" parameter |
| 1634 | is present) and divides the hash value by the total weight of |
| 1635 | the running servers. The result designates which server will |
| 1636 | receive the request. This ensures that the same URI will |
| 1637 | always be directed to the same server as long as no server |
| 1638 | goes up or down. This is used with proxy caches and |
| 1639 | anti-virus proxies in order to maximize the cache hit rate. |
| 1640 | Note that this algorithm may only be used in an HTTP backend. |
| 1641 | This algorithm is static by default, which means that |
| 1642 | changing a server's weight on the fly will have no effect, |
| 1643 | but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1644 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1645 | This algorithm supports two optional parameters "len" and |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1646 | "depth", both followed by a positive integer number. These |
| 1647 | options may be helpful when it is needed to balance servers |
| 1648 | based on the beginning of the URI only. The "len" parameter |
| 1649 | indicates that the algorithm should only consider that many |
| 1650 | characters at the beginning of the URI to compute the hash. |
| 1651 | Note that having "len" set to 1 rarely makes sense since most |
| 1652 | URIs start with a leading "/". |
| 1653 | |
| 1654 | The "depth" parameter indicates the maximum directory depth |
| 1655 | to be used to compute the hash. One level is counted for each |
| 1656 | slash in the request. If both parameters are specified, the |
| 1657 | evaluation stops when either is reached. |
| 1658 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1659 | url_param The URL parameter specified in argument will be looked up in |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1660 | the query string of each HTTP GET request. |
| 1661 | |
| 1662 | If the modifier "check_post" is used, then an HTTP POST |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1663 | request entity will be searched for the parameter argument, |
| 1664 | when it is not found in a query string after a question mark |
Willy Tarreau | 226071e | 2014-04-10 11:55:45 +0200 | [diff] [blame] | 1665 | ('?') in the URL. The message body will only start to be |
| 1666 | analyzed once either the advertised amount of data has been |
| 1667 | received or the request buffer is full. In the unlikely event |
| 1668 | that chunked encoding is used, only the first chunk is |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1669 | scanned. Parameter values separated by a chunk boundary, may |
Willy Tarreau | 226071e | 2014-04-10 11:55:45 +0200 | [diff] [blame] | 1670 | be randomly balanced if at all. This keyword used to support |
| 1671 | an optional <max_wait> parameter which is now ignored. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1672 | |
| 1673 | If the parameter is found followed by an equal sign ('=') and |
| 1674 | a value, then the value is hashed and divided by the total |
| 1675 | weight of the running servers. The result designates which |
| 1676 | server will receive the request. |
| 1677 | |
| 1678 | This is used to track user identifiers in requests and ensure |
| 1679 | that a same user ID will always be sent to the same server as |
| 1680 | long as no server goes up or down. If no value is found or if |
| 1681 | the parameter is not found, then a round robin algorithm is |
| 1682 | applied. Note that this algorithm may only be used in an HTTP |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1683 | backend. This algorithm is static by default, which means |
| 1684 | that changing a server's weight on the fly will have no |
| 1685 | effect, but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1686 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1687 | hdr(<name>) The HTTP header <name> will be looked up in each HTTP |
| 1688 | request. Just as with the equivalent ACL 'hdr()' function, |
| 1689 | the header name in parenthesis is not case sensitive. If the |
| 1690 | header is absent or if it does not contain any value, the |
| 1691 | roundrobin algorithm is applied instead. |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1692 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1693 | An optional 'use_domain_only' parameter is available, for |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1694 | reducing the hash algorithm to the main domain part with some |
| 1695 | specific headers such as 'Host'. For instance, in the Host |
| 1696 | value "haproxy.1wt.eu", only "1wt" will be considered. |
| 1697 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1698 | This algorithm is static by default, which means that |
| 1699 | changing a server's weight on the fly will have no effect, |
| 1700 | but this can be changed using "hash-type". |
| 1701 | |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1702 | rdp-cookie |
Hervé COMMOWICK | a3eb39c | 2011-08-05 18:48:51 +0200 | [diff] [blame] | 1703 | rdp-cookie(<name>) |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1704 | The RDP cookie <name> (or "mstshash" if omitted) will be |
| 1705 | looked up and hashed for each incoming TCP request. Just as |
| 1706 | with the equivalent ACL 'req_rdp_cookie()' function, the name |
| 1707 | is not case-sensitive. This mechanism is useful as a degraded |
| 1708 | persistence mode, as it makes it possible to always send the |
| 1709 | same user (or the same session ID) to the same server. If the |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1710 | cookie is not found, the normal roundrobin algorithm is |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1711 | used instead. |
| 1712 | |
| 1713 | Note that for this to work, the frontend must ensure that an |
| 1714 | RDP cookie is already present in the request buffer. For this |
| 1715 | you must use 'tcp-request content accept' rule combined with |
| 1716 | a 'req_rdp_cookie_cnt' ACL. |
| 1717 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1718 | This algorithm is static by default, which means that |
| 1719 | changing a server's weight on the fly will have no effect, |
| 1720 | but this can be changed using "hash-type". |
| 1721 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1722 | See also the rdp_cookie pattern fetch function. |
Simon Horman | ab814e0 | 2011-06-24 14:50:20 +0900 | [diff] [blame] | 1723 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1724 | <arguments> is an optional list of arguments which may be needed by some |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1725 | algorithms. Right now, only "url_param" and "uri" support an |
| 1726 | optional argument. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1727 | |
Willy Tarreau | 3cd9af2 | 2009-03-15 14:06:41 +0100 | [diff] [blame] | 1728 | The load balancing algorithm of a backend is set to roundrobin when no other |
| 1729 | algorithm, mode nor option have been set. The algorithm may only be set once |
| 1730 | for each backend. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1731 | |
| 1732 | Examples : |
| 1733 | balance roundrobin |
| 1734 | balance url_param userid |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1735 | balance url_param session_id check_post 64 |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1736 | balance hdr(User-Agent) |
| 1737 | balance hdr(host) |
| 1738 | balance hdr(Host) use_domain_only |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1739 | |
| 1740 | Note: the following caveats and limitations on using the "check_post" |
| 1741 | extension with "url_param" must be considered : |
| 1742 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1743 | - all POST requests are eligible for consideration, because there is no way |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1744 | to determine if the parameters will be found in the body or entity which |
| 1745 | may contain binary data. Therefore another method may be required to |
| 1746 | restrict consideration of POST requests that have no URL parameters in |
| 1747 | the body. (see acl reqideny http_end) |
| 1748 | |
| 1749 | - using a <max_wait> value larger than the request buffer size does not |
| 1750 | make sense and is useless. The buffer size is set at build time, and |
| 1751 | defaults to 16 kB. |
| 1752 | |
| 1753 | - Content-Encoding is not supported, the parameter search will probably |
| 1754 | fail; and load balancing will fall back to Round Robin. |
| 1755 | |
| 1756 | - Expect: 100-continue is not supported, load balancing will fall back to |
| 1757 | Round Robin. |
| 1758 | |
| 1759 | - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk. |
| 1760 | If the entire parameter value is not present in the first chunk, the |
| 1761 | selection of server is undefined (actually, defined by how little |
| 1762 | actually appeared in the first chunk). |
| 1763 | |
| 1764 | - This feature does not support generation of a 100, 411 or 501 response. |
| 1765 | |
| 1766 | - In some cases, requesting "check_post" MAY attempt to scan the entire |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1767 | contents of a message body. Scanning normally terminates when linear |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1768 | white space or control characters are found, indicating the end of what |
| 1769 | might be a URL parameter list. This is probably not a concern with SGML |
| 1770 | type message bodies. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1771 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1772 | See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and |
| 1773 | "http_proxy". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1774 | |
| 1775 | |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1776 | bind [<address>]:<port_range> [, ...] [param*] |
| 1777 | bind /<path> [, ...] [param*] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1778 | Define one or several listening addresses and/or ports in a frontend. |
| 1779 | May be used in sections : defaults | frontend | listen | backend |
| 1780 | no | yes | yes | no |
| 1781 | Arguments : |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1782 | <address> is optional and can be a host name, an IPv4 address, an IPv6 |
| 1783 | address, or '*'. It designates the address the frontend will |
| 1784 | listen on. If unset, all IPv4 addresses of the system will be |
| 1785 | listened on. The same will apply for '*' or the system's |
David du Colombier | 9c938da | 2011-03-17 10:40:27 +0100 | [diff] [blame] | 1786 | special address "0.0.0.0". The IPv6 equivalent is '::'. |
Willy Tarreau | 2470928 | 2013-03-10 21:32:12 +0100 | [diff] [blame] | 1787 | Optionally, an address family prefix may be used before the |
| 1788 | address to force the family regardless of the address format, |
| 1789 | which can be useful to specify a path to a unix socket with |
| 1790 | no slash ('/'). Currently supported prefixes are : |
| 1791 | - 'ipv4@' -> address is always IPv4 |
| 1792 | - 'ipv6@' -> address is always IPv6 |
| 1793 | - 'unix@' -> address is a path to a local unix socket |
Willy Tarreau | b4fca5d | 2014-07-08 00:37:50 +0200 | [diff] [blame] | 1794 | - 'abns@' -> address is in abstract namespace (Linux only). |
| 1795 | Note: since abstract sockets are not "rebindable", they |
| 1796 | do not cope well with multi-process mode during |
| 1797 | soft-restart, so it is better to avoid them if |
| 1798 | nbproc is greater than 1. The effect is that if the |
| 1799 | new process fails to start, only one of the old ones |
| 1800 | will be able to rebind to the socket. |
Willy Tarreau | 40aa070 | 2013-03-10 23:51:38 +0100 | [diff] [blame] | 1801 | - 'fd@<n>' -> use file descriptor <n> inherited from the |
| 1802 | parent. The fd must be bound and may or may not already |
| 1803 | be listening. |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 1804 | Any part of the address string may reference any number of |
| 1805 | environment variables by preceding their name with a dollar |
| 1806 | sign ('$') and optionally enclosing them with braces ('{}'), |
| 1807 | similarly to what is done in Bourne shell. |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1808 | |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1809 | <port_range> is either a unique TCP port, or a port range for which the |
| 1810 | proxy will accept connections for the IP address specified |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1811 | above. The port is mandatory for TCP listeners. Note that in |
| 1812 | the case of an IPv6 address, the port is always the number |
| 1813 | after the last colon (':'). A range can either be : |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1814 | - a numerical port (ex: '80') |
| 1815 | - a dash-delimited ports range explicitly stating the lower |
| 1816 | and upper bounds (ex: '2000-2100') which are included in |
| 1817 | the range. |
| 1818 | |
| 1819 | Particular care must be taken against port ranges, because |
| 1820 | every <address:port> couple consumes one socket (= a file |
| 1821 | descriptor), so it's easy to consume lots of descriptors |
| 1822 | with a simple range, and to run out of sockets. Also, each |
| 1823 | <address:port> couple must be used only once among all |
| 1824 | instances running on a same system. Please note that binding |
| 1825 | to ports lower than 1024 generally require particular |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 1826 | privileges to start the program, which are independent of |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1827 | the 'uid' parameter. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1828 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1829 | <path> is a UNIX socket path beginning with a slash ('/'). This is |
| 1830 | alternative to the TCP listening port. Haproxy will then |
| 1831 | receive UNIX connections on the socket located at this place. |
| 1832 | The path must begin with a slash and by default is absolute. |
| 1833 | It can be relative to the prefix defined by "unix-bind" in |
| 1834 | the global section. Note that the total length of the prefix |
| 1835 | followed by the socket path cannot exceed some system limits |
| 1836 | for UNIX sockets, which commonly are set to 107 characters. |
| 1837 | |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1838 | <param*> is a list of parameters common to all sockets declared on the |
| 1839 | same line. These numerous parameters depend on OS and build |
| 1840 | options and have a complete section dedicated to them. Please |
| 1841 | refer to section 5 to for more details. |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1842 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1843 | It is possible to specify a list of address:port combinations delimited by |
| 1844 | commas. The frontend will then listen on all of these addresses. There is no |
| 1845 | fixed limit to the number of addresses and ports which can be listened on in |
| 1846 | a frontend, as well as there is no limit to the number of "bind" statements |
| 1847 | in a frontend. |
| 1848 | |
| 1849 | Example : |
| 1850 | listen http_proxy |
| 1851 | bind :80,:443 |
| 1852 | bind 10.0.0.1:10080,10.0.0.1:10443 |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1853 | bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1854 | |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1855 | listen http_https_proxy |
| 1856 | bind :80 |
Cyril Bonté | 0d44fc6 | 2012-10-09 22:45:33 +0200 | [diff] [blame] | 1857 | bind :443 ssl crt /etc/haproxy/site.pem |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1858 | |
Willy Tarreau | 2470928 | 2013-03-10 21:32:12 +0100 | [diff] [blame] | 1859 | listen http_https_proxy_explicit |
| 1860 | bind ipv6@:80 |
| 1861 | bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem |
| 1862 | bind unix@ssl-frontend.sock user root mode 600 accept-proxy |
| 1863 | |
Willy Tarreau | dad36a3 | 2013-03-11 01:20:04 +0100 | [diff] [blame] | 1864 | listen external_bind_app1 |
| 1865 | bind fd@${FD_APP1} |
| 1866 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1867 | See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1868 | documentation, and section 5 about bind options. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1869 | |
| 1870 | |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1871 | bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ... |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1872 | Limit visibility of an instance to a certain set of processes numbers. |
| 1873 | May be used in sections : defaults | frontend | listen | backend |
| 1874 | yes | yes | yes | yes |
| 1875 | Arguments : |
| 1876 | all All process will see this instance. This is the default. It |
| 1877 | may be used to override a default value. |
| 1878 | |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1879 | odd This instance will be enabled on processes 1,3,5,...63. This |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1880 | option may be combined with other numbers. |
| 1881 | |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1882 | even This instance will be enabled on processes 2,4,6,...64. This |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1883 | option may be combined with other numbers. Do not use it |
| 1884 | with less than 2 processes otherwise some instances might be |
| 1885 | missing from all processes. |
| 1886 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 1887 | number The instance will be enabled on this process number or range, |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1888 | whose values must all be between 1 and 32 or 64 depending on |
Willy Tarreau | 102df61 | 2014-05-07 23:56:38 +0200 | [diff] [blame] | 1889 | the machine's word size. If a proxy is bound to process |
| 1890 | numbers greater than the configured global.nbproc, it will |
| 1891 | either be forced to process #1 if a single process was |
| 1892 | specified, or to all processes otherwise. |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1893 | |
| 1894 | This keyword limits binding of certain instances to certain processes. This |
| 1895 | is useful in order not to have too many processes listening to the same |
| 1896 | ports. For instance, on a dual-core machine, it might make sense to set |
| 1897 | 'nbproc 2' in the global section, then distributes the listeners among 'odd' |
| 1898 | and 'even' instances. |
| 1899 | |
Willy Tarreau | a9db57e | 2013-01-18 11:29:29 +0100 | [diff] [blame] | 1900 | At the moment, it is not possible to reference more than 32 or 64 processes |
| 1901 | using this keyword, but this should be more than enough for most setups. |
| 1902 | Please note that 'all' really means all processes regardless of the machine's |
| 1903 | word size, and is not limited to the first 32 or 64. |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1904 | |
Willy Tarreau | 6ae1ba6 | 2014-05-07 19:01:58 +0200 | [diff] [blame] | 1905 | Each "bind" line may further be limited to a subset of the proxy's processes, |
| 1906 | please consult the "process" bind keyword in section 5.1. |
| 1907 | |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1908 | If some backends are referenced by frontends bound to other processes, the |
| 1909 | backend automatically inherits the frontend's processes. |
| 1910 | |
| 1911 | Example : |
| 1912 | listen app_ip1 |
| 1913 | bind 10.0.0.1:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1914 | bind-process odd |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1915 | |
| 1916 | listen app_ip2 |
| 1917 | bind 10.0.0.2:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1918 | bind-process even |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1919 | |
| 1920 | listen management |
| 1921 | bind 10.0.0.3:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1922 | bind-process 1 2 3 4 |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1923 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 1924 | listen management |
| 1925 | bind 10.0.0.4:80 |
| 1926 | bind-process 1-4 |
| 1927 | |
Willy Tarreau | 6ae1ba6 | 2014-05-07 19:01:58 +0200 | [diff] [blame] | 1928 | See also : "nbproc" in global section, and "process" in section 5.1. |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1929 | |
| 1930 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1931 | block { if | unless } <condition> |
| 1932 | Block a layer 7 request if/unless a condition is matched |
| 1933 | May be used in sections : defaults | frontend | listen | backend |
| 1934 | no | yes | yes | yes |
| 1935 | |
| 1936 | The HTTP request will be blocked very early in the layer 7 processing |
| 1937 | if/unless <condition> is matched. A 403 error will be returned if the request |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1938 | is blocked. The condition has to reference ACLs (see section 7). This is |
Willy Tarreau | 3c92c5f | 2011-08-28 09:45:47 +0200 | [diff] [blame] | 1939 | typically used to deny access to certain sensitive resources if some |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1940 | conditions are met or not met. There is no fixed limit to the number of |
| 1941 | "block" statements per instance. |
| 1942 | |
| 1943 | Example: |
| 1944 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1945 | acl invalid_src src_port 0:1023 |
| 1946 | acl local_dst hdr(host) -i localhost |
| 1947 | block if invalid_src || local_dst |
| 1948 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1949 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1950 | |
| 1951 | |
| 1952 | capture cookie <name> len <length> |
| 1953 | Capture and log a cookie in the request and in the response. |
| 1954 | May be used in sections : defaults | frontend | listen | backend |
| 1955 | no | yes | yes | no |
| 1956 | Arguments : |
| 1957 | <name> is the beginning of the name of the cookie to capture. In order |
| 1958 | to match the exact name, simply suffix the name with an equal |
| 1959 | sign ('='). The full name will appear in the logs, which is |
| 1960 | useful with application servers which adjust both the cookie name |
| 1961 | and value (eg: ASPSESSIONXXXXX). |
| 1962 | |
| 1963 | <length> is the maximum number of characters to report in the logs, which |
| 1964 | include the cookie name, the equal sign and the value, all in the |
| 1965 | standard "name=value" form. The string will be truncated on the |
| 1966 | right if it exceeds <length>. |
| 1967 | |
| 1968 | Only the first cookie is captured. Both the "cookie" request headers and the |
| 1969 | "set-cookie" response headers are monitored. This is particularly useful to |
| 1970 | check for application bugs causing session crossing or stealing between |
| 1971 | users, because generally the user's cookies can only change on a login page. |
| 1972 | |
| 1973 | When the cookie was not presented by the client, the associated log column |
| 1974 | will report "-". When a request does not cause a cookie to be assigned by the |
| 1975 | server, a "-" is reported in the response column. |
| 1976 | |
| 1977 | The capture is performed in the frontend only because it is necessary that |
| 1978 | the log format does not change for a given frontend depending on the |
| 1979 | backends. This may change in the future. Note that there can be only one |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 1980 | "capture cookie" statement in a frontend. The maximum capture length is set |
| 1981 | by the global "tune.http.cookielen" setting and defaults to 63 characters. It |
| 1982 | is not possible to specify a capture in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1983 | |
| 1984 | Example: |
| 1985 | capture cookie ASPSESSION len 32 |
| 1986 | |
| 1987 | See also : "capture request header", "capture response header" as well as |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1988 | section 8 about logging. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1989 | |
| 1990 | |
| 1991 | capture request header <name> len <length> |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 1992 | Capture and log the last occurrence of the specified request header. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1993 | May be used in sections : defaults | frontend | listen | backend |
| 1994 | no | yes | yes | no |
| 1995 | Arguments : |
| 1996 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1997 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1998 | appear in the requests, with the first letter of each word in |
| 1999 | upper case. The header name will not appear in the logs, only the |
| 2000 | value is reported, but the position in the logs is respected. |
| 2001 | |
| 2002 | <length> is the maximum number of characters to extract from the value and |
| 2003 | report in the logs. The string will be truncated on the right if |
| 2004 | it exceeds <length>. |
| 2005 | |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 2006 | The complete value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2007 | value will be added to the logs between braces ('{}'). If multiple headers |
| 2008 | are captured, they will be delimited by a vertical bar ('|') and will appear |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 2009 | in the same order they were declared in the configuration. Non-existent |
| 2010 | headers will be logged just as an empty string. Common uses for request |
| 2011 | header captures include the "Host" field in virtual hosting environments, the |
| 2012 | "Content-length" when uploads are supported, "User-agent" to quickly |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2013 | differentiate between real users and robots, and "X-Forwarded-For" in proxied |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 2014 | environments to find where the request came from. |
| 2015 | |
| 2016 | Note that when capturing headers such as "User-agent", some spaces may be |
| 2017 | logged, making the log analysis more difficult. Thus be careful about what |
| 2018 | you log if you know your log parser is not smart enough to rely on the |
| 2019 | braces. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2020 | |
Willy Tarreau | 0900abb | 2012-11-22 00:21:46 +0100 | [diff] [blame] | 2021 | There is no limit to the number of captured request headers nor to their |
| 2022 | length, though it is wise to keep them low to limit memory usage per session. |
| 2023 | In order to keep log format consistent for a same frontend, header captures |
| 2024 | can only be declared in a frontend. It is not possible to specify a capture |
| 2025 | in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2026 | |
| 2027 | Example: |
| 2028 | capture request header Host len 15 |
| 2029 | capture request header X-Forwarded-For len 15 |
| 2030 | capture request header Referrer len 15 |
| 2031 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2032 | See also : "capture cookie", "capture response header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2033 | about logging. |
| 2034 | |
| 2035 | |
| 2036 | capture response header <name> len <length> |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 2037 | Capture and log the last occurrence of the specified response header. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2038 | May be used in sections : defaults | frontend | listen | backend |
| 2039 | no | yes | yes | no |
| 2040 | Arguments : |
| 2041 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2042 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2043 | appear in the response, with the first letter of each word in |
| 2044 | upper case. The header name will not appear in the logs, only the |
| 2045 | value is reported, but the position in the logs is respected. |
| 2046 | |
| 2047 | <length> is the maximum number of characters to extract from the value and |
| 2048 | report in the logs. The string will be truncated on the right if |
| 2049 | it exceeds <length>. |
| 2050 | |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 2051 | The complete value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2052 | result will be added to the logs between braces ('{}') after the captured |
| 2053 | request headers. If multiple headers are captured, they will be delimited by |
| 2054 | a vertical bar ('|') and will appear in the same order they were declared in |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 2055 | the configuration. Non-existent headers will be logged just as an empty |
| 2056 | string. Common uses for response header captures include the "Content-length" |
| 2057 | header which indicates how many bytes are expected to be returned, the |
| 2058 | "Location" header to track redirections. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2059 | |
Willy Tarreau | 0900abb | 2012-11-22 00:21:46 +0100 | [diff] [blame] | 2060 | There is no limit to the number of captured response headers nor to their |
| 2061 | length, though it is wise to keep them low to limit memory usage per session. |
| 2062 | In order to keep log format consistent for a same frontend, header captures |
| 2063 | can only be declared in a frontend. It is not possible to specify a capture |
| 2064 | in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2065 | |
| 2066 | Example: |
| 2067 | capture response header Content-length len 9 |
| 2068 | capture response header Location len 15 |
| 2069 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 2070 | See also : "capture cookie", "capture request header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2071 | about logging. |
| 2072 | |
| 2073 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2074 | clitimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2075 | Set the maximum inactivity time on the client side. |
| 2076 | May be used in sections : defaults | frontend | listen | backend |
| 2077 | yes | yes | yes | no |
| 2078 | Arguments : |
| 2079 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 2080 | can be in any other unit if the number is suffixed by the unit, |
| 2081 | as explained at the top of this document. |
| 2082 | |
| 2083 | The inactivity timeout applies when the client is expected to acknowledge or |
| 2084 | send data. In HTTP mode, this timeout is particularly important to consider |
| 2085 | during the first phase, when the client sends the request, and during the |
| 2086 | response while it is reading data sent by the server. The value is specified |
| 2087 | in milliseconds by default, but can be in any other unit if the number is |
| 2088 | suffixed by the unit, as specified at the top of this document. In TCP mode |
| 2089 | (and to a lesser extent, in HTTP mode), it is highly recommended that the |
| 2090 | client timeout remains equal to the server timeout in order to avoid complex |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2091 | situations to debug. It is a good practice to cover one or several TCP packet |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2092 | losses by specifying timeouts that are slightly above multiples of 3 seconds |
| 2093 | (eg: 4 or 5 seconds). |
| 2094 | |
| 2095 | This parameter is specific to frontends, but can be specified once for all in |
| 2096 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 2097 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 2098 | is not recommended. Such a usage is accepted and works but reports a warning |
| 2099 | during startup because it may results in accumulation of expired sessions in |
| 2100 | the system if the system's timeouts are not configured either. |
| 2101 | |
| 2102 | This parameter is provided for compatibility but is currently deprecated. |
| 2103 | Please use "timeout client" instead. |
| 2104 | |
Willy Tarreau | 036fae0 | 2008-01-06 13:24:40 +0100 | [diff] [blame] | 2105 | See also : "timeout client", "timeout http-request", "timeout server", and |
| 2106 | "srvtimeout". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2107 | |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 2108 | compression algo <algorithm> ... |
| 2109 | compression type <mime type> ... |
Willy Tarreau | 70737d1 | 2012-10-27 00:34:28 +0200 | [diff] [blame] | 2110 | compression offload |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 2111 | Enable HTTP compression. |
| 2112 | May be used in sections : defaults | frontend | listen | backend |
| 2113 | yes | yes | yes | yes |
| 2114 | Arguments : |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 2115 | algo is followed by the list of supported compression algorithms. |
| 2116 | type is followed by the list of MIME types that will be compressed. |
| 2117 | offload makes haproxy work as a compression offloader only (see notes). |
| 2118 | |
| 2119 | The currently supported algorithms are : |
Dmitry Sivachenko | 87c208b | 2012-11-22 20:03:26 +0400 | [diff] [blame] | 2120 | identity this is mostly for debugging, and it was useful for developing |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 2121 | the compression feature. Identity does not apply any change on |
| 2122 | data. |
| 2123 | |
| 2124 | gzip applies gzip compression. This setting is only available when |
| 2125 | support for zlib was built in. |
| 2126 | |
| 2127 | deflate same as gzip, but with deflate algorithm and zlib format. |
| 2128 | Note that this algorithm has ambiguous support on many browsers |
| 2129 | and no support at all from recent ones. It is strongly |
| 2130 | recommended not to use it for anything else than experimentation. |
| 2131 | This setting is only available when support for zlib was built |
| 2132 | in. |
| 2133 | |
Dmitry Sivachenko | 87c208b | 2012-11-22 20:03:26 +0400 | [diff] [blame] | 2134 | Compression will be activated depending on the Accept-Encoding request |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 2135 | header. With identity, it does not take care of that header. |
Dmitry Sivachenko | c9f3b45 | 2012-11-28 17:47:11 +0400 | [diff] [blame] | 2136 | If backend servers support HTTP compression, these directives |
| 2137 | will be no-op: haproxy will see the compressed response and will not |
| 2138 | compress again. If backend servers do not support HTTP compression and |
| 2139 | there is Accept-Encoding header in request, haproxy will compress the |
| 2140 | matching response. |
Willy Tarreau | 70737d1 | 2012-10-27 00:34:28 +0200 | [diff] [blame] | 2141 | |
| 2142 | The "offload" setting makes haproxy remove the Accept-Encoding header to |
| 2143 | prevent backend servers from compressing responses. It is strongly |
| 2144 | recommended not to do this because this means that all the compression work |
| 2145 | will be done on the single point where haproxy is located. However in some |
| 2146 | deployment scenarios, haproxy may be installed in front of a buggy gateway |
Dmitry Sivachenko | c9f3b45 | 2012-11-28 17:47:11 +0400 | [diff] [blame] | 2147 | with broken HTTP compression implementation which can't be turned off. |
| 2148 | In that case haproxy can be used to prevent that gateway from emitting |
| 2149 | invalid payloads. In this case, simply removing the header in the |
| 2150 | configuration does not work because it applies before the header is parsed, |
| 2151 | so that prevents haproxy from compressing. The "offload" setting should |
| 2152 | then be used for such scenarios. |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 2153 | |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 2154 | Compression is disabled when: |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 2155 | * the request does not advertise a supported compression algorithm in the |
| 2156 | "Accept-Encoding" header |
| 2157 | * the response message is not HTTP/1.1 |
William Lallemand | d300261 | 2012-11-26 14:34:47 +0100 | [diff] [blame] | 2158 | * HTTP status code is not 200 |
William Lallemand | 8bb4e34 | 2013-12-10 17:28:48 +0100 | [diff] [blame] | 2159 | * response header "Transfer-Encoding" contains "chunked" (Temporary |
| 2160 | Workaround) |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 2161 | * response contain neither a "Content-Length" header nor a |
| 2162 | "Transfer-Encoding" whose last value is "chunked" |
| 2163 | * response contains a "Content-Type" header whose first value starts with |
| 2164 | "multipart" |
| 2165 | * the response contains the "no-transform" value in the "Cache-control" |
| 2166 | header |
| 2167 | * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7 |
| 2168 | and later |
| 2169 | * The response contains a "Content-Encoding" header, indicating that the |
| 2170 | response is already compressed (see compression offload) |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 2171 | |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 2172 | Note: The compression does not rewrite Etag headers, and does not emit the |
| 2173 | Warning header. |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 2174 | |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 2175 | Examples : |
| 2176 | compression algo gzip |
| 2177 | compression type text/html text/plain |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2178 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2179 | contimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2180 | Set the maximum time to wait for a connection attempt to a server to succeed. |
| 2181 | May be used in sections : defaults | frontend | listen | backend |
| 2182 | yes | no | yes | yes |
| 2183 | Arguments : |
| 2184 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 2185 | can be in any other unit if the number is suffixed by the unit, |
| 2186 | as explained at the top of this document. |
| 2187 | |
| 2188 | If the server is located on the same LAN as haproxy, the connection should be |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2189 | immediate (less than a few milliseconds). Anyway, it is a good practice to |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 2190 | cover one or several TCP packet losses by specifying timeouts that are |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2191 | slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the |
| 2192 | connect timeout also presets the queue timeout to the same value if this one |
| 2193 | has not been specified. Historically, the contimeout was also used to set the |
| 2194 | tarpit timeout in a listen section, which is not possible in a pure frontend. |
| 2195 | |
| 2196 | This parameter is specific to backends, but can be specified once for all in |
| 2197 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 2198 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 2199 | is not recommended. Such a usage is accepted and works but reports a warning |
| 2200 | during startup because it may results in accumulation of failed sessions in |
| 2201 | the system if the system's timeouts are not configured either. |
| 2202 | |
| 2203 | This parameter is provided for backwards compatibility but is currently |
| 2204 | deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit" |
| 2205 | instead. |
| 2206 | |
| 2207 | See also : "timeout connect", "timeout queue", "timeout tarpit", |
| 2208 | "timeout server", "contimeout". |
| 2209 | |
| 2210 | |
Willy Tarreau | 55165fe | 2009-05-10 12:02:55 +0200 | [diff] [blame] | 2211 | cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 2212 | [ postonly ] [ preserve ] [ httponly ] [ secure ] |
| 2213 | [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2214 | Enable cookie-based persistence in a backend. |
| 2215 | May be used in sections : defaults | frontend | listen | backend |
| 2216 | yes | no | yes | yes |
| 2217 | Arguments : |
| 2218 | <name> is the name of the cookie which will be monitored, modified or |
| 2219 | inserted in order to bring persistence. This cookie is sent to |
| 2220 | the client via a "Set-Cookie" header in the response, and is |
| 2221 | brought back by the client in a "Cookie" header in all requests. |
| 2222 | Special care should be taken to choose a name which does not |
| 2223 | conflict with any likely application cookie. Also, if the same |
| 2224 | backends are subject to be used by the same clients (eg: |
| 2225 | HTTP/HTTPS), care should be taken to use different cookie names |
| 2226 | between all backends if persistence between them is not desired. |
| 2227 | |
| 2228 | rewrite This keyword indicates that the cookie will be provided by the |
| 2229 | server and that haproxy will have to modify its value to set the |
| 2230 | server's identifier in it. This mode is handy when the management |
| 2231 | of complex combinations of "Set-cookie" and "Cache-control" |
| 2232 | headers is left to the application. The application can then |
| 2233 | decide whether or not it is appropriate to emit a persistence |
| 2234 | cookie. Since all responses should be monitored, this mode only |
| 2235 | works in HTTP close mode. Unless the application behaviour is |
| 2236 | very complex and/or broken, it is advised not to start with this |
| 2237 | mode for new deployments. This keyword is incompatible with |
| 2238 | "insert" and "prefix". |
| 2239 | |
| 2240 | insert This keyword indicates that the persistence cookie will have to |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2241 | be inserted by haproxy in server responses if the client did not |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2242 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2243 | already have a cookie that would have permitted it to access this |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2244 | server. When used without the "preserve" option, if the server |
| 2245 | emits a cookie with the same name, it will be remove before |
| 2246 | processing. For this reason, this mode can be used to upgrade |
| 2247 | existing configurations running in the "rewrite" mode. The cookie |
| 2248 | will only be a session cookie and will not be stored on the |
| 2249 | client's disk. By default, unless the "indirect" option is added, |
| 2250 | the server will see the cookies emitted by the client. Due to |
| 2251 | caching effects, it is generally wise to add the "nocache" or |
| 2252 | "postonly" keywords (see below). The "insert" keyword is not |
| 2253 | compatible with "rewrite" and "prefix". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2254 | |
| 2255 | prefix This keyword indicates that instead of relying on a dedicated |
| 2256 | cookie for the persistence, an existing one will be completed. |
| 2257 | This may be needed in some specific environments where the client |
| 2258 | does not support more than one single cookie and the application |
| 2259 | already needs it. In this case, whenever the server sets a cookie |
| 2260 | named <name>, it will be prefixed with the server's identifier |
| 2261 | and a delimiter. The prefix will be removed from all client |
| 2262 | requests so that the server still finds the cookie it emitted. |
| 2263 | Since all requests and responses are subject to being modified, |
| 2264 | this mode requires the HTTP close mode. The "prefix" keyword is |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 2265 | not compatible with "rewrite" and "insert". Note: it is highly |
| 2266 | recommended not to use "indirect" with "prefix", otherwise server |
| 2267 | cookie updates would not be sent to clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2268 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2269 | indirect When this option is specified, no cookie will be emitted to a |
| 2270 | client which already has a valid one for the server which has |
| 2271 | processed the request. If the server sets such a cookie itself, |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2272 | it will be removed, unless the "preserve" option is also set. In |
| 2273 | "insert" mode, this will additionally remove cookies from the |
| 2274 | requests transmitted to the server, making the persistence |
| 2275 | mechanism totally transparent from an application point of view. |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 2276 | Note: it is highly recommended not to use "indirect" with |
| 2277 | "prefix", otherwise server cookie updates would not be sent to |
| 2278 | clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2279 | |
| 2280 | nocache This option is recommended in conjunction with the insert mode |
| 2281 | when there is a cache between the client and HAProxy, as it |
| 2282 | ensures that a cacheable response will be tagged non-cacheable if |
| 2283 | a cookie needs to be inserted. This is important because if all |
| 2284 | persistence cookies are added on a cacheable home page for |
| 2285 | instance, then all customers will then fetch the page from an |
| 2286 | outer cache and will all share the same persistence cookie, |
| 2287 | leading to one server receiving much more traffic than others. |
| 2288 | See also the "insert" and "postonly" options. |
| 2289 | |
| 2290 | postonly This option ensures that cookie insertion will only be performed |
| 2291 | on responses to POST requests. It is an alternative to the |
| 2292 | "nocache" option, because POST responses are not cacheable, so |
| 2293 | this ensures that the persistence cookie will never get cached. |
| 2294 | Since most sites do not need any sort of persistence before the |
| 2295 | first POST which generally is a login request, this is a very |
| 2296 | efficient method to optimize caching without risking to find a |
| 2297 | persistence cookie in the cache. |
| 2298 | See also the "insert" and "nocache" options. |
| 2299 | |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2300 | preserve This option may only be used with "insert" and/or "indirect". It |
| 2301 | allows the server to emit the persistence cookie itself. In this |
| 2302 | case, if a cookie is found in the response, haproxy will leave it |
| 2303 | untouched. This is useful in order to end persistence after a |
| 2304 | logout request for instance. For this, the server just has to |
| 2305 | emit a cookie with an invalid value (eg: empty) or with a date in |
| 2306 | the past. By combining this mechanism with the "disable-on-404" |
| 2307 | check option, it is possible to perform a completely graceful |
| 2308 | shutdown because users will definitely leave the server after |
| 2309 | they logout. |
| 2310 | |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 2311 | httponly This option tells haproxy to add an "HttpOnly" cookie attribute |
| 2312 | when a cookie is inserted. This attribute is used so that a |
| 2313 | user agent doesn't share the cookie with non-HTTP components. |
| 2314 | Please check RFC6265 for more information on this attribute. |
| 2315 | |
| 2316 | secure This option tells haproxy to add a "Secure" cookie attribute when |
| 2317 | a cookie is inserted. This attribute is used so that a user agent |
| 2318 | never emits this cookie over non-secure channels, which means |
| 2319 | that a cookie learned with this flag will be presented only over |
| 2320 | SSL/TLS connections. Please check RFC6265 for more information on |
| 2321 | this attribute. |
| 2322 | |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2323 | domain This option allows to specify the domain at which a cookie is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2324 | inserted. It requires exactly one parameter: a valid domain |
Willy Tarreau | 68a897b | 2009-12-03 23:28:34 +0100 | [diff] [blame] | 2325 | name. If the domain begins with a dot, the browser is allowed to |
| 2326 | use it for any host ending with that name. It is also possible to |
| 2327 | specify several domain names by invoking this option multiple |
| 2328 | times. Some browsers might have small limits on the number of |
| 2329 | domains, so be careful when doing that. For the record, sending |
| 2330 | 10 domains to MSIE 6 or Firefox 2 works as expected. |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2331 | |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2332 | maxidle This option allows inserted cookies to be ignored after some idle |
| 2333 | time. It only works with insert-mode cookies. When a cookie is |
| 2334 | sent to the client, the date this cookie was emitted is sent too. |
| 2335 | Upon further presentations of this cookie, if the date is older |
| 2336 | than the delay indicated by the parameter (in seconds), it will |
| 2337 | be ignored. Otherwise, it will be refreshed if needed when the |
| 2338 | response is sent to the client. This is particularly useful to |
| 2339 | prevent users who never close their browsers from remaining for |
| 2340 | too long on the same server (eg: after a farm size change). When |
| 2341 | this option is set and a cookie has no date, it is always |
| 2342 | accepted, but gets refreshed in the response. This maintains the |
| 2343 | ability for admins to access their sites. Cookies that have a |
| 2344 | date in the future further than 24 hours are ignored. Doing so |
| 2345 | lets admins fix timezone issues without risking kicking users off |
| 2346 | the site. |
| 2347 | |
| 2348 | maxlife This option allows inserted cookies to be ignored after some life |
| 2349 | time, whether they're in use or not. It only works with insert |
| 2350 | mode cookies. When a cookie is first sent to the client, the date |
| 2351 | this cookie was emitted is sent too. Upon further presentations |
| 2352 | of this cookie, if the date is older than the delay indicated by |
| 2353 | the parameter (in seconds), it will be ignored. If the cookie in |
| 2354 | the request has no date, it is accepted and a date will be set. |
| 2355 | Cookies that have a date in the future further than 24 hours are |
| 2356 | ignored. Doing so lets admins fix timezone issues without risking |
| 2357 | kicking users off the site. Contrary to maxidle, this value is |
| 2358 | not refreshed, only the first visit date counts. Both maxidle and |
| 2359 | maxlife may be used at the time. This is particularly useful to |
| 2360 | prevent users who never close their browsers from remaining for |
| 2361 | too long on the same server (eg: after a farm size change). This |
| 2362 | is stronger than the maxidle method in that it forces a |
| 2363 | redispatch after some absolute delay. |
| 2364 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2365 | There can be only one persistence cookie per HTTP backend, and it can be |
| 2366 | declared in a defaults section. The value of the cookie will be the value |
| 2367 | indicated after the "cookie" keyword in a "server" statement. If no cookie |
| 2368 | is declared for a given server, the cookie is not set. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2369 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2370 | Examples : |
| 2371 | cookie JSESSIONID prefix |
| 2372 | cookie SRV insert indirect nocache |
| 2373 | cookie SRV insert postonly indirect |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2374 | cookie SRV insert indirect nocache maxidle 30m maxlife 8h |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2375 | |
Cyril Bonté | a8e7bbc | 2010-04-25 22:29:29 +0200 | [diff] [blame] | 2376 | See also : "appsession", "balance source", "capture cookie", "server" |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2377 | and "ignore-persist". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2378 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2379 | |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2380 | default-server [param*] |
| 2381 | Change default options for a server in a backend |
| 2382 | May be used in sections : defaults | frontend | listen | backend |
| 2383 | yes | no | yes | yes |
| 2384 | Arguments: |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2385 | <param*> is a list of parameters for this server. The "default-server" |
| 2386 | keyword accepts an important number of options and has a complete |
| 2387 | section dedicated to it. Please refer to section 5 for more |
| 2388 | details. |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2389 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2390 | Example : |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2391 | default-server inter 1000 weight 13 |
| 2392 | |
| 2393 | See also: "server" and section 5 about server options |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2394 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2395 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2396 | default_backend <backend> |
| 2397 | Specify the backend to use when no "use_backend" rule has been matched. |
| 2398 | May be used in sections : defaults | frontend | listen | backend |
| 2399 | yes | yes | yes | no |
| 2400 | Arguments : |
| 2401 | <backend> is the name of the backend to use. |
| 2402 | |
| 2403 | When doing content-switching between frontend and backends using the |
| 2404 | "use_backend" keyword, it is often useful to indicate which backend will be |
| 2405 | used when no rule has matched. It generally is the dynamic backend which |
| 2406 | will catch all undetermined requests. |
| 2407 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2408 | Example : |
| 2409 | |
| 2410 | use_backend dynamic if url_dyn |
| 2411 | use_backend static if url_css url_img extension_img |
| 2412 | default_backend dynamic |
| 2413 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2414 | See also : "use_backend", "reqsetbe", "reqisetbe" |
| 2415 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2416 | |
Baptiste Assmann | 27f5134 | 2013-10-09 06:51:49 +0200 | [diff] [blame] | 2417 | description <string> |
| 2418 | Describe a listen, frontend or backend. |
| 2419 | May be used in sections : defaults | frontend | listen | backend |
| 2420 | no | yes | yes | yes |
| 2421 | Arguments : string |
| 2422 | |
| 2423 | Allows to add a sentence to describe the related object in the HAProxy HTML |
| 2424 | stats page. The description will be printed on the right of the object name |
| 2425 | it describes. |
| 2426 | No need to backslash spaces in the <string> arguments. |
| 2427 | |
| 2428 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2429 | disabled |
| 2430 | Disable a proxy, frontend or backend. |
| 2431 | May be used in sections : defaults | frontend | listen | backend |
| 2432 | yes | yes | yes | yes |
| 2433 | Arguments : none |
| 2434 | |
| 2435 | The "disabled" keyword is used to disable an instance, mainly in order to |
| 2436 | liberate a listening port or to temporarily disable a service. The instance |
| 2437 | will still be created and its configuration will be checked, but it will be |
| 2438 | created in the "stopped" state and will appear as such in the statistics. It |
| 2439 | will not receive any traffic nor will it send any health-checks or logs. It |
| 2440 | is possible to disable many instances at once by adding the "disabled" |
| 2441 | keyword in a "defaults" section. |
| 2442 | |
| 2443 | See also : "enabled" |
| 2444 | |
| 2445 | |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2446 | dispatch <address>:<port> |
| 2447 | Set a default server address |
| 2448 | May be used in sections : defaults | frontend | listen | backend |
| 2449 | no | no | yes | yes |
Cyril Bonté | 108cf6e | 2012-04-21 23:30:29 +0200 | [diff] [blame] | 2450 | Arguments : |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2451 | |
| 2452 | <address> is the IPv4 address of the default server. Alternatively, a |
| 2453 | resolvable hostname is supported, but this name will be resolved |
| 2454 | during start-up. |
| 2455 | |
| 2456 | <ports> is a mandatory port specification. All connections will be sent |
| 2457 | to this port, and it is not permitted to use port offsets as is |
| 2458 | possible with normal servers. |
| 2459 | |
Willy Tarreau | 787aed5 | 2011-04-15 06:45:37 +0200 | [diff] [blame] | 2460 | The "dispatch" keyword designates a default server for use when no other |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2461 | server can take the connection. In the past it was used to forward non |
| 2462 | persistent connections to an auxiliary load balancer. Due to its simple |
| 2463 | syntax, it has also been used for simple TCP relays. It is recommended not to |
| 2464 | use it for more clarity, and to use the "server" directive instead. |
| 2465 | |
| 2466 | See also : "server" |
| 2467 | |
| 2468 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2469 | enabled |
| 2470 | Enable a proxy, frontend or backend. |
| 2471 | May be used in sections : defaults | frontend | listen | backend |
| 2472 | yes | yes | yes | yes |
| 2473 | Arguments : none |
| 2474 | |
| 2475 | The "enabled" keyword is used to explicitly enable an instance, when the |
| 2476 | defaults has been set to "disabled". This is very rarely used. |
| 2477 | |
| 2478 | See also : "disabled" |
| 2479 | |
| 2480 | |
| 2481 | errorfile <code> <file> |
| 2482 | Return a file contents instead of errors generated by HAProxy |
| 2483 | May be used in sections : defaults | frontend | listen | backend |
| 2484 | yes | yes | yes | yes |
| 2485 | Arguments : |
| 2486 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2487 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2488 | |
| 2489 | <file> designates a file containing the full HTTP response. It is |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2490 | recommended to follow the common practice of appending ".http" to |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2491 | the filename so that people do not confuse the response with HTML |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2492 | error pages, and to use absolute paths, since files are read |
| 2493 | before any chroot is performed. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2494 | |
| 2495 | It is important to understand that this keyword is not meant to rewrite |
| 2496 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2497 | This is why the list of supported errors is limited to a small set. |
| 2498 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2499 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2500 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2501 | The files are returned verbatim on the TCP socket. This allows any trick such |
| 2502 | as redirections to another URL or site, as well as tricks to clean cookies, |
| 2503 | force enable or disable caching, etc... The package provides default error |
| 2504 | files returning the same contents as default errors. |
| 2505 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2506 | The files should not exceed the configured buffer size (BUFSIZE), which |
| 2507 | generally is 8 or 16 kB, otherwise they will be truncated. It is also wise |
| 2508 | not to put any reference to local contents (eg: images) in order to avoid |
| 2509 | loops between the client and HAProxy when all servers are down, causing an |
| 2510 | error to be returned instead of an image. For better HTTP compliance, it is |
| 2511 | recommended that all header lines end with CR-LF and not LF alone. |
| 2512 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2513 | The files are read at the same time as the configuration and kept in memory. |
| 2514 | For this reason, the errors continue to be returned even when the process is |
| 2515 | chrooted, and no file change is considered while the process is running. A |
Willy Tarreau | c27debf | 2008-01-06 08:57:02 +0100 | [diff] [blame] | 2516 | simple method for developing those files consists in associating them to the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2517 | 403 status code and interrogating a blocked URL. |
| 2518 | |
| 2519 | See also : "errorloc", "errorloc302", "errorloc303" |
| 2520 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2521 | Example : |
| 2522 | errorfile 400 /etc/haproxy/errorfiles/400badreq.http |
Willy Tarreau | 2705a61 | 2014-05-23 17:38:34 +0200 | [diff] [blame] | 2523 | errorfile 408 /dev/null # workaround Chrome pre-connect bug |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2524 | errorfile 403 /etc/haproxy/errorfiles/403forbid.http |
| 2525 | errorfile 503 /etc/haproxy/errorfiles/503sorry.http |
| 2526 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2527 | |
| 2528 | errorloc <code> <url> |
| 2529 | errorloc302 <code> <url> |
| 2530 | Return an HTTP redirection to a URL instead of errors generated by HAProxy |
| 2531 | May be used in sections : defaults | frontend | listen | backend |
| 2532 | yes | yes | yes | yes |
| 2533 | Arguments : |
| 2534 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2535 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2536 | |
| 2537 | <url> it is the exact contents of the "Location" header. It may contain |
| 2538 | either a relative URI to an error page hosted on the same site, |
| 2539 | or an absolute URI designating an error page on another site. |
| 2540 | Special care should be given to relative URIs to avoid redirect |
| 2541 | loops if the URI itself may generate the same error (eg: 500). |
| 2542 | |
| 2543 | It is important to understand that this keyword is not meant to rewrite |
| 2544 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2545 | This is why the list of supported errors is limited to a small set. |
| 2546 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2547 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2548 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2549 | Note that both keyword return the HTTP 302 status code, which tells the |
| 2550 | client to fetch the designated URL using the same HTTP method. This can be |
| 2551 | quite problematic in case of non-GET methods such as POST, because the URL |
| 2552 | sent to the client might not be allowed for something other than GET. To |
| 2553 | workaround this problem, please use "errorloc303" which send the HTTP 303 |
| 2554 | status code, indicating to the client that the URL must be fetched with a GET |
| 2555 | request. |
| 2556 | |
| |