blob: e29319c027eecaaeecd287041b07af513fc30638 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau37242fa2010-08-28 19:21:00 +02007 2010/08/28
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Willy Tarreauc57f0e22009-05-10 13:12:33 +020050
514. Proxies
524.1. Proxy keywords matrix
534.2. Alphabetically sorted keywords reference
54
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100555. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020056
576. HTTP header manipulation
58
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100597. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200607.1. Matching integers
617.2. Matching strings
627.3. Matching regular expressions (regexes)
637.4. Matching IPv4 addresses
647.5. Available matching criteria
657.5.1. Matching at Layer 4 and below
667.5.2. Matching contents at Layer 4
677.5.3. Matching at Layer 7
687.6. Pre-defined ACLs
697.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100707.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020071
728. Logging
738.1. Log levels
748.2. Log formats
758.2.1. Default log format
768.2.2. TCP log format
778.2.3. HTTP log format
788.3. Advanced logging options
798.3.1. Disabling logging of external tests
808.3.2. Logging before waiting for the session to terminate
818.3.3. Raising log level upon errors
828.3.4. Disabling logging of successful connections
838.4. Timing events
848.5. Session state at disconnection
858.6. Non-printable characters
868.7. Capturing HTTP cookies
878.8. Capturing HTTP headers
888.9. Examples of logs
89
909. Statistics and monitoring
919.1. CSV format
929.2. Unix Socket commands
93
94
951. Quick reminder about HTTP
96----------------------------
97
98When haproxy is running in HTTP mode, both the request and the response are
99fully analyzed and indexed, thus it becomes possible to build matching criteria
100on almost anything found in the contents.
101
102However, it is important to understand how HTTP requests and responses are
103formed, and how HAProxy decomposes them. It will then become easier to write
104correct rules and to debug existing configurations.
105
106
1071.1. The HTTP transaction model
108-------------------------------
109
110The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100111to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200112from the client to the server, a request is sent by the client on the
113connection, the server responds and the connection is closed. A new request
114will involve a new connection :
115
116 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
117
118In this mode, called the "HTTP close" mode, there are as many connection
119establishments as there are HTTP transactions. Since the connection is closed
120by the server after the response, the client does not need to know the content
121length.
122
123Due to the transactional nature of the protocol, it was possible to improve it
124to avoid closing a connection between two subsequent transactions. In this mode
125however, it is mandatory that the server indicates the content length for each
126response so that the client does not wait indefinitely. For this, a special
127header is used: "Content-length". This mode is called the "keep-alive" mode :
128
129 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
130
131Its advantages are a reduced latency between transactions, and less processing
132power required on the server side. It is generally better than the close mode,
133but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200134a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200135
136A last improvement in the communications is the pipelining mode. It still uses
137keep-alive, but the client does not wait for the first response to send the
138second request. This is useful for fetching large number of images composing a
139page :
140
141 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
142
143This can obviously have a tremendous benefit on performance because the network
144latency is eliminated between subsequent requests. Many HTTP agents do not
145correctly support pipelining since there is no way to associate a response with
146the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100147server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200149By default HAProxy operates in a tunnel-like mode with regards to persistent
150connections: for each connection it processes the first request and forwards
151everything else (including additional requests) to selected server. Once
152established, the connection is persisted both on the client and server
153sides. Use "option http-server-close" to preserve client persistent connections
154while handling every incoming request individually, dispatching them one after
155another to servers, in HTTP close mode. Use "option httpclose" to switch both
156sides to HTTP close mode. "option forceclose" and "option
157http-pretend-keepalive" help working around servers misbehaving in HTTP close
158mode.
159
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200160
1611.2. HTTP request
162-----------------
163
164First, let's consider this HTTP request :
165
166 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100167 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200168 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
169 2 Host: www.mydomain.com
170 3 User-agent: my small browser
171 4 Accept: image/jpeg, image/gif
172 5 Accept: image/png
173
174
1751.2.1. The Request line
176-----------------------
177
178Line 1 is the "request line". It is always composed of 3 fields :
179
180 - a METHOD : GET
181 - a URI : /serv/login.php?lang=en&profile=2
182 - a version tag : HTTP/1.1
183
184All of them are delimited by what the standard calls LWS (linear white spaces),
185which are commonly spaces, but can also be tabs or line feeds/carriage returns
186followed by spaces/tabs. The method itself cannot contain any colon (':') and
187is limited to alphabetic letters. All those various combinations make it
188desirable that HAProxy performs the splitting itself rather than leaving it to
189the user to write a complex or inaccurate regular expression.
190
191The URI itself can have several forms :
192
193 - A "relative URI" :
194
195 /serv/login.php?lang=en&profile=2
196
197 It is a complete URL without the host part. This is generally what is
198 received by servers, reverse proxies and transparent proxies.
199
200 - An "absolute URI", also called a "URL" :
201
202 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
203
204 It is composed of a "scheme" (the protocol name followed by '://'), a host
205 name or address, optionally a colon (':') followed by a port number, then
206 a relative URI beginning at the first slash ('/') after the address part.
207 This is generally what proxies receive, but a server supporting HTTP/1.1
208 must accept this form too.
209
210 - a star ('*') : this form is only accepted in association with the OPTIONS
211 method and is not relayable. It is used to inquiry a next hop's
212 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100213
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200214 - an address:port combination : 192.168.0.12:80
215 This is used with the CONNECT method, which is used to establish TCP
216 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
217 other protocols too.
218
219In a relative URI, two sub-parts are identified. The part before the question
220mark is called the "path". It is typically the relative path to static objects
221on the server. The part after the question mark is called the "query string".
222It is mostly used with GET requests sent to dynamic scripts and is very
223specific to the language, framework or application in use.
224
225
2261.2.2. The request headers
227--------------------------
228
229The headers start at the second line. They are composed of a name at the
230beginning of the line, immediately followed by a colon (':'). Traditionally,
231an LWS is added after the colon but that's not required. Then come the values.
232Multiple identical headers may be folded into one single line, delimiting the
233values with commas, provided that their order is respected. This is commonly
234encountered in the "Cookie:" field. A header may span over multiple lines if
235the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
236define a total of 3 values for the "Accept:" header.
237
238Contrary to a common mis-conception, header names are not case-sensitive, and
239their values are not either if they refer to other header names (such as the
240"Connection:" header).
241
242The end of the headers is indicated by the first empty line. People often say
243that it's a double line feed, which is not exact, even if a double line feed
244is one valid form of empty line.
245
246Fortunately, HAProxy takes care of all these complex combinations when indexing
247headers, checking values and counting them, so there is no reason to worry
248about the way they could be written, but it is important not to accuse an
249application of being buggy if it does unusual, valid things.
250
251Important note:
252 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
253 in the middle of headers by LWS in order to join multi-line headers. This
254 is necessary for proper analysis and helps less capable HTTP parsers to work
255 correctly and not to be fooled by such complex constructs.
256
257
2581.3. HTTP response
259------------------
260
261An HTTP response looks very much like an HTTP request. Both are called HTTP
262messages. Let's consider this HTTP response :
263
264 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100265 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200266 1 HTTP/1.1 200 OK
267 2 Content-length: 350
268 3 Content-Type: text/html
269
Willy Tarreau816b9792009-09-15 21:25:21 +0200270As a special case, HTTP supports so called "Informational responses" as status
271codes 1xx. These messages are special in that they don't convey any part of the
272response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100273continue to post its request for instance. In the case of a status 100 response
274the requested information will be carried by the next non-100 response message
275following the informational one. This implies that multiple responses may be
276sent to a single request, and that this only works when keep-alive is enabled
277(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
278correctly forward and skip them, and only process the next non-100 response. As
279such, these messages are neither logged nor transformed, unless explicitly
280state otherwise. Status 101 messages indicate that the protocol is changing
281over the same connection and that haproxy must switch to tunnel mode, just as
282if a CONNECT had occurred. Then the Upgrade header would contain additional
283information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200284
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200285
2861.3.1. The Response line
287------------------------
288
289Line 1 is the "response line". It is always composed of 3 fields :
290
291 - a version tag : HTTP/1.1
292 - a status code : 200
293 - a reason : OK
294
295The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200296 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297 - 2xx = OK, content is following (eg: 200, 206)
298 - 3xx = OK, no content following (eg: 302, 304)
299 - 4xx = error caused by the client (eg: 401, 403, 404)
300 - 5xx = error caused by the server (eg: 500, 502, 503)
301
302Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100303"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200304found there, but it's a common practice to respect the well-established
305messages. It can be composed of one or multiple words, such as "OK", "Found",
306or "Authentication Required".
307
308Haproxy may emit the following status codes by itself :
309
310 Code When / reason
311 200 access to stats page, and when replying to monitoring requests
312 301 when performing a redirection, depending on the configured code
313 302 when performing a redirection, depending on the configured code
314 303 when performing a redirection, depending on the configured code
315 400 for an invalid or too large request
316 401 when an authentication is required to perform the action (when
317 accessing the stats page)
318 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
319 408 when the request timeout strikes before the request is complete
320 500 when haproxy encounters an unrecoverable internal error, such as a
321 memory allocation failure, which should never happen
322 502 when the server returns an empty, invalid or incomplete response, or
323 when an "rspdeny" filter blocks the response.
324 503 when no server was available to handle the request, or in response to
325 monitoring requests which match the "monitor fail" condition
326 504 when the response timeout strikes before the server responds
327
328The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3294.2).
330
331
3321.3.2. The response headers
333---------------------------
334
335Response headers work exactly like request headers, and as such, HAProxy uses
336the same parsing function for both. Please refer to paragraph 1.2.2 for more
337details.
338
339
3402. Configuring HAProxy
341----------------------
342
3432.1. Configuration file format
344------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200345
346HAProxy's configuration process involves 3 major sources of parameters :
347
348 - the arguments from the command-line, which always take precedence
349 - the "global" section, which sets process-wide parameters
350 - the proxies sections which can take form of "defaults", "listen",
351 "frontend" and "backend".
352
Willy Tarreau0ba27502007-12-24 16:55:16 +0100353The configuration file syntax consists in lines beginning with a keyword
354referenced in this manual, optionally followed by one or several parameters
355delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100356preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100357escaped by doubling them.
358
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200359
3602.2. Time format
361----------------
362
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100363Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100364values are generally expressed in milliseconds (unless explicitly stated
365otherwise) but may be expressed in any other unit by suffixing the unit to the
366numeric value. It is important to consider this because it will not be repeated
367for every keyword. Supported units are :
368
369 - us : microseconds. 1 microsecond = 1/1000000 second
370 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
371 - s : seconds. 1s = 1000ms
372 - m : minutes. 1m = 60s = 60000ms
373 - h : hours. 1h = 60m = 3600s = 3600000ms
374 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
375
376
Patrick Mezard35da19c2010-06-12 17:02:47 +02003772.3. Examples
378-------------
379
380 # Simple configuration for an HTTP proxy listening on port 80 on all
381 # interfaces and forwarding requests to a single backend "servers" with a
382 # single server "server1" listening on 127.0.0.1:8000
383 global
384 daemon
385 maxconn 256
386
387 defaults
388 mode http
389 timeout connect 5000ms
390 timeout client 50000ms
391 timeout server 50000ms
392
393 frontend http-in
394 bind *:80
395 default_backend servers
396
397 backend servers
398 server server1 127.0.0.1:8000 maxconn 32
399
400
401 # The same configuration defined with a single listen block. Shorter but
402 # less expressive, especially in HTTP mode.
403 global
404 daemon
405 maxconn 256
406
407 defaults
408 mode http
409 timeout connect 5000ms
410 timeout client 50000ms
411 timeout server 50000ms
412
413 listen http-in
414 bind *:80
415 server server1 127.0.0.1:8000 maxconn 32
416
417
418Assuming haproxy is in $PATH, test these configurations in a shell with:
419
420 $ sudo haproxy -f configuration.conf -d
421
422
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004233. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200424--------------------
425
426Parameters in the "global" section are process-wide and often OS-specific. They
427are generally set once for all and do not need being changed once correct. Some
428of them have command-line equivalents.
429
430The following keywords are supported in the "global" section :
431
432 * Process management and security
433 - chroot
434 - daemon
435 - gid
436 - group
437 - log
438 - nbproc
439 - pidfile
440 - uid
441 - ulimit-n
442 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200443 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200444 - node
445 - description
Willy Tarreaud72758d2010-01-12 10:42:19 +0100446
Willy Tarreau6a06a402007-07-15 20:15:28 +0200447 * Performance tuning
448 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100449 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - noepoll
451 - nokqueue
452 - nopoll
453 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200455 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200456 - tune.bufsize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100457 - tune.maxaccept
458 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200459 - tune.maxrewrite
Willy Tarreaue803de22010-01-21 17:43:04 +0100460 - tune.rcvbuf.client
461 - tune.rcvbuf.server
462 - tune.sndbuf.client
463 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100464
Willy Tarreau6a06a402007-07-15 20:15:28 +0200465 * Debugging
466 - debug
467 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200468
469
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004703.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200471------------------------------------
472
473chroot <jail dir>
474 Changes current directory to <jail dir> and performs a chroot() there before
475 dropping privileges. This increases the security level in case an unknown
476 vulnerability would be exploited, since it would make it very hard for the
477 attacker to exploit the system. This only works when the process is started
478 with superuser privileges. It is important to ensure that <jail_dir> is both
479 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100480
Willy Tarreau6a06a402007-07-15 20:15:28 +0200481daemon
482 Makes the process fork into background. This is the recommended mode of
483 operation. It is equivalent to the command line "-D" argument. It can be
484 disabled by the command line "-db" argument.
485
486gid <number>
487 Changes the process' group ID to <number>. It is recommended that the group
488 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
489 be started with a user belonging to this group, or with superuser privileges.
490 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100491
Willy Tarreau6a06a402007-07-15 20:15:28 +0200492group <group name>
493 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
494 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100495
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200496log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200497 Adds a global syslog server. Up to two global servers can be defined. They
498 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100499 configured with "log global".
500
501 <address> can be one of:
502
Willy Tarreau2769aa02007-12-27 18:26:09 +0100503 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100504 no port is specified, 514 is used by default (the standard syslog
505 port).
506
507 - A filesystem path to a UNIX domain socket, keeping in mind
508 considerations for chroot (be sure the path is accessible inside
509 the chroot) and uid/gid (be sure the path is appropriately
510 writeable).
511
512 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200513
514 kern user mail daemon auth syslog lpr news
515 uucp cron auth2 ftp ntp audit alert cron2
516 local0 local1 local2 local3 local4 local5 local6 local7
517
518 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200519 all messages are sent. If a maximum level is specified, only messages with a
520 severity at least as important as this level will be sent. An optional minimum
521 level can be specified. If it is set, logs emitted with a more severe level
522 than this one will be capped to this level. This is used to avoid sending
523 "emerg" messages on all terminals on some default syslog configurations.
524 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525
526 emerg alert crit err warning notice info debug
527
528nbproc <number>
529 Creates <number> processes when going daemon. This requires the "daemon"
530 mode. By default, only one process is created, which is the recommended mode
531 of operation. For systems limited to small sets of file descriptors per
532 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
533 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
534
535pidfile <pidfile>
536 Writes pids of all daemons into file <pidfile>. This option is equivalent to
537 the "-p" command line argument. The file must be accessible to the user
538 starting the process. See also "daemon".
539
Willy Tarreaufbee7132007-10-18 13:53:22 +0200540stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200541 [level <level>]
542
Willy Tarreaufbee7132007-10-18 13:53:22 +0200543 Creates a UNIX socket in stream mode at location <path>. Any previously
544 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100545 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200546 issued. Please consult section 9.2 "Unix Socket commands" for more details.
547
548 An optional "level" parameter can be specified to restrict the nature of
549 the commands that can be issued on the socket :
550 - "user" is the least privileged level ; only non-sensitive stats can be
551 read, and no change is allowed. It would make sense on systems where it
552 is not easy to restrict access to the socket.
553
554 - "operator" is the default level and fits most common uses. All data can
555 be read, and only non-sensible changes are permitted (eg: clear max
556 counters).
557
558 - "admin" should be used with care, as everything is permitted (eg: clear
559 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100560
561 On platforms which support it, it is possible to restrict access to this
562 socket by specifying numerical IDs after "uid" and "gid", or valid user and
563 group names after the "user" and "group" keywords. It is also possible to
564 restrict permissions on the socket by passing an octal value after the "mode"
565 keyword (same syntax as chmod). Depending on the platform, the permissions on
566 the socket will be inherited from the directory which hosts it, or from the
567 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200568
569stats timeout <timeout, in milliseconds>
570 The default timeout on the stats socket is set to 10 seconds. It is possible
571 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100572 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200573
574stats maxconn <connections>
575 By default, the stats socket is limited to 10 concurrent connections. It is
576 possible to change this value with "stats maxconn".
577
Willy Tarreau6a06a402007-07-15 20:15:28 +0200578uid <number>
579 Changes the process' user ID to <number>. It is recommended that the user ID
580 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
581 be started with superuser privileges in order to be able to switch to another
582 one. See also "gid" and "user".
583
584ulimit-n <number>
585 Sets the maximum number of per-process file-descriptors to <number>. By
586 default, it is automatically computed, so it is recommended not to use this
587 option.
588
589user <user name>
590 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
591 See also "uid" and "group".
592
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200593node <name>
594 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
595
596 This statement is useful in HA configurations where two or more processes or
597 servers share the same IP address. By setting a different node-name on all
598 nodes, it becomes easy to immediately spot what server is handling the
599 traffic.
600
601description <text>
602 Add a text that describes the instance.
603
604 Please note that it is required to escape certain characters (# for example)
605 and this text is inserted into a html page so you should avoid using
606 "<" and ">" characters.
607
Willy Tarreau6a06a402007-07-15 20:15:28 +0200608
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006093.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200610-----------------------
611
612maxconn <number>
613 Sets the maximum per-process number of concurrent connections to <number>. It
614 is equivalent to the command-line argument "-n". Proxies will stop accepting
615 connections when this limit is reached. The "ulimit-n" parameter is
616 automatically adjusted according to this value. See also "ulimit-n".
617
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100618maxpipes <number>
619 Sets the maximum per-process number of pipes to <number>. Currently, pipes
620 are only used by kernel-based tcp splicing. Since a pipe contains two file
621 descriptors, the "ulimit-n" value will be increased accordingly. The default
622 value is maxconn/4, which seems to be more than enough for most heavy usages.
623 The splice code dynamically allocates and releases pipes, and can fall back
624 to standard copy, so setting this value too low may only impact performance.
625
Willy Tarreau6a06a402007-07-15 20:15:28 +0200626noepoll
627 Disables the use of the "epoll" event polling system on Linux. It is
628 equivalent to the command-line argument "-de". The next polling system
629 used will generally be "poll". See also "nosepoll", and "nopoll".
630
631nokqueue
632 Disables the use of the "kqueue" event polling system on BSD. It is
633 equivalent to the command-line argument "-dk". The next polling system
634 used will generally be "poll". See also "nopoll".
635
636nopoll
637 Disables the use of the "poll" event polling system. It is equivalent to the
638 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100639 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200640 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
641 "nokqueue".
642
643nosepoll
644 Disables the use of the "speculative epoll" event polling system on Linux. It
645 is equivalent to the command-line argument "-ds". The next polling system
646 used will generally be "epoll". See also "nosepoll", and "nopoll".
647
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100648nosplice
649 Disables the use of kernel tcp splicing between sockets on Linux. It is
650 equivalent to the command line argument "-dS". Data will then be copied
651 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100652 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100653 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
654 be used. This option makes it easier to globally disable kernel splicing in
655 case of doubt. See also "option splice-auto", "option splice-request" and
656 "option splice-response".
657
Willy Tarreaufe255b72007-10-14 23:09:26 +0200658spread-checks <0..50, in percent>
659 Sometimes it is desirable to avoid sending health checks to servers at exact
660 intervals, for instance when many logical servers are located on the same
661 physical server. With the help of this parameter, it becomes possible to add
662 some randomness in the check interval between 0 and +/- 50%. A value between
663 2 and 5 seems to show good results. The default value remains at 0.
664
Willy Tarreau27a674e2009-08-17 07:23:33 +0200665tune.bufsize <number>
666 Sets the buffer size to this size (in bytes). Lower values allow more
667 sessions to coexist in the same amount of RAM, and higher values allow some
668 applications with very large cookies to work. The default value is 16384 and
669 can be changed at build time. It is strongly recommended not to change this
670 from the default value, as very low values will break some services such as
671 statistics, and values larger than default size will increase memory usage,
672 possibly causing the system to run out of memory. At least the global maxconn
673 parameter should be decreased by the same factor as this one is increased.
674
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100675tune.maxaccept <number>
676 Sets the maximum number of consecutive accepts that a process may perform on
677 a single wake up. High values give higher priority to high connection rates,
678 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100679 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100680 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
681 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100682 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100683 the limitation. It should normally not be needed to tweak this value.
684
685tune.maxpollevents <number>
686 Sets the maximum amount of events that can be processed at once in a call to
687 the polling system. The default value is adapted to the operating system. It
688 has been noticed that reducing it below 200 tends to slightly decrease
689 latency at the expense of network bandwidth, and increasing it above 200
690 tends to trade latency for slightly increased bandwidth.
691
Willy Tarreau27a674e2009-08-17 07:23:33 +0200692tune.maxrewrite <number>
693 Sets the reserved buffer space to this size in bytes. The reserved space is
694 used for header rewriting or appending. The first reads on sockets will never
695 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
696 bufsize, though that does not make much sense since there are rarely large
697 numbers of headers to add. Setting it too high prevents processing of large
698 requests or responses. Setting it too low prevents addition of new headers
699 to already large requests or to POST requests. It is generally wise to set it
700 to about 1024. It is automatically readjusted to half of bufsize if it is
701 larger than that. This means you don't have to worry about it when changing
702 bufsize.
703
Willy Tarreaue803de22010-01-21 17:43:04 +0100704tune.rcvbuf.client <number>
705tune.rcvbuf.server <number>
706 Forces the kernel socket receive buffer size on the client or the server side
707 to the specified value in bytes. This value applies to all TCP/HTTP frontends
708 and backends. It should normally never be set, and the default size (0) lets
709 the kernel autotune this value depending on the amount of available memory.
710 However it can sometimes help to set it to very low values (eg: 4096) in
711 order to save kernel memory by preventing it from buffering too large amounts
712 of received data. Lower values will significantly increase CPU usage though.
713
714tune.sndbuf.client <number>
715tune.sndbuf.server <number>
716 Forces the kernel socket send buffer size on the client or the server side to
717 the specified value in bytes. This value applies to all TCP/HTTP frontends
718 and backends. It should normally never be set, and the default size (0) lets
719 the kernel autotune this value depending on the amount of available memory.
720 However it can sometimes help to set it to very low values (eg: 4096) in
721 order to save kernel memory by preventing it from buffering too large amounts
722 of received data. Lower values will significantly increase CPU usage though.
723 Another use case is to prevent write timeouts with extremely slow clients due
724 to the kernel waiting for a large part of the buffer to be read before
725 notifying haproxy again.
726
Willy Tarreau6a06a402007-07-15 20:15:28 +0200727
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007283.3. Debugging
729--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200730
731debug
732 Enables debug mode which dumps to stdout all exchanges, and disables forking
733 into background. It is the equivalent of the command-line argument "-d". It
734 should never be used in a production configuration since it may prevent full
735 system startup.
736
737quiet
738 Do not display any message during startup. It is equivalent to the command-
739 line argument "-q".
740
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007413.4. Userlists
742--------------
743It is possible to control access to frontend/backend/listen sections or to
744http stats by allowing only authenticated and authorized users. To do this,
745it is required to create at least one userlist and to define users.
746
747userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100748 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100749 used to store authentication & authorization data for independent customers.
750
751group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100752 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100753 attach users to this group by using a comma separated list of names
754 proceeded by "users" keyword.
755
Cyril Bontéf0c60612010-02-06 14:44:47 +0100756user <username> [password|insecure-password <password>]
757 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100758 Adds user <username> to the current userlist. Both secure (encrypted) and
759 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100760 evaluated using the crypt(3) function so depending of the system's
761 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100762 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
763 DES-based method of crypting passwords.
764
765
766 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100767 userlist L1
768 group G1 users tiger,scott
769 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100770
Cyril Bontéf0c60612010-02-06 14:44:47 +0100771 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
772 user scott insecure-password elgato
773 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100774
Cyril Bontéf0c60612010-02-06 14:44:47 +0100775 userlist L2
776 group G1
777 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100778
Cyril Bontéf0c60612010-02-06 14:44:47 +0100779 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
780 user scott insecure-password elgato groups G1,G2
781 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100782
783 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200784
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007854. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200786----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100787
Willy Tarreau6a06a402007-07-15 20:15:28 +0200788Proxy configuration can be located in a set of sections :
789 - defaults <name>
790 - frontend <name>
791 - backend <name>
792 - listen <name>
793
794A "defaults" section sets default parameters for all other sections following
795its declaration. Those default parameters are reset by the next "defaults"
796section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100797section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200798
799A "frontend" section describes a set of listening sockets accepting client
800connections.
801
802A "backend" section describes a set of servers to which the proxy will connect
803to forward incoming connections.
804
805A "listen" section defines a complete proxy with its frontend and backend
806parts combined in one section. It is generally useful for TCP-only traffic.
807
Willy Tarreau0ba27502007-12-24 16:55:16 +0100808All proxy names must be formed from upper and lower case letters, digits,
809'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
810case-sensitive, which means that "www" and "WWW" are two different proxies.
811
812Historically, all proxy names could overlap, it just caused troubles in the
813logs. Since the introduction of content switching, it is mandatory that two
814proxies with overlapping capabilities (frontend/backend) have different names.
815However, it is still permitted that a frontend and a backend share the same
816name, as this configuration seems to be commonly encountered.
817
818Right now, two major proxy modes are supported : "tcp", also known as layer 4,
819and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100820bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100821protocol, and can interact with it by allowing, blocking, switching, adding,
822modifying, or removing arbitrary contents in requests or responses, based on
823arbitrary criteria.
824
Willy Tarreau0ba27502007-12-24 16:55:16 +0100825
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008264.1. Proxy keywords matrix
827--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100828
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200829The following list of keywords is supported. Most of them may only be used in a
830limited set of section types. Some of them are marked as "deprecated" because
831they are inherited from an old syntax which may be confusing or functionally
832limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100833marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200834option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200835and must be disabled for a specific instance. Such options may also be prefixed
836with "default" in order to restore default settings regardless of what has been
837specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100838
Willy Tarreau6a06a402007-07-15 20:15:28 +0200839
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100840 keyword defaults frontend listen backend
841------------------------------------+----------+----------+---------+---------
842acl - X X X
843appsession - - X X
844backlog X X X -
845balance X - X X
846bind - X X -
847bind-process X X X X
848block - X X X
849capture cookie - X X -
850capture request header - X X -
851capture response header - X X -
852clitimeout (deprecated) X X X -
853contimeout (deprecated) X - X X
854cookie X - X X
855default-server X - X X
856default_backend X X X -
857description - X X X
858disabled X X X X
859dispatch - - X X
860enabled X X X X
861errorfile X X X X
862errorloc X X X X
863errorloc302 X X X X
864-- keyword -------------------------- defaults - frontend - listen -- backend -
865errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200866force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100867fullconn X - X X
868grace X X X X
869hash-type X - X X
870http-check disable-on-404 X - X X
871http-request - X X X
872id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200873ignore-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100874log X X X X
875maxconn X X X -
876mode X X X X
877monitor fail - X X -
878monitor-net X X X -
879monitor-uri X X X -
880option abortonclose (*) X - X X
881option accept-invalid-http-request (*) X X X -
882option accept-invalid-http-response (*) X - X X
883option allbackups (*) X - X X
884option checkcache (*) X - X X
885option clitcpka (*) X X X -
886option contstats (*) X X X -
887option dontlog-normal (*) X X X -
888option dontlognull (*) X X X -
889option forceclose (*) X X X X
890-- keyword -------------------------- defaults - frontend - listen -- backend -
891option forwardfor X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +0200892option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100893option http-server-close (*) X X X X
894option http-use-proxy-header (*) X X X -
895option httpchk X - X X
896option httpclose (*) X X X X
897option httplog X X X X
898option http_proxy (*) X X X X
899option independant-streams (*) X X X X
900option log-health-checks (*) X - X X
901option log-separate-errors (*) X X X -
902option logasap (*) X X X -
903option mysql-check X - X X
904option nolinger (*) X X X X
905option originalto X X X X
906option persist (*) X - X X
907option redispatch (*) X - X X
908option smtpchk X - X X
909option socket-stats (*) X X X -
910option splice-auto (*) X X X X
911option splice-request (*) X X X X
912option splice-response (*) X X X X
913option srvtcpka (*) X - X X
914option ssl-hello-chk X - X X
915-- keyword -------------------------- defaults - frontend - listen -- backend -
916option tcp-smart-accept (*) X X X -
917option tcp-smart-connect (*) X - X X
918option tcpka X X X X
919option tcplog X X X X
920option transparent (*) X - X X
921persist rdp-cookie X - X X
922rate-limit sessions X X X -
923redirect - X X X
924redisp (deprecated) X - X X
925redispatch (deprecated) X - X X
926reqadd - X X X
927reqallow - X X X
928reqdel - X X X
929reqdeny - X X X
930reqiallow - X X X
931reqidel - X X X
932reqideny - X X X
933reqipass - X X X
934reqirep - X X X
935reqisetbe - X X X
936reqitarpit - X X X
937reqpass - X X X
938reqrep - X X X
939-- keyword -------------------------- defaults - frontend - listen -- backend -
940reqsetbe - X X X
941reqtarpit - X X X
942retries X - X X
943rspadd - X X X
944rspdel - X X X
945rspdeny - X X X
946rspidel - X X X
947rspideny - X X X
948rspirep - X X X
949rsprep - X X X
950server - - X X
951source X - X X
952srvtimeout (deprecated) X - X X
953stats auth X - X X
954stats enable X - X X
955stats hide-version X - X X
956stats realm X - X X
957stats refresh X - X X
958stats scope X - X X
959stats show-desc X - X X
960stats show-legends X - X X
961stats show-node X - X X
962stats uri X - X X
963-- keyword -------------------------- defaults - frontend - listen -- backend -
964stick match - - X X
965stick on - - X X
966stick store-request - - X X
967stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +0200968tcp-request connection - X X -
969tcp-request content - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100970tcp-request inspect-delay - X X -
971timeout check X - X X
972timeout client X X X -
973timeout clitimeout (deprecated) X X X -
974timeout connect X - X X
975timeout contimeout (deprecated) X - X X
976timeout http-keep-alive X X X X
977timeout http-request X X X X
978timeout queue X - X X
979timeout server X - X X
980timeout srvtimeout (deprecated) X - X X
981timeout tarpit X X X X
982transparent (deprecated) X - X X
983use_backend - X X -
984------------------------------------+----------+----------+---------+---------
985 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +0200986
Willy Tarreau0ba27502007-12-24 16:55:16 +0100987
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009884.2. Alphabetically sorted keywords reference
989---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100990
991This section provides a description of each keyword and its usage.
992
993
994acl <aclname> <criterion> [flags] [operator] <value> ...
995 Declare or complete an access list.
996 May be used in sections : defaults | frontend | listen | backend
997 no | yes | yes | yes
998 Example:
999 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1000 acl invalid_src src_port 0:1023
1001 acl local_dst hdr(host) -i localhost
1002
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001003 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001004
1005
Cyril Bontéb21570a2009-11-29 20:04:48 +01001006appsession <cookie> len <length> timeout <holdtime>
1007 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001008 Define session stickiness on an existing application cookie.
1009 May be used in sections : defaults | frontend | listen | backend
1010 no | no | yes | yes
1011 Arguments :
1012 <cookie> this is the name of the cookie used by the application and which
1013 HAProxy will have to learn for each new session.
1014
Cyril Bontéb21570a2009-11-29 20:04:48 +01001015 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001016 checked in each cookie value.
1017
1018 <holdtime> this is the time after which the cookie will be removed from
1019 memory if unused. If no unit is specified, this time is in
1020 milliseconds.
1021
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001022 request-learn
1023 If this option is specified, then haproxy will be able to learn
1024 the cookie found in the request in case the server does not
1025 specify any in response. This is typically what happens with
1026 PHPSESSID cookies, or when haproxy's session expires before
1027 the application's session and the correct server is selected.
1028 It is recommended to specify this option to improve reliability.
1029
Cyril Bontéb21570a2009-11-29 20:04:48 +01001030 prefix When this option is specified, haproxy will match on the cookie
1031 prefix (or URL parameter prefix). The appsession value is the
1032 data following this prefix.
1033
1034 Example :
1035 appsession ASPSESSIONID len 64 timeout 3h prefix
1036
1037 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1038 the appsession value will be XXXX=XXXXX.
1039
1040 mode This option allows to change the URL parser mode.
1041 2 modes are currently supported :
1042 - path-parameters :
1043 The parser looks for the appsession in the path parameters
1044 part (each parameter is separated by a semi-colon), which is
1045 convenient for JSESSIONID for example.
1046 This is the default mode if the option is not set.
1047 - query-string :
1048 In this mode, the parser will look for the appsession in the
1049 query string.
1050
Willy Tarreau0ba27502007-12-24 16:55:16 +01001051 When an application cookie is defined in a backend, HAProxy will check when
1052 the server sets such a cookie, and will store its value in a table, and
1053 associate it with the server's identifier. Up to <length> characters from
1054 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001055 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1056 the mode used). If a known value is found, the client will be directed to the
1057 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001058 applied. Cookies are automatically removed from memory when they have been
1059 unused for a duration longer than <holdtime>.
1060
1061 The definition of an application cookie is limited to one per backend.
1062
1063 Example :
1064 appsession JSESSIONID len 52 timeout 3h
1065
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001066 See also : "cookie", "capture cookie", "balance", "stick", "stick-table"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001067 and "ignore-persist"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001068
1069
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001070backlog <conns>
1071 Give hints to the system about the approximate listen backlog desired size
1072 May be used in sections : defaults | frontend | listen | backend
1073 yes | yes | yes | no
1074 Arguments :
1075 <conns> is the number of pending connections. Depending on the operating
1076 system, it may represent the number of already acknowledged
1077 connections, of non-acknowledged ones, or both.
1078
1079 In order to protect against SYN flood attacks, one solution is to increase
1080 the system's SYN backlog size. Depending on the system, sometimes it is just
1081 tunable via a system parameter, sometimes it is not adjustable at all, and
1082 sometimes the system relies on hints given by the application at the time of
1083 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1084 to the listen() syscall. On systems which can make use of this value, it can
1085 sometimes be useful to be able to specify a different value, hence this
1086 backlog parameter.
1087
1088 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1089 used as a hint and the system accepts up to the smallest greater power of
1090 two, and never more than some limits (usually 32768).
1091
1092 See also : "maxconn" and the target operating system's tuning guide.
1093
1094
Willy Tarreau0ba27502007-12-24 16:55:16 +01001095balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001096balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001097 Define the load balancing algorithm to be used in a backend.
1098 May be used in sections : defaults | frontend | listen | backend
1099 yes | no | yes | yes
1100 Arguments :
1101 <algorithm> is the algorithm used to select a server when doing load
1102 balancing. This only applies when no persistence information
1103 is available, or when a connection is redispatched to another
1104 server. <algorithm> may be one of the following :
1105
1106 roundrobin Each server is used in turns, according to their weights.
1107 This is the smoothest and fairest algorithm when the server's
1108 processing time remains equally distributed. This algorithm
1109 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001110 on the fly for slow starts for instance. It is limited by
1111 design to 4128 active servers per backend. Note that in some
1112 large farms, when a server becomes up after having been down
1113 for a very short time, it may sometimes take a few hundreds
1114 requests for it to be re-integrated into the farm and start
1115 receiving traffic. This is normal, though very rare. It is
1116 indicated here in case you would have the chance to observe
1117 it, so that you don't worry.
1118
1119 static-rr Each server is used in turns, according to their weights.
1120 This algorithm is as similar to roundrobin except that it is
1121 static, which means that changing a server's weight on the
1122 fly will have no effect. On the other hand, it has no design
1123 limitation on the number of servers, and when a server goes
1124 up, it is always immediately reintroduced into the farm, once
1125 the full map is recomputed. It also uses slightly less CPU to
1126 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001127
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001128 leastconn The server with the lowest number of connections receives the
1129 connection. Round-robin is performed within groups of servers
1130 of the same load to ensure that all servers will be used. Use
1131 of this algorithm is recommended where very long sessions are
1132 expected, such as LDAP, SQL, TSE, etc... but is not very well
1133 suited for protocols using short sessions such as HTTP. This
1134 algorithm is dynamic, which means that server weights may be
1135 adjusted on the fly for slow starts for instance.
1136
Willy Tarreau0ba27502007-12-24 16:55:16 +01001137 source The source IP address is hashed and divided by the total
1138 weight of the running servers to designate which server will
1139 receive the request. This ensures that the same client IP
1140 address will always reach the same server as long as no
1141 server goes down or up. If the hash result changes due to the
1142 number of running servers changing, many clients will be
1143 directed to a different server. This algorithm is generally
1144 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001145 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001146 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001147 static by default, which means that changing a server's
1148 weight on the fly will have no effect, but this can be
1149 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001150
1151 uri The left part of the URI (before the question mark) is hashed
1152 and divided by the total weight of the running servers. The
1153 result designates which server will receive the request. This
1154 ensures that a same URI will always be directed to the same
1155 server as long as no server goes up or down. This is used
1156 with proxy caches and anti-virus proxies in order to maximize
1157 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001158 in an HTTP backend. This algorithm is static by default,
1159 which means that changing a server's weight on the fly will
1160 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001161
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001162 This algorithm support two optional parameters "len" and
1163 "depth", both followed by a positive integer number. These
1164 options may be helpful when it is needed to balance servers
1165 based on the beginning of the URI only. The "len" parameter
1166 indicates that the algorithm should only consider that many
1167 characters at the beginning of the URI to compute the hash.
1168 Note that having "len" set to 1 rarely makes sense since most
1169 URIs start with a leading "/".
1170
1171 The "depth" parameter indicates the maximum directory depth
1172 to be used to compute the hash. One level is counted for each
1173 slash in the request. If both parameters are specified, the
1174 evaluation stops when either is reached.
1175
Willy Tarreau0ba27502007-12-24 16:55:16 +01001176 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001177 the query string of each HTTP GET request.
1178
1179 If the modifier "check_post" is used, then an HTTP POST
1180 request entity will be searched for the parameter argument,
1181 when the question mark indicating a query string ('?') is not
1182 present in the URL. Optionally, specify a number of octets to
1183 wait for before attempting to search the message body. If the
1184 entity can not be searched, then round robin is used for each
1185 request. For instance, if your clients always send the LB
1186 parameter in the first 128 bytes, then specify that. The
1187 default is 48. The entity data will not be scanned until the
1188 required number of octets have arrived at the gateway, this
1189 is the minimum of: (default/max_wait, Content-Length or first
1190 chunk length). If Content-Length is missing or zero, it does
1191 not need to wait for more data than the client promised to
1192 send. When Content-Length is present and larger than
1193 <max_wait>, then waiting is limited to <max_wait> and it is
1194 assumed that this will be enough data to search for the
1195 presence of the parameter. In the unlikely event that
1196 Transfer-Encoding: chunked is used, only the first chunk is
1197 scanned. Parameter values separated by a chunk boundary, may
1198 be randomly balanced if at all.
1199
1200 If the parameter is found followed by an equal sign ('=') and
1201 a value, then the value is hashed and divided by the total
1202 weight of the running servers. The result designates which
1203 server will receive the request.
1204
1205 This is used to track user identifiers in requests and ensure
1206 that a same user ID will always be sent to the same server as
1207 long as no server goes up or down. If no value is found or if
1208 the parameter is not found, then a round robin algorithm is
1209 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001210 backend. This algorithm is static by default, which means
1211 that changing a server's weight on the fly will have no
1212 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001213
Benoitaffb4812009-03-25 13:02:10 +01001214 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
1215 Just as with the equivalent ACL 'hdr()' function, the header
1216 name in parenthesis is not case sensitive. If the header is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001217 absent or if it does not contain any value, the roundrobin
Benoitaffb4812009-03-25 13:02:10 +01001218 algorithm is applied instead.
1219
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001220 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001221 reducing the hash algorithm to the main domain part with some
1222 specific headers such as 'Host'. For instance, in the Host
1223 value "haproxy.1wt.eu", only "1wt" will be considered.
1224
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001225 This algorithm is static by default, which means that
1226 changing a server's weight on the fly will have no effect,
1227 but this can be changed using "hash-type".
1228
Emeric Brun736aa232009-06-30 17:56:00 +02001229 rdp-cookie
1230 rdp-cookie(name)
1231 The RDP cookie <name> (or "mstshash" if omitted) will be
1232 looked up and hashed for each incoming TCP request. Just as
1233 with the equivalent ACL 'req_rdp_cookie()' function, the name
1234 is not case-sensitive. This mechanism is useful as a degraded
1235 persistence mode, as it makes it possible to always send the
1236 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001237 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001238 used instead.
1239
1240 Note that for this to work, the frontend must ensure that an
1241 RDP cookie is already present in the request buffer. For this
1242 you must use 'tcp-request content accept' rule combined with
1243 a 'req_rdp_cookie_cnt' ACL.
1244
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001245 This algorithm is static by default, which means that
1246 changing a server's weight on the fly will have no effect,
1247 but this can be changed using "hash-type".
1248
Willy Tarreau0ba27502007-12-24 16:55:16 +01001249 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001250 algorithms. Right now, only "url_param" and "uri" support an
1251 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001252
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001253 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001254 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001255
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001256 The load balancing algorithm of a backend is set to roundrobin when no other
1257 algorithm, mode nor option have been set. The algorithm may only be set once
1258 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001259
1260 Examples :
1261 balance roundrobin
1262 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001263 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001264 balance hdr(User-Agent)
1265 balance hdr(host)
1266 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001267
1268 Note: the following caveats and limitations on using the "check_post"
1269 extension with "url_param" must be considered :
1270
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001271 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001272 to determine if the parameters will be found in the body or entity which
1273 may contain binary data. Therefore another method may be required to
1274 restrict consideration of POST requests that have no URL parameters in
1275 the body. (see acl reqideny http_end)
1276
1277 - using a <max_wait> value larger than the request buffer size does not
1278 make sense and is useless. The buffer size is set at build time, and
1279 defaults to 16 kB.
1280
1281 - Content-Encoding is not supported, the parameter search will probably
1282 fail; and load balancing will fall back to Round Robin.
1283
1284 - Expect: 100-continue is not supported, load balancing will fall back to
1285 Round Robin.
1286
1287 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1288 If the entire parameter value is not present in the first chunk, the
1289 selection of server is undefined (actually, defined by how little
1290 actually appeared in the first chunk).
1291
1292 - This feature does not support generation of a 100, 411 or 501 response.
1293
1294 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001295 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001296 white space or control characters are found, indicating the end of what
1297 might be a URL parameter list. This is probably not a concern with SGML
1298 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001299
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001300 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1301 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001302
1303
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001304bind [<address>]:<port_range> [, ...]
1305bind [<address>]:<port_range> [, ...] interface <interface>
1306bind [<address>]:<port_range> [, ...] mss <maxseg>
1307bind [<address>]:<port_range> [, ...] transparent
1308bind [<address>]:<port_range> [, ...] id <id>
1309bind [<address>]:<port_range> [, ...] name <name>
1310bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau0ba27502007-12-24 16:55:16 +01001311 Define one or several listening addresses and/or ports in a frontend.
1312 May be used in sections : defaults | frontend | listen | backend
1313 no | yes | yes | no
1314 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001315 <address> is optional and can be a host name, an IPv4 address, an IPv6
1316 address, or '*'. It designates the address the frontend will
1317 listen on. If unset, all IPv4 addresses of the system will be
1318 listened on. The same will apply for '*' or the system's
1319 special address "0.0.0.0".
1320
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001321 <port_range> is either a unique TCP port, or a port range for which the
1322 proxy will accept connections for the IP address specified
1323 above. The port is mandatory. Note that in the case of an
1324 IPv6 address, the port is always the number after the last
1325 colon (':'). A range can either be :
1326 - a numerical port (ex: '80')
1327 - a dash-delimited ports range explicitly stating the lower
1328 and upper bounds (ex: '2000-2100') which are included in
1329 the range.
1330
1331 Particular care must be taken against port ranges, because
1332 every <address:port> couple consumes one socket (= a file
1333 descriptor), so it's easy to consume lots of descriptors
1334 with a simple range, and to run out of sockets. Also, each
1335 <address:port> couple must be used only once among all
1336 instances running on a same system. Please note that binding
1337 to ports lower than 1024 generally require particular
1338 privileges to start the program, which are independant of
1339 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001340
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001341 <interface> is an optional physical interface name. This is currently
1342 only supported on Linux. The interface must be a physical
1343 interface, not an aliased interface. When specified, all
1344 addresses on the same line will only be accepted if the
1345 incoming packet physically come through the designated
1346 interface. It is also possible to bind multiple frontends to
1347 the same address if they are bound to different interfaces.
1348 Note that binding to a physical interface requires root
1349 privileges.
1350
Willy Tarreaube1b9182009-06-14 18:48:19 +02001351 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1352 advertised on incoming connections. This can be used to force
1353 a lower MSS for certain specific ports, for instance for
1354 connections passing through a VPN. Note that this relies on a
1355 kernel feature which is theorically supported under Linux but
1356 was buggy in all versions prior to 2.6.28. It may or may not
1357 work on other operating systems. The commonly advertised
1358 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1359
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001360 <id> is a persistent value for socket ID. Must be positive and
1361 unique in the proxy. An unused value will automatically be
1362 assigned if unset. Can only be used when defining only a
1363 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001364
1365 <name> is an optional name provided for stats
1366
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001367 transparent is an optional keyword which is supported only on certain
1368 Linux kernels. It indicates that the addresses will be bound
1369 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001370 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001371 the address was locally configured. This normally requires
1372 that IP forwarding is enabled. Caution! do not use this with
1373 the default address '*', as it would redirect any traffic for
1374 the specified port. This keyword is available only when
1375 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001376
Willy Tarreau59f89202010-10-02 11:54:00 +02001377 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001378 Linux kernels. It states that a connection will only be
1379 accepted once some data arrive on it, or at worst after the
1380 first retransmit. This should be used only on protocols for
1381 which the client talks first (eg: HTTP). It can slightly
1382 improve performance by ensuring that most of the request is
1383 already available when the connection is accepted. On the
1384 other hand, it will not be able to detect connections which
1385 don't talk. It is important to note that this option is
1386 broken in all kernels up to 2.6.31, as the connection is
1387 never accepted until the client talks. This can cause issues
1388 with front firewalls which would see an established
1389 connection while the proxy will only see it in SYN_RECV.
1390
Willy Tarreau0ba27502007-12-24 16:55:16 +01001391 It is possible to specify a list of address:port combinations delimited by
1392 commas. The frontend will then listen on all of these addresses. There is no
1393 fixed limit to the number of addresses and ports which can be listened on in
1394 a frontend, as well as there is no limit to the number of "bind" statements
1395 in a frontend.
1396
1397 Example :
1398 listen http_proxy
1399 bind :80,:443
1400 bind 10.0.0.1:10080,10.0.0.1:10443
1401
1402 See also : "source".
1403
1404
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001405bind-process [ all | odd | even | <number 1-32> ] ...
1406 Limit visibility of an instance to a certain set of processes numbers.
1407 May be used in sections : defaults | frontend | listen | backend
1408 yes | yes | yes | yes
1409 Arguments :
1410 all All process will see this instance. This is the default. It
1411 may be used to override a default value.
1412
1413 odd This instance will be enabled on processes 1,3,5,...31. This
1414 option may be combined with other numbers.
1415
1416 even This instance will be enabled on processes 2,4,6,...32. This
1417 option may be combined with other numbers. Do not use it
1418 with less than 2 processes otherwise some instances might be
1419 missing from all processes.
1420
1421 number The instance will be enabled on this process number, between
1422 1 and 32. You must be careful not to reference a process
1423 number greater than the configured global.nbproc, otherwise
1424 some instances might be missing from all processes.
1425
1426 This keyword limits binding of certain instances to certain processes. This
1427 is useful in order not to have too many processes listening to the same
1428 ports. For instance, on a dual-core machine, it might make sense to set
1429 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1430 and 'even' instances.
1431
1432 At the moment, it is not possible to reference more than 32 processes using
1433 this keyword, but this should be more than enough for most setups. Please
1434 note that 'all' really means all processes and is not limited to the first
1435 32.
1436
1437 If some backends are referenced by frontends bound to other processes, the
1438 backend automatically inherits the frontend's processes.
1439
1440 Example :
1441 listen app_ip1
1442 bind 10.0.0.1:80
1443 bind_process odd
1444
1445 listen app_ip2
1446 bind 10.0.0.2:80
1447 bind_process even
1448
1449 listen management
1450 bind 10.0.0.3:80
1451 bind_process 1 2 3 4
1452
1453 See also : "nbproc" in global section.
1454
1455
Willy Tarreau0ba27502007-12-24 16:55:16 +01001456block { if | unless } <condition>
1457 Block a layer 7 request if/unless a condition is matched
1458 May be used in sections : defaults | frontend | listen | backend
1459 no | yes | yes | yes
1460
1461 The HTTP request will be blocked very early in the layer 7 processing
1462 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001463 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001464 typically used to deny access to certain sensible resources if some
1465 conditions are met or not met. There is no fixed limit to the number of
1466 "block" statements per instance.
1467
1468 Example:
1469 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1470 acl invalid_src src_port 0:1023
1471 acl local_dst hdr(host) -i localhost
1472 block if invalid_src || local_dst
1473
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001474 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001475
1476
1477capture cookie <name> len <length>
1478 Capture and log a cookie in the request and in the response.
1479 May be used in sections : defaults | frontend | listen | backend
1480 no | yes | yes | no
1481 Arguments :
1482 <name> is the beginning of the name of the cookie to capture. In order
1483 to match the exact name, simply suffix the name with an equal
1484 sign ('='). The full name will appear in the logs, which is
1485 useful with application servers which adjust both the cookie name
1486 and value (eg: ASPSESSIONXXXXX).
1487
1488 <length> is the maximum number of characters to report in the logs, which
1489 include the cookie name, the equal sign and the value, all in the
1490 standard "name=value" form. The string will be truncated on the
1491 right if it exceeds <length>.
1492
1493 Only the first cookie is captured. Both the "cookie" request headers and the
1494 "set-cookie" response headers are monitored. This is particularly useful to
1495 check for application bugs causing session crossing or stealing between
1496 users, because generally the user's cookies can only change on a login page.
1497
1498 When the cookie was not presented by the client, the associated log column
1499 will report "-". When a request does not cause a cookie to be assigned by the
1500 server, a "-" is reported in the response column.
1501
1502 The capture is performed in the frontend only because it is necessary that
1503 the log format does not change for a given frontend depending on the
1504 backends. This may change in the future. Note that there can be only one
1505 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001506 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001507 specify a capture in a "defaults" section.
1508
1509 Example:
1510 capture cookie ASPSESSION len 32
1511
1512 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001513 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001514
1515
1516capture request header <name> len <length>
1517 Capture and log the first occurrence of the specified request header.
1518 May be used in sections : defaults | frontend | listen | backend
1519 no | yes | yes | no
1520 Arguments :
1521 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001522 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001523 appear in the requests, with the first letter of each word in
1524 upper case. The header name will not appear in the logs, only the
1525 value is reported, but the position in the logs is respected.
1526
1527 <length> is the maximum number of characters to extract from the value and
1528 report in the logs. The string will be truncated on the right if
1529 it exceeds <length>.
1530
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001531 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001532 value will be added to the logs between braces ('{}'). If multiple headers
1533 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001534 in the same order they were declared in the configuration. Non-existent
1535 headers will be logged just as an empty string. Common uses for request
1536 header captures include the "Host" field in virtual hosting environments, the
1537 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001538 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001539 environments to find where the request came from.
1540
1541 Note that when capturing headers such as "User-agent", some spaces may be
1542 logged, making the log analysis more difficult. Thus be careful about what
1543 you log if you know your log parser is not smart enough to rely on the
1544 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001545
1546 There is no limit to the number of captured request headers, but each capture
1547 is limited to 64 characters. In order to keep log format consistent for a
1548 same frontend, header captures can only be declared in a frontend. It is not
1549 possible to specify a capture in a "defaults" section.
1550
1551 Example:
1552 capture request header Host len 15
1553 capture request header X-Forwarded-For len 15
1554 capture request header Referrer len 15
1555
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001556 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001557 about logging.
1558
1559
1560capture response header <name> len <length>
1561 Capture and log the first occurrence of the specified response header.
1562 May be used in sections : defaults | frontend | listen | backend
1563 no | yes | yes | no
1564 Arguments :
1565 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001566 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001567 appear in the response, with the first letter of each word in
1568 upper case. The header name will not appear in the logs, only the
1569 value is reported, but the position in the logs is respected.
1570
1571 <length> is the maximum number of characters to extract from the value and
1572 report in the logs. The string will be truncated on the right if
1573 it exceeds <length>.
1574
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001575 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001576 result will be added to the logs between braces ('{}') after the captured
1577 request headers. If multiple headers are captured, they will be delimited by
1578 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001579 the configuration. Non-existent headers will be logged just as an empty
1580 string. Common uses for response header captures include the "Content-length"
1581 header which indicates how many bytes are expected to be returned, the
1582 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001583
1584 There is no limit to the number of captured response headers, but each
1585 capture is limited to 64 characters. In order to keep log format consistent
1586 for a same frontend, header captures can only be declared in a frontend. It
1587 is not possible to specify a capture in a "defaults" section.
1588
1589 Example:
1590 capture response header Content-length len 9
1591 capture response header Location len 15
1592
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001593 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001594 about logging.
1595
1596
Cyril Bontéf0c60612010-02-06 14:44:47 +01001597clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001598 Set the maximum inactivity time on the client side.
1599 May be used in sections : defaults | frontend | listen | backend
1600 yes | yes | yes | no
1601 Arguments :
1602 <timeout> is the timeout value is specified in milliseconds by default, but
1603 can be in any other unit if the number is suffixed by the unit,
1604 as explained at the top of this document.
1605
1606 The inactivity timeout applies when the client is expected to acknowledge or
1607 send data. In HTTP mode, this timeout is particularly important to consider
1608 during the first phase, when the client sends the request, and during the
1609 response while it is reading data sent by the server. The value is specified
1610 in milliseconds by default, but can be in any other unit if the number is
1611 suffixed by the unit, as specified at the top of this document. In TCP mode
1612 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1613 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001614 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001615 losses by specifying timeouts that are slightly above multiples of 3 seconds
1616 (eg: 4 or 5 seconds).
1617
1618 This parameter is specific to frontends, but can be specified once for all in
1619 "defaults" sections. This is in fact one of the easiest solutions not to
1620 forget about it. An unspecified timeout results in an infinite timeout, which
1621 is not recommended. Such a usage is accepted and works but reports a warning
1622 during startup because it may results in accumulation of expired sessions in
1623 the system if the system's timeouts are not configured either.
1624
1625 This parameter is provided for compatibility but is currently deprecated.
1626 Please use "timeout client" instead.
1627
Willy Tarreau036fae02008-01-06 13:24:40 +01001628 See also : "timeout client", "timeout http-request", "timeout server", and
1629 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001630
1631
Cyril Bontéf0c60612010-02-06 14:44:47 +01001632contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001633 Set the maximum time to wait for a connection attempt to a server to succeed.
1634 May be used in sections : defaults | frontend | listen | backend
1635 yes | no | yes | yes
1636 Arguments :
1637 <timeout> is the timeout value is specified in milliseconds by default, but
1638 can be in any other unit if the number is suffixed by the unit,
1639 as explained at the top of this document.
1640
1641 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001642 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001643 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001644 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1645 connect timeout also presets the queue timeout to the same value if this one
1646 has not been specified. Historically, the contimeout was also used to set the
1647 tarpit timeout in a listen section, which is not possible in a pure frontend.
1648
1649 This parameter is specific to backends, but can be specified once for all in
1650 "defaults" sections. This is in fact one of the easiest solutions not to
1651 forget about it. An unspecified timeout results in an infinite timeout, which
1652 is not recommended. Such a usage is accepted and works but reports a warning
1653 during startup because it may results in accumulation of failed sessions in
1654 the system if the system's timeouts are not configured either.
1655
1656 This parameter is provided for backwards compatibility but is currently
1657 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1658 instead.
1659
1660 See also : "timeout connect", "timeout queue", "timeout tarpit",
1661 "timeout server", "contimeout".
1662
1663
Willy Tarreau55165fe2009-05-10 12:02:55 +02001664cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau68a897b2009-12-03 23:28:34 +01001665 [ postonly ] [ domain <domain> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01001666 Enable cookie-based persistence in a backend.
1667 May be used in sections : defaults | frontend | listen | backend
1668 yes | no | yes | yes
1669 Arguments :
1670 <name> is the name of the cookie which will be monitored, modified or
1671 inserted in order to bring persistence. This cookie is sent to
1672 the client via a "Set-Cookie" header in the response, and is
1673 brought back by the client in a "Cookie" header in all requests.
1674 Special care should be taken to choose a name which does not
1675 conflict with any likely application cookie. Also, if the same
1676 backends are subject to be used by the same clients (eg:
1677 HTTP/HTTPS), care should be taken to use different cookie names
1678 between all backends if persistence between them is not desired.
1679
1680 rewrite This keyword indicates that the cookie will be provided by the
1681 server and that haproxy will have to modify its value to set the
1682 server's identifier in it. This mode is handy when the management
1683 of complex combinations of "Set-cookie" and "Cache-control"
1684 headers is left to the application. The application can then
1685 decide whether or not it is appropriate to emit a persistence
1686 cookie. Since all responses should be monitored, this mode only
1687 works in HTTP close mode. Unless the application behaviour is
1688 very complex and/or broken, it is advised not to start with this
1689 mode for new deployments. This keyword is incompatible with
1690 "insert" and "prefix".
1691
1692 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001693 be inserted by haproxy in server responses if the client did not
1694 already have a cookie that would have permitted it to access this
1695 server. If the server emits a cookie with the same name, it will
1696 be remove before processing. For this reason, this mode can be
1697 used to upgrade existing configurations running in the "rewrite"
1698 mode. The cookie will only be a session cookie and will not be
1699 stored on the client's disk. By default, unless the "indirect"
1700 option is added, the server will see the cookies emitted by the
1701 client. Due to caching effects, it is generally wise to add the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001702 "nocache" or "postonly" keywords (see below). The "insert"
1703 keyword is not compatible with "rewrite" and "prefix".
1704
1705 prefix This keyword indicates that instead of relying on a dedicated
1706 cookie for the persistence, an existing one will be completed.
1707 This may be needed in some specific environments where the client
1708 does not support more than one single cookie and the application
1709 already needs it. In this case, whenever the server sets a cookie
1710 named <name>, it will be prefixed with the server's identifier
1711 and a delimiter. The prefix will be removed from all client
1712 requests so that the server still finds the cookie it emitted.
1713 Since all requests and responses are subject to being modified,
1714 this mode requires the HTTP close mode. The "prefix" keyword is
1715 not compatible with "rewrite" and "insert".
1716
Willy Tarreaua79094d2010-08-31 22:54:15 +02001717 indirect When this option is specified, no cookie will be emitted to a
1718 client which already has a valid one for the server which has
1719 processed the request. If the server sets such a cookie itself,
1720 it will be removed. In "insert" mode, this will additionally
1721 remove cookies from requests transmitted to the server, making
1722 the persistence mechanism totally transparent from an application
1723 point of view.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001724
1725 nocache This option is recommended in conjunction with the insert mode
1726 when there is a cache between the client and HAProxy, as it
1727 ensures that a cacheable response will be tagged non-cacheable if
1728 a cookie needs to be inserted. This is important because if all
1729 persistence cookies are added on a cacheable home page for
1730 instance, then all customers will then fetch the page from an
1731 outer cache and will all share the same persistence cookie,
1732 leading to one server receiving much more traffic than others.
1733 See also the "insert" and "postonly" options.
1734
1735 postonly This option ensures that cookie insertion will only be performed
1736 on responses to POST requests. It is an alternative to the
1737 "nocache" option, because POST responses are not cacheable, so
1738 this ensures that the persistence cookie will never get cached.
1739 Since most sites do not need any sort of persistence before the
1740 first POST which generally is a login request, this is a very
1741 efficient method to optimize caching without risking to find a
1742 persistence cookie in the cache.
1743 See also the "insert" and "nocache" options.
1744
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001745 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001746 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001747 name. If the domain begins with a dot, the browser is allowed to
1748 use it for any host ending with that name. It is also possible to
1749 specify several domain names by invoking this option multiple
1750 times. Some browsers might have small limits on the number of
1751 domains, so be careful when doing that. For the record, sending
1752 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001753
Willy Tarreau0ba27502007-12-24 16:55:16 +01001754 There can be only one persistence cookie per HTTP backend, and it can be
1755 declared in a defaults section. The value of the cookie will be the value
1756 indicated after the "cookie" keyword in a "server" statement. If no cookie
1757 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001758
Willy Tarreau0ba27502007-12-24 16:55:16 +01001759 Examples :
1760 cookie JSESSIONID prefix
1761 cookie SRV insert indirect nocache
1762 cookie SRV insert postonly indirect
1763
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001764 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001765 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001766
Willy Tarreau983e01e2010-01-11 18:42:06 +01001767
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001768default-server [param*]
1769 Change default options for a server in a backend
1770 May be used in sections : defaults | frontend | listen | backend
1771 yes | no | yes | yes
1772 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001773 <param*> is a list of parameters for this server. The "default-server"
1774 keyword accepts an important number of options and has a complete
1775 section dedicated to it. Please refer to section 5 for more
1776 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001777
Willy Tarreau983e01e2010-01-11 18:42:06 +01001778 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001779 default-server inter 1000 weight 13
1780
1781 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001782
Willy Tarreau983e01e2010-01-11 18:42:06 +01001783
Willy Tarreau0ba27502007-12-24 16:55:16 +01001784default_backend <backend>
1785 Specify the backend to use when no "use_backend" rule has been matched.
1786 May be used in sections : defaults | frontend | listen | backend
1787 yes | yes | yes | no
1788 Arguments :
1789 <backend> is the name of the backend to use.
1790
1791 When doing content-switching between frontend and backends using the
1792 "use_backend" keyword, it is often useful to indicate which backend will be
1793 used when no rule has matched. It generally is the dynamic backend which
1794 will catch all undetermined requests.
1795
Willy Tarreau0ba27502007-12-24 16:55:16 +01001796 Example :
1797
1798 use_backend dynamic if url_dyn
1799 use_backend static if url_css url_img extension_img
1800 default_backend dynamic
1801
Willy Tarreau2769aa02007-12-27 18:26:09 +01001802 See also : "use_backend", "reqsetbe", "reqisetbe"
1803
Willy Tarreau0ba27502007-12-24 16:55:16 +01001804
1805disabled
1806 Disable a proxy, frontend or backend.
1807 May be used in sections : defaults | frontend | listen | backend
1808 yes | yes | yes | yes
1809 Arguments : none
1810
1811 The "disabled" keyword is used to disable an instance, mainly in order to
1812 liberate a listening port or to temporarily disable a service. The instance
1813 will still be created and its configuration will be checked, but it will be
1814 created in the "stopped" state and will appear as such in the statistics. It
1815 will not receive any traffic nor will it send any health-checks or logs. It
1816 is possible to disable many instances at once by adding the "disabled"
1817 keyword in a "defaults" section.
1818
1819 See also : "enabled"
1820
1821
Willy Tarreau5ce94572010-06-07 14:35:41 +02001822dispatch <address>:<port>
1823 Set a default server address
1824 May be used in sections : defaults | frontend | listen | backend
1825 no | no | yes | yes
1826 Arguments : none
1827
1828 <address> is the IPv4 address of the default server. Alternatively, a
1829 resolvable hostname is supported, but this name will be resolved
1830 during start-up.
1831
1832 <ports> is a mandatory port specification. All connections will be sent
1833 to this port, and it is not permitted to use port offsets as is
1834 possible with normal servers.
1835
1836 The "disabled" keyword designates a default server for use when no other
1837 server can take the connection. In the past it was used to forward non
1838 persistent connections to an auxiliary load balancer. Due to its simple
1839 syntax, it has also been used for simple TCP relays. It is recommended not to
1840 use it for more clarity, and to use the "server" directive instead.
1841
1842 See also : "server"
1843
1844
Willy Tarreau0ba27502007-12-24 16:55:16 +01001845enabled
1846 Enable a proxy, frontend or backend.
1847 May be used in sections : defaults | frontend | listen | backend
1848 yes | yes | yes | yes
1849 Arguments : none
1850
1851 The "enabled" keyword is used to explicitly enable an instance, when the
1852 defaults has been set to "disabled". This is very rarely used.
1853
1854 See also : "disabled"
1855
1856
1857errorfile <code> <file>
1858 Return a file contents instead of errors generated by HAProxy
1859 May be used in sections : defaults | frontend | listen | backend
1860 yes | yes | yes | yes
1861 Arguments :
1862 <code> is the HTTP status code. Currently, HAProxy is capable of
1863 generating codes 400, 403, 408, 500, 502, 503, and 504.
1864
1865 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001866 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001867 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001868 error pages, and to use absolute paths, since files are read
1869 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001870
1871 It is important to understand that this keyword is not meant to rewrite
1872 errors returned by the server, but errors detected and returned by HAProxy.
1873 This is why the list of supported errors is limited to a small set.
1874
1875 The files are returned verbatim on the TCP socket. This allows any trick such
1876 as redirections to another URL or site, as well as tricks to clean cookies,
1877 force enable or disable caching, etc... The package provides default error
1878 files returning the same contents as default errors.
1879
Willy Tarreau59140a22009-02-22 12:02:30 +01001880 The files should not exceed the configured buffer size (BUFSIZE), which
1881 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1882 not to put any reference to local contents (eg: images) in order to avoid
1883 loops between the client and HAProxy when all servers are down, causing an
1884 error to be returned instead of an image. For better HTTP compliance, it is
1885 recommended that all header lines end with CR-LF and not LF alone.
1886
Willy Tarreau0ba27502007-12-24 16:55:16 +01001887 The files are read at the same time as the configuration and kept in memory.
1888 For this reason, the errors continue to be returned even when the process is
1889 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001890 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001891 403 status code and interrogating a blocked URL.
1892
1893 See also : "errorloc", "errorloc302", "errorloc303"
1894
Willy Tarreau59140a22009-02-22 12:02:30 +01001895 Example :
1896 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1897 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1898 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1899
Willy Tarreau2769aa02007-12-27 18:26:09 +01001900
1901errorloc <code> <url>
1902errorloc302 <code> <url>
1903 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1904 May be used in sections : defaults | frontend | listen | backend
1905 yes | yes | yes | yes
1906 Arguments :
1907 <code> is the HTTP status code. Currently, HAProxy is capable of
1908 generating codes 400, 403, 408, 500, 502, 503, and 504.
1909
1910 <url> it is the exact contents of the "Location" header. It may contain
1911 either a relative URI to an error page hosted on the same site,
1912 or an absolute URI designating an error page on another site.
1913 Special care should be given to relative URIs to avoid redirect
1914 loops if the URI itself may generate the same error (eg: 500).
1915
1916 It is important to understand that this keyword is not meant to rewrite
1917 errors returned by the server, but errors detected and returned by HAProxy.
1918 This is why the list of supported errors is limited to a small set.
1919
1920 Note that both keyword return the HTTP 302 status code, which tells the
1921 client to fetch the designated URL using the same HTTP method. This can be
1922 quite problematic in case of non-GET methods such as POST, because the URL
1923 sent to the client might not be allowed for something other than GET. To
1924 workaround this problem, please use "errorloc303" which send the HTTP 303
1925 status code, indicating to the client that the URL must be fetched with a GET
1926 request.
1927
1928 See also : "errorfile", "errorloc303"
1929
1930
1931errorloc303 <code> <url>
1932 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1933 May be used in sections : defaults | frontend | listen | backend
1934 yes | yes | yes | yes
1935 Arguments :
1936 <code> is the HTTP status code. Currently, HAProxy is capable of
1937 generating codes 400, 403, 408, 500, 502, 503, and 504.
1938
1939 <url> it is the exact contents of the "Location" header. It may contain
1940 either a relative URI to an error page hosted on the same site,
1941 or an absolute URI designating an error page on another site.
1942 Special care should be given to relative URIs to avoid redirect
1943 loops if the URI itself may generate the same error (eg: 500).
1944
1945 It is important to understand that this keyword is not meant to rewrite
1946 errors returned by the server, but errors detected and returned by HAProxy.
1947 This is why the list of supported errors is limited to a small set.
1948
1949 Note that both keyword return the HTTP 303 status code, which tells the
1950 client to fetch the designated URL using the same HTTP GET method. This
1951 solves the usual problems associated with "errorloc" and the 302 code. It is
1952 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001953 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001954
1955 See also : "errorfile", "errorloc", "errorloc302"
1956
1957
Willy Tarreau4de91492010-01-22 19:10:05 +01001958force-persist { if | unless } <condition>
1959 Declare a condition to force persistence on down servers
1960 May be used in sections: defaults | frontend | listen | backend
1961 no | yes | yes | yes
1962
1963 By default, requests are not dispatched to down servers. It is possible to
1964 force this using "option persist", but it is unconditional and redispatches
1965 to a valid server if "option redispatch" is set. That leaves with very little
1966 possibilities to force some requests to reach a server which is artificially
1967 marked down for maintenance operations.
1968
1969 The "force-persist" statement allows one to declare various ACL-based
1970 conditions which, when met, will cause a request to ignore the down status of
1971 a server and still try to connect to it. That makes it possible to start a
1972 server, still replying an error to the health checks, and run a specially
1973 configured browser to test the service. Among the handy methods, one could
1974 use a specific source IP address, or a specific cookie. The cookie also has
1975 the advantage that it can easily be added/removed on the browser from a test
1976 page. Once the service is validated, it is then possible to open the service
1977 to the world by returning a valid response to health checks.
1978
1979 The forced persistence is enabled when an "if" condition is met, or unless an
1980 "unless" condition is met. The final redispatch is always disabled when this
1981 is used.
1982
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001983 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001984 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01001985
1986
Willy Tarreau2769aa02007-12-27 18:26:09 +01001987fullconn <conns>
1988 Specify at what backend load the servers will reach their maxconn
1989 May be used in sections : defaults | frontend | listen | backend
1990 yes | no | yes | yes
1991 Arguments :
1992 <conns> is the number of connections on the backend which will make the
1993 servers use the maximal number of connections.
1994
Willy Tarreau198a7442008-01-17 12:05:32 +01001995 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01001996 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01001997 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01001998 load. The server will then always accept at least <minconn> connections,
1999 never more than <maxconn>, and the limit will be on the ramp between both
2000 values when the backend has less than <conns> concurrent connections. This
2001 makes it possible to limit the load on the servers during normal loads, but
2002 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002003 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002004
2005 Example :
2006 # The servers will accept between 100 and 1000 concurrent connections each
2007 # and the maximum of 1000 will be reached when the backend reaches 10000
2008 # connections.
2009 backend dynamic
2010 fullconn 10000
2011 server srv1 dyn1:80 minconn 100 maxconn 1000
2012 server srv2 dyn2:80 minconn 100 maxconn 1000
2013
2014 See also : "maxconn", "server"
2015
2016
2017grace <time>
2018 Maintain a proxy operational for some time after a soft stop
2019 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002020 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002021 Arguments :
2022 <time> is the time (by default in milliseconds) for which the instance
2023 will remain operational with the frontend sockets still listening
2024 when a soft-stop is received via the SIGUSR1 signal.
2025
2026 This may be used to ensure that the services disappear in a certain order.
2027 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002028 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002029 needed by the equipment to detect the failure.
2030
2031 Note that currently, there is very little benefit in using this parameter,
2032 and it may in fact complicate the soft-reconfiguration process more than
2033 simplify it.
2034
Willy Tarreau0ba27502007-12-24 16:55:16 +01002035
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002036hash-type <method>
2037 Specify a method to use for mapping hashes to servers
2038 May be used in sections : defaults | frontend | listen | backend
2039 yes | no | yes | yes
2040 Arguments :
2041 map-based the hash table is a static array containing all alive servers.
2042 The hashes will be very smooth, will consider weights, but will
2043 be static in that weight changes while a server is up will be
2044 ignored. This means that there will be no slow start. Also,
2045 since a server is selected by its position in the array, most
2046 mappings are changed when the server count changes. This means
2047 that when a server goes up or down, or when a server is added
2048 to a farm, most connections will be redistributed to different
2049 servers. This can be inconvenient with caches for instance.
2050
2051 consistent the hash table is a tree filled with many occurrences of each
2052 server. The hash key is looked up in the tree and the closest
2053 server is chosen. This hash is dynamic, it supports changing
2054 weights while the servers are up, so it is compatible with the
2055 slow start feature. It has the advantage that when a server
2056 goes up or down, only its associations are moved. When a server
2057 is added to the farm, only a few part of the mappings are
2058 redistributed, making it an ideal algorithm for caches.
2059 However, due to its principle, the algorithm will never be very
2060 smooth and it may sometimes be necessary to adjust a server's
2061 weight or its ID to get a more balanced distribution. In order
2062 to get the same distribution on multiple load balancers, it is
2063 important that all servers have the same IDs.
2064
2065 The default hash type is "map-based" and is recommended for most usages.
2066
2067 See also : "balance", "server"
2068
2069
Willy Tarreau0ba27502007-12-24 16:55:16 +01002070http-check disable-on-404
2071 Enable a maintenance mode upon HTTP/404 response to health-checks
2072 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002073 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002074 Arguments : none
2075
2076 When this option is set, a server which returns an HTTP code 404 will be
2077 excluded from further load-balancing, but will still receive persistent
2078 connections. This provides a very convenient method for Web administrators
2079 to perform a graceful shutdown of their servers. It is also important to note
2080 that a server which is detected as failed while it was in this mode will not
2081 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2082 will immediately be reinserted into the farm. The status on the stats page
2083 reports "NOLB" for a server in this mode. It is important to note that this
2084 option only works in conjunction with the "httpchk" option.
2085
Willy Tarreau2769aa02007-12-27 18:26:09 +01002086 See also : "option httpchk"
2087
2088
Willy Tarreauef781042010-01-27 11:53:01 +01002089http-check send-state
2090 Enable emission of a state header with HTTP health checks
2091 May be used in sections : defaults | frontend | listen | backend
2092 yes | no | yes | yes
2093 Arguments : none
2094
2095 When this option is set, haproxy will systematically send a special header
2096 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2097 how they are seen by haproxy. This can be used for instance when a server is
2098 manipulated without access to haproxy and the operator needs to know whether
2099 haproxy still sees it up or not, or if the server is the last one in a farm.
2100
2101 The header is composed of fields delimited by semi-colons, the first of which
2102 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2103 checks on the total number before transition, just as appears in the stats
2104 interface. Next headers are in the form "<variable>=<value>", indicating in
2105 no specific order some values available in the stats interface :
2106 - a variable "name", containing the name of the backend followed by a slash
2107 ("/") then the name of the server. This can be used when a server is
2108 checked in multiple backends.
2109
2110 - a variable "node" containing the name of the haproxy node, as set in the
2111 global "node" variable, otherwise the system's hostname if unspecified.
2112
2113 - a variable "weight" indicating the weight of the server, a slash ("/")
2114 and the total weight of the farm (just counting usable servers). This
2115 helps to know if other servers are available to handle the load when this
2116 one fails.
2117
2118 - a variable "scur" indicating the current number of concurrent connections
2119 on the server, followed by a slash ("/") then the total number of
2120 connections on all servers of the same backend.
2121
2122 - a variable "qcur" indicating the current number of requests in the
2123 server's queue.
2124
2125 Example of a header received by the application server :
2126 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2127 scur=13/22; qcur=0
2128
2129 See also : "option httpchk", "http-check disable-on-404"
2130
Cyril Bontéf0c60612010-02-06 14:44:47 +01002131http-request { allow | deny | http-auth [realm <realm>] }
2132 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002133 Access control for Layer 7 requests
2134
2135 May be used in sections: defaults | frontend | listen | backend
2136 no | yes | yes | yes
2137
2138 These set of options allow to fine control access to a
2139 frontend/listen/backend. Each option may be followed by if/unless and acl.
2140 First option with matched condition (or option without condition) is final.
2141 For "block" a 403 error will be returned, for "allow" normal processing is
2142 performed, for "http-auth" a 401/407 error code is returned so the client
2143 should be asked to enter a username and password.
2144
2145 There is no fixed limit to the number of http-request statements per
2146 instance.
2147
2148 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002149 acl nagios src 192.168.129.3
2150 acl local_net src 192.168.0.0/16
2151 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002152
Cyril Bonté78caf842010-03-10 22:41:43 +01002153 http-request allow if nagios
2154 http-request allow if local_net auth_ok
2155 http-request auth realm Gimme if local_net auth_ok
2156 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002157
Cyril Bonté78caf842010-03-10 22:41:43 +01002158 Example:
2159 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002160
Cyril Bonté78caf842010-03-10 22:41:43 +01002161 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002162
2163 See section 3.4 about userlists and 7 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002164
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002165id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002166 Set a persistent ID to a proxy.
2167 May be used in sections : defaults | frontend | listen | backend
2168 no | yes | yes | yes
2169 Arguments : none
2170
2171 Set a persistent ID for the proxy. This ID must be unique and positive.
2172 An unused ID will automatically be assigned if unset. The first assigned
2173 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002174
2175
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002176ignore-persist { if | unless } <condition>
2177 Declare a condition to ignore persistence
2178 May be used in sections: defaults | frontend | listen | backend
2179 no | yes | yes | yes
2180
2181 By default, when cookie persistence is enabled, every requests containing
2182 the cookie are unconditionally persistent (assuming the target server is up
2183 and running).
2184
2185 The "ignore-persist" statement allows one to declare various ACL-based
2186 conditions which, when met, will cause a request to ignore persistence.
2187 This is sometimes useful to load balance requests for static files, which
2188 oftenly don't require persistence. This can also be used to fully disable
2189 persistence for a specific User-Agent (for example, some web crawler bots).
2190
2191 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2192 the appsession table won't grow if persistence is ignored.
2193
2194 The persistence is ignored when an "if" condition is met, or unless an
2195 "unless" condition is met.
2196
2197 See also : "force-persist", "cookie", and section 7 about ACL usage.
2198
2199
Willy Tarreau2769aa02007-12-27 18:26:09 +01002200log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002201log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01002202 Enable per-instance logging of events and traffic.
2203 May be used in sections : defaults | frontend | listen | backend
2204 yes | yes | yes | yes
2205 Arguments :
2206 global should be used when the instance's logging parameters are the
2207 same as the global ones. This is the most common usage. "global"
2208 replaces <address>, <facility> and <level> with those of the log
2209 entries found in the "global" section. Only one "log global"
2210 statement may be used per instance, and this form takes no other
2211 parameter.
2212
2213 <address> indicates where to send the logs. It takes the same format as
2214 for the "global" section's logs, and can be one of :
2215
2216 - An IPv4 address optionally followed by a colon (':') and a UDP
2217 port. If no port is specified, 514 is used by default (the
2218 standard syslog port).
2219
2220 - A filesystem path to a UNIX domain socket, keeping in mind
2221 considerations for chroot (be sure the path is accessible
2222 inside the chroot) and uid/gid (be sure the path is
2223 appropriately writeable).
2224
2225 <facility> must be one of the 24 standard syslog facilities :
2226
2227 kern user mail daemon auth syslog lpr news
2228 uucp cron auth2 ftp ntp audit alert cron2
2229 local0 local1 local2 local3 local4 local5 local6 local7
2230
2231 <level> is optional and can be specified to filter outgoing messages. By
2232 default, all messages are sent. If a level is specified, only
2233 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002234 will be sent. An optional minimum level can be specified. If it
2235 is set, logs emitted with a more severe level than this one will
2236 be capped to this level. This is used to avoid sending "emerg"
2237 messages on all terminals on some default syslog configurations.
2238 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002239
2240 emerg alert crit err warning notice info debug
2241
2242 Note that up to two "log" entries may be specified per instance. However, if
2243 "log global" is used and if the "global" section already contains 2 log
2244 entries, then additional log entries will be ignored.
2245
2246 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002247 what to log from a connection, and that in case of content switching, the log
2248 entries from the backend will be ignored. Connections are logged at level
2249 "info".
2250
2251 However, backend log declaration define how and where servers status changes
2252 will be logged. Level "notice" will be used to indicate a server going up,
2253 "warning" will be used for termination signals and definitive service
2254 termination, and "alert" will be used for when a server goes down.
2255
2256 Note : According to RFC3164, messages are truncated to 1024 bytes before
2257 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002258
2259 Example :
2260 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002261 log 127.0.0.1:514 local0 notice # only send important events
2262 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002263
2264
2265maxconn <conns>
2266 Fix the maximum number of concurrent connections on a frontend
2267 May be used in sections : defaults | frontend | listen | backend
2268 yes | yes | yes | no
2269 Arguments :
2270 <conns> is the maximum number of concurrent connections the frontend will
2271 accept to serve. Excess connections will be queued by the system
2272 in the socket's listen queue and will be served once a connection
2273 closes.
2274
2275 If the system supports it, it can be useful on big sites to raise this limit
2276 very high so that haproxy manages connection queues, instead of leaving the
2277 clients with unanswered connection attempts. This value should not exceed the
2278 global maxconn. Also, keep in mind that a connection contains two buffers
2279 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2280 consumed per established connection. That means that a medium system equipped
2281 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2282 properly tuned.
2283
2284 Also, when <conns> is set to large values, it is possible that the servers
2285 are not sized to accept such loads, and for this reason it is generally wise
2286 to assign them some reasonable connection limits.
2287
2288 See also : "server", global section's "maxconn", "fullconn"
2289
2290
2291mode { tcp|http|health }
2292 Set the running mode or protocol of the instance
2293 May be used in sections : defaults | frontend | listen | backend
2294 yes | yes | yes | yes
2295 Arguments :
2296 tcp The instance will work in pure TCP mode. A full-duplex connection
2297 will be established between clients and servers, and no layer 7
2298 examination will be performed. This is the default mode. It
2299 should be used for SSL, SSH, SMTP, ...
2300
2301 http The instance will work in HTTP mode. The client request will be
2302 analyzed in depth before connecting to any server. Any request
2303 which is not RFC-compliant will be rejected. Layer 7 filtering,
2304 processing and switching will be possible. This is the mode which
2305 brings HAProxy most of its value.
2306
2307 health The instance will work in "health" mode. It will just reply "OK"
2308 to incoming connections and close the connection. Nothing will be
2309 logged. This mode is used to reply to external components health
2310 checks. This mode is deprecated and should not be used anymore as
2311 it is possible to do the same and even better by combining TCP or
2312 HTTP modes with the "monitor" keyword.
2313
2314 When doing content switching, it is mandatory that the frontend and the
2315 backend are in the same mode (generally HTTP), otherwise the configuration
2316 will be refused.
2317
2318 Example :
2319 defaults http_instances
2320 mode http
2321
2322 See also : "monitor", "monitor-net"
2323
Willy Tarreau0ba27502007-12-24 16:55:16 +01002324
Cyril Bontéf0c60612010-02-06 14:44:47 +01002325monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002326 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002327 May be used in sections : defaults | frontend | listen | backend
2328 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002329 Arguments :
2330 if <cond> the monitor request will fail if the condition is satisfied,
2331 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002332 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002333 are met, for instance a low number of servers both in a
2334 backend and its backup.
2335
2336 unless <cond> the monitor request will succeed only if the condition is
2337 satisfied, and will fail otherwise. Such a condition may be
2338 based on a test on the presence of a minimum number of active
2339 servers in a list of backends.
2340
2341 This statement adds a condition which can force the response to a monitor
2342 request to report a failure. By default, when an external component queries
2343 the URI dedicated to monitoring, a 200 response is returned. When one of the
2344 conditions above is met, haproxy will return 503 instead of 200. This is
2345 very useful to report a site failure to an external component which may base
2346 routing advertisements between multiple sites on the availability reported by
2347 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002348 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002349
2350 Example:
2351 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002352 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002353 acl site_dead nbsrv(dynamic) lt 2
2354 acl site_dead nbsrv(static) lt 2
2355 monitor-uri /site_alive
2356 monitor fail if site_dead
2357
Willy Tarreau2769aa02007-12-27 18:26:09 +01002358 See also : "monitor-net", "monitor-uri"
2359
2360
2361monitor-net <source>
2362 Declare a source network which is limited to monitor requests
2363 May be used in sections : defaults | frontend | listen | backend
2364 yes | yes | yes | no
2365 Arguments :
2366 <source> is the source IPv4 address or network which will only be able to
2367 get monitor responses to any request. It can be either an IPv4
2368 address, a host name, or an address followed by a slash ('/')
2369 followed by a mask.
2370
2371 In TCP mode, any connection coming from a source matching <source> will cause
2372 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002373 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002374 forwarding the connection to a remote server.
2375
2376 In HTTP mode, a connection coming from a source matching <source> will be
2377 accepted, the following response will be sent without waiting for a request,
2378 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2379 enough for any front-end HTTP probe to detect that the service is UP and
2380 running without forwarding the request to a backend server.
2381
2382 Monitor requests are processed very early. It is not possible to block nor
2383 divert them using ACLs. They cannot be logged either, and it is the intended
2384 purpose. They are only used to report HAProxy's health to an upper component,
2385 nothing more. Right now, it is not possible to set failure conditions on
2386 requests caught by "monitor-net".
2387
Willy Tarreau95cd2832010-03-04 23:36:33 +01002388 Last, please note that only one "monitor-net" statement can be specified in
2389 a frontend. If more than one is found, only the last one will be considered.
2390
Willy Tarreau2769aa02007-12-27 18:26:09 +01002391 Example :
2392 # addresses .252 and .253 are just probing us.
2393 frontend www
2394 monitor-net 192.168.0.252/31
2395
2396 See also : "monitor fail", "monitor-uri"
2397
2398
2399monitor-uri <uri>
2400 Intercept a URI used by external components' monitor requests
2401 May be used in sections : defaults | frontend | listen | backend
2402 yes | yes | yes | no
2403 Arguments :
2404 <uri> is the exact URI which we want to intercept to return HAProxy's
2405 health status instead of forwarding the request.
2406
2407 When an HTTP request referencing <uri> will be received on a frontend,
2408 HAProxy will not forward it nor log it, but instead will return either
2409 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2410 conditions defined with "monitor fail". This is normally enough for any
2411 front-end HTTP probe to detect that the service is UP and running without
2412 forwarding the request to a backend server. Note that the HTTP method, the
2413 version and all headers are ignored, but the request must at least be valid
2414 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2415
2416 Monitor requests are processed very early. It is not possible to block nor
2417 divert them using ACLs. They cannot be logged either, and it is the intended
2418 purpose. They are only used to report HAProxy's health to an upper component,
2419 nothing more. However, it is possible to add any number of conditions using
2420 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2421 can be imagined (most often the number of available servers in a backend).
2422
2423 Example :
2424 # Use /haproxy_test to report haproxy's status
2425 frontend www
2426 mode http
2427 monitor-uri /haproxy_test
2428
2429 See also : "monitor fail", "monitor-net"
2430
Willy Tarreau0ba27502007-12-24 16:55:16 +01002431
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002432option abortonclose
2433no option abortonclose
2434 Enable or disable early dropping of aborted requests pending in queues.
2435 May be used in sections : defaults | frontend | listen | backend
2436 yes | no | yes | yes
2437 Arguments : none
2438
2439 In presence of very high loads, the servers will take some time to respond.
2440 The per-instance connection queue will inflate, and the response time will
2441 increase respective to the size of the queue times the average per-session
2442 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002443 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002444 the queue, and slowing down other users, and the servers as well, because the
2445 request will eventually be served, then aborted at the first error
2446 encountered while delivering the response.
2447
2448 As there is no way to distinguish between a full STOP and a simple output
2449 close on the client side, HTTP agents should be conservative and consider
2450 that the client might only have closed its output channel while waiting for
2451 the response. However, this introduces risks of congestion when lots of users
2452 do the same, and is completely useless nowadays because probably no client at
2453 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002454 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002455 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002456 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002457 of being the single component to break rare but valid traffic is extremely
2458 low, which adds to the temptation to be able to abort a session early while
2459 still not served and not pollute the servers.
2460
2461 In HAProxy, the user can choose the desired behaviour using the option
2462 "abortonclose". By default (without the option) the behaviour is HTTP
2463 compliant and aborted requests will be served. But when the option is
2464 specified, a session with an incoming channel closed will be aborted while
2465 it is still possible, either pending in the queue for a connection slot, or
2466 during the connection establishment if the server has not yet acknowledged
2467 the connection request. This considerably reduces the queue size and the load
2468 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002469 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002470
2471 If this option has been enabled in a "defaults" section, it can be disabled
2472 in a specific instance by prepending the "no" keyword before it.
2473
2474 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2475
2476
Willy Tarreau4076a152009-04-02 15:18:36 +02002477option accept-invalid-http-request
2478no option accept-invalid-http-request
2479 Enable or disable relaxing of HTTP request parsing
2480 May be used in sections : defaults | frontend | listen | backend
2481 yes | yes | yes | no
2482 Arguments : none
2483
2484 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2485 means that invalid characters in header names are not permitted and cause an
2486 error to be returned to the client. This is the desired behaviour as such
2487 forbidden characters are essentially used to build attacks exploiting server
2488 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2489 server will emit invalid header names for whatever reason (configuration,
2490 implementation) and the issue will not be immediately fixed. In such a case,
2491 it is possible to relax HAProxy's header name parser to accept any character
2492 even if that does not make sense, by specifying this option.
2493
2494 This option should never be enabled by default as it hides application bugs
2495 and open security breaches. It should only be deployed after a problem has
2496 been confirmed.
2497
2498 When this option is enabled, erroneous header names will still be accepted in
2499 requests, but the complete request will be captured in order to permit later
2500 analysis using the "show errors" request on the UNIX stats socket. Doing this
2501 also helps confirming that the issue has been solved.
2502
2503 If this option has been enabled in a "defaults" section, it can be disabled
2504 in a specific instance by prepending the "no" keyword before it.
2505
2506 See also : "option accept-invalid-http-response" and "show errors" on the
2507 stats socket.
2508
2509
2510option accept-invalid-http-response
2511no option accept-invalid-http-response
2512 Enable or disable relaxing of HTTP response parsing
2513 May be used in sections : defaults | frontend | listen | backend
2514 yes | no | yes | yes
2515 Arguments : none
2516
2517 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2518 means that invalid characters in header names are not permitted and cause an
2519 error to be returned to the client. This is the desired behaviour as such
2520 forbidden characters are essentially used to build attacks exploiting server
2521 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2522 server will emit invalid header names for whatever reason (configuration,
2523 implementation) and the issue will not be immediately fixed. In such a case,
2524 it is possible to relax HAProxy's header name parser to accept any character
2525 even if that does not make sense, by specifying this option.
2526
2527 This option should never be enabled by default as it hides application bugs
2528 and open security breaches. It should only be deployed after a problem has
2529 been confirmed.
2530
2531 When this option is enabled, erroneous header names will still be accepted in
2532 responses, but the complete response will be captured in order to permit
2533 later analysis using the "show errors" request on the UNIX stats socket.
2534 Doing this also helps confirming that the issue has been solved.
2535
2536 If this option has been enabled in a "defaults" section, it can be disabled
2537 in a specific instance by prepending the "no" keyword before it.
2538
2539 See also : "option accept-invalid-http-request" and "show errors" on the
2540 stats socket.
2541
2542
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002543option allbackups
2544no option allbackups
2545 Use either all backup servers at a time or only the first one
2546 May be used in sections : defaults | frontend | listen | backend
2547 yes | no | yes | yes
2548 Arguments : none
2549
2550 By default, the first operational backup server gets all traffic when normal
2551 servers are all down. Sometimes, it may be preferred to use multiple backups
2552 at once, because one will not be enough. When "option allbackups" is enabled,
2553 the load balancing will be performed among all backup servers when all normal
2554 ones are unavailable. The same load balancing algorithm will be used and the
2555 servers' weights will be respected. Thus, there will not be any priority
2556 order between the backup servers anymore.
2557
2558 This option is mostly used with static server farms dedicated to return a
2559 "sorry" page when an application is completely offline.
2560
2561 If this option has been enabled in a "defaults" section, it can be disabled
2562 in a specific instance by prepending the "no" keyword before it.
2563
2564
2565option checkcache
2566no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002567 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002568 May be used in sections : defaults | frontend | listen | backend
2569 yes | no | yes | yes
2570 Arguments : none
2571
2572 Some high-level frameworks set application cookies everywhere and do not
2573 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002574 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002575 high risk of session crossing or stealing between users traversing the same
2576 caches. In some situations, it is better to block the response than to let
2577 some sensible session information go in the wild.
2578
2579 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002580 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002581 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002582 response to check if there's a risk of caching a cookie on a client-side
2583 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002584 to the client are :
2585 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002586 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002587 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002588 - all those that come from a POST request, provided that the server has not
2589 set a 'Cache-Control: public' header ;
2590 - those with a 'Pragma: no-cache' header
2591 - those with a 'Cache-control: private' header
2592 - those with a 'Cache-control: no-store' header
2593 - those with a 'Cache-control: max-age=0' header
2594 - those with a 'Cache-control: s-maxage=0' header
2595 - those with a 'Cache-control: no-cache' header
2596 - those with a 'Cache-control: no-cache="set-cookie"' header
2597 - those with a 'Cache-control: no-cache="set-cookie,' header
2598 (allowing other fields after set-cookie)
2599
2600 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002601 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002602 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002603 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002604 that admins are informed that there's something to be fixed.
2605
2606 Due to the high impact on the application, the application should be tested
2607 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002608 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002609 production, as it will report potentially dangerous application behaviours.
2610
2611 If this option has been enabled in a "defaults" section, it can be disabled
2612 in a specific instance by prepending the "no" keyword before it.
2613
2614
2615option clitcpka
2616no option clitcpka
2617 Enable or disable the sending of TCP keepalive packets on the client side
2618 May be used in sections : defaults | frontend | listen | backend
2619 yes | yes | yes | no
2620 Arguments : none
2621
2622 When there is a firewall or any session-aware component between a client and
2623 a server, and when the protocol involves very long sessions with long idle
2624 periods (eg: remote desktops), there is a risk that one of the intermediate
2625 components decides to expire a session which has remained idle for too long.
2626
2627 Enabling socket-level TCP keep-alives makes the system regularly send packets
2628 to the other end of the connection, leaving it active. The delay between
2629 keep-alive probes is controlled by the system only and depends both on the
2630 operating system and its tuning parameters.
2631
2632 It is important to understand that keep-alive packets are neither emitted nor
2633 received at the application level. It is only the network stacks which sees
2634 them. For this reason, even if one side of the proxy already uses keep-alives
2635 to maintain its connection alive, those keep-alive packets will not be
2636 forwarded to the other side of the proxy.
2637
2638 Please note that this has nothing to do with HTTP keep-alive.
2639
2640 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2641 client side of a connection, which should help when session expirations are
2642 noticed between HAProxy and a client.
2643
2644 If this option has been enabled in a "defaults" section, it can be disabled
2645 in a specific instance by prepending the "no" keyword before it.
2646
2647 See also : "option srvtcpka", "option tcpka"
2648
2649
Willy Tarreau0ba27502007-12-24 16:55:16 +01002650option contstats
2651 Enable continuous traffic statistics updates
2652 May be used in sections : defaults | frontend | listen | backend
2653 yes | yes | yes | no
2654 Arguments : none
2655
2656 By default, counters used for statistics calculation are incremented
2657 only when a session finishes. It works quite well when serving small
2658 objects, but with big ones (for example large images or archives) or
2659 with A/V streaming, a graph generated from haproxy counters looks like
2660 a hedgehog. With this option enabled counters get incremented continuously,
2661 during a whole session. Recounting touches a hotpath directly so
2662 it is not enabled by default, as it has small performance impact (~0.5%).
2663
2664
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002665option dontlog-normal
2666no option dontlog-normal
2667 Enable or disable logging of normal, successful connections
2668 May be used in sections : defaults | frontend | listen | backend
2669 yes | yes | yes | no
2670 Arguments : none
2671
2672 There are large sites dealing with several thousand connections per second
2673 and for which logging is a major pain. Some of them are even forced to turn
2674 logs off and cannot debug production issues. Setting this option ensures that
2675 normal connections, those which experience no error, no timeout, no retry nor
2676 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2677 mode, the response status code is checked and return codes 5xx will still be
2678 logged.
2679
2680 It is strongly discouraged to use this option as most of the time, the key to
2681 complex issues is in the normal logs which will not be logged here. If you
2682 need to separate logs, see the "log-separate-errors" option instead.
2683
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002684 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002685 logging.
2686
2687
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002688option dontlognull
2689no option dontlognull
2690 Enable or disable logging of null connections
2691 May be used in sections : defaults | frontend | listen | backend
2692 yes | yes | yes | no
2693 Arguments : none
2694
2695 In certain environments, there are components which will regularly connect to
2696 various systems to ensure that they are still alive. It can be the case from
2697 another load balancer as well as from monitoring systems. By default, even a
2698 simple port probe or scan will produce a log. If those connections pollute
2699 the logs too much, it is possible to enable option "dontlognull" to indicate
2700 that a connection on which no data has been transferred will not be logged,
2701 which typically corresponds to those probes.
2702
2703 It is generally recommended not to use this option in uncontrolled
2704 environments (eg: internet), otherwise scans and other malicious activities
2705 would not be logged.
2706
2707 If this option has been enabled in a "defaults" section, it can be disabled
2708 in a specific instance by prepending the "no" keyword before it.
2709
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002710 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002711
2712
2713option forceclose
2714no option forceclose
2715 Enable or disable active connection closing after response is transferred.
2716 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01002717 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002718 Arguments : none
2719
2720 Some HTTP servers do not necessarily close the connections when they receive
2721 the "Connection: close" set by "option httpclose", and if the client does not
2722 close either, then the connection remains open till the timeout expires. This
2723 causes high number of simultaneous connections on the servers and shows high
2724 global session times in the logs.
2725
2726 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01002727 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002728 to respond. This option implicitly enables the "httpclose" option. Note that
2729 this option also enables the parsing of the full request and response, which
2730 means we can close the connection to the server very quickly, releasing some
2731 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002732
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002733 This option may also be combined with "option http-pretend-keepalive", which
2734 will disable sending of the "Connection: close" header, but will still cause
2735 the connection to be closed once the whole response is received.
2736
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002737 If this option has been enabled in a "defaults" section, it can be disabled
2738 in a specific instance by prepending the "no" keyword before it.
2739
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002740 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002741
2742
Ross Westaf72a1d2008-08-03 10:51:45 +02002743option forwardfor [ except <network> ] [ header <name> ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002744 Enable insertion of the X-Forwarded-For header to requests sent to servers
2745 May be used in sections : defaults | frontend | listen | backend
2746 yes | yes | yes | yes
2747 Arguments :
2748 <network> is an optional argument used to disable this option for sources
2749 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02002750 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01002751 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002752
2753 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2754 their client address. This is sometimes annoying when the client's IP address
2755 is expected in server logs. To solve this problem, the well-known HTTP header
2756 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2757 This header contains a value representing the client's IP address. Since this
2758 header is always appended at the end of the existing header list, the server
2759 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02002760 the server's manual to find how to enable use of this standard header. Note
2761 that only the last occurrence of the header must be used, since it is really
2762 possible that the client has already brought one.
2763
Willy Tarreaud72758d2010-01-12 10:42:19 +01002764 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02002765 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01002766 have a "X-Forwarded-For" header from a different application (eg: stunnel),
2767 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02002768 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2769 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01002770
2771 Sometimes, a same HAProxy instance may be shared between a direct client
2772 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2773 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2774 header for a known source address or network by adding the "except" keyword
2775 followed by the network address. In this case, any source IP matching the
2776 network will not cause an addition of this header. Most common uses are with
2777 private networks or 127.0.0.1.
2778
2779 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02002780 least one of them uses it, the header will be added. Note that the backend's
2781 setting of the header subargument takes precedence over the frontend's if
2782 both are defined.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002783
2784 It is important to note that as long as HAProxy does not support keep-alive
2785 connections, only the first request of a connection will receive the header.
2786 For this reason, it is important to ensure that "option httpclose" is set
2787 when using this option.
2788
Ross Westaf72a1d2008-08-03 10:51:45 +02002789 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01002790 # Public HTTP address also used by stunnel on the same machine
2791 frontend www
2792 mode http
2793 option forwardfor except 127.0.0.1 # stunnel already adds the header
2794
Ross Westaf72a1d2008-08-03 10:51:45 +02002795 # Those servers want the IP Address in X-Client
2796 backend www
2797 mode http
2798 option forwardfor header X-Client
2799
Willy Tarreauc27debf2008-01-06 08:57:02 +01002800 See also : "option httpclose"
2801
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002802
2803option http-pretend-keepalive
2804no option http-pretend-keepalive
2805 Define whether haproxy will announce keepalive to the server or not
2806 May be used in sections : defaults | frontend | listen | backend
2807 yes | yes | yes | yes
2808 Arguments : none
2809
2810 When running with "option http-server-close" or "option forceclose", haproxy
2811 adds a "Connection: close" header to the request forwarded to the server.
2812 Unfortunately, when some servers see this header, they automatically refrain
2813 from using the chunked encoding for responses of unknown length, while this
2814 is totally unrelated. The immediate effect is that this prevents haproxy from
2815 maintaining the client connection alive. A second effect is that a client or
2816 a cache could receive an incomplete response without being aware of it, and
2817 consider the response complete.
2818
2819 By setting "option http-pretend-keepalive", haproxy will make the server
2820 believe it will keep the connection alive. The server will then not fall back
2821 to the abnormal undesired above. When haproxy gets the whole response, it
2822 will close the connection with the server just as it would do with the
2823 "forceclose" option. That way the client gets a normal response and the
2824 connection is correctly closed on the server side.
2825
2826 It is recommended not to enable this option by default, because most servers
2827 will more efficiently close the connection themselves after the last packet,
2828 and release its buffers slightly earlier. Also, the added packet on the
2829 network could slightly reduce the overall peak performance. However it is
2830 worth noting that when this option is enabled, haproxy will have slightly
2831 less work to do. So if haproxy is the bottleneck on the whole architecture,
2832 enabling this option might save a few CPU cycles.
2833
2834 This option may be set both in a frontend and in a backend. It is enabled if
2835 at least one of the frontend or backend holding a connection has it enabled.
2836 This option has no effect if it is combined with "option httpclose", which
2837 has precedence.
2838
2839 If this option has been enabled in a "defaults" section, it can be disabled
2840 in a specific instance by prepending the "no" keyword before it.
2841
2842 See also : "option forceclose" and "option http-server-close"
2843
Willy Tarreauc27debf2008-01-06 08:57:02 +01002844
Willy Tarreaub608feb2010-01-02 22:47:18 +01002845option http-server-close
2846no option http-server-close
2847 Enable or disable HTTP connection closing on the server side
2848 May be used in sections : defaults | frontend | listen | backend
2849 yes | yes | yes | yes
2850 Arguments : none
2851
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002852 By default, when a client communicates with a server, HAProxy will only
2853 analyze, log, and process the first request of each connection. Setting
2854 "option http-server-close" enables HTTP connection-close mode on the server
2855 side while keeping the ability to support HTTP keep-alive and pipelining on
2856 the client side. This provides the lowest latency on the client side (slow
2857 network) and the fastest session reuse on the server side to save server
2858 resources, similarly to "option forceclose". It also permits non-keepalive
2859 capable servers to be served in keep-alive mode to the clients if they
2860 conform to the requirements of RFC2616. Please note that some servers do not
2861 always conform to those requirements when they see "Connection: close" in the
2862 request. The effect will be that keep-alive will never be used. A workaround
2863 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002864
2865 At the moment, logs will not indicate whether requests came from the same
2866 session or not. The accept date reported in the logs corresponds to the end
2867 of the previous request, and the request time corresponds to the time spent
2868 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01002869 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2870 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01002871
2872 This option may be set both in a frontend and in a backend. It is enabled if
2873 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002874 It is worth noting that "option forceclose" has precedence over "option
2875 http-server-close" and that combining "http-server-close" with "httpclose"
2876 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002877
2878 If this option has been enabled in a "defaults" section, it can be disabled
2879 in a specific instance by prepending the "no" keyword before it.
2880
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002881 See also : "option forceclose", "option http-pretend-keepalive",
2882 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002883
2884
Willy Tarreau88d349d2010-01-25 12:15:43 +01002885option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01002886no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01002887 Make use of non-standard Proxy-Connection header instead of Connection
2888 May be used in sections : defaults | frontend | listen | backend
2889 yes | yes | yes | no
2890 Arguments : none
2891
2892 While RFC2616 explicitly states that HTTP/1.1 agents must use the
2893 Connection header to indicate their wish of persistent or non-persistent
2894 connections, both browsers and proxies ignore this header for proxied
2895 connections and make use of the undocumented, non-standard Proxy-Connection
2896 header instead. The issue begins when trying to put a load balancer between
2897 browsers and such proxies, because there will be a difference between what
2898 haproxy understands and what the client and the proxy agree on.
2899
2900 By setting this option in a frontend, haproxy can automatically switch to use
2901 that non-standard header if it sees proxied requests. A proxied request is
2902 defined here as one where the URI begins with neither a '/' nor a '*'. The
2903 choice of header only affects requests passing through proxies making use of
2904 one of the "httpclose", "forceclose" and "http-server-close" options. Note
2905 that this option can only be specified in a frontend and will affect the
2906 request along its whole life.
2907
Willy Tarreau844a7e72010-01-31 21:46:18 +01002908 Also, when this option is set, a request which requires authentication will
2909 automatically switch to use proxy authentication headers if it is itself a
2910 proxied request. That makes it possible to check or enforce authentication in
2911 front of an existing proxy.
2912
Willy Tarreau88d349d2010-01-25 12:15:43 +01002913 This option should normally never be used, except in front of a proxy.
2914
2915 See also : "option httpclose", "option forceclose" and "option
2916 http-server-close".
2917
2918
Willy Tarreaud63335a2010-02-26 12:56:52 +01002919option httpchk
2920option httpchk <uri>
2921option httpchk <method> <uri>
2922option httpchk <method> <uri> <version>
2923 Enable HTTP protocol to check on the servers health
2924 May be used in sections : defaults | frontend | listen | backend
2925 yes | no | yes | yes
2926 Arguments :
2927 <method> is the optional HTTP method used with the requests. When not set,
2928 the "OPTIONS" method is used, as it generally requires low server
2929 processing and is easy to filter out from the logs. Any method
2930 may be used, though it is not recommended to invent non-standard
2931 ones.
2932
2933 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
2934 which is accessible by default on almost any server, but may be
2935 changed to any other URI. Query strings are permitted.
2936
2937 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
2938 but some servers might behave incorrectly in HTTP 1.0, so turning
2939 it to HTTP/1.1 may sometimes help. Note that the Host field is
2940 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
2941 after "\r\n" following the version string.
2942
2943 By default, server health checks only consist in trying to establish a TCP
2944 connection. When "option httpchk" is specified, a complete HTTP request is
2945 sent once the TCP connection is established, and responses 2xx and 3xx are
2946 considered valid, while all other ones indicate a server failure, including
2947 the lack of any response.
2948
2949 The port and interval are specified in the server configuration.
2950
2951 This option does not necessarily require an HTTP backend, it also works with
2952 plain TCP backends. This is particularly useful to check simple scripts bound
2953 to some dedicated ports using the inetd daemon.
2954
2955 Examples :
2956 # Relay HTTPS traffic to Apache instance and check service availability
2957 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
2958 backend https_relay
2959 mode tcp
2960 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
2961 server apache1 192.168.1.1:443 check port 80
2962
2963 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
2964 "http-check" and the "check", "port" and "inter" server options.
2965
2966
Willy Tarreauc27debf2008-01-06 08:57:02 +01002967option httpclose
2968no option httpclose
2969 Enable or disable passive HTTP connection closing
2970 May be used in sections : defaults | frontend | listen | backend
2971 yes | yes | yes | yes
2972 Arguments : none
2973
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002974 By default, when a client communicates with a server, HAProxy will only
2975 analyze, log, and process the first request of each connection. If "option
2976 httpclose" is set, it will check if a "Connection: close" header is already
2977 set in each direction, and will add one if missing. Each end should react to
2978 this by actively closing the TCP connection after each transfer, thus
2979 resulting in a switch to the HTTP close mode. Any "Connection" header
2980 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002981
2982 It seldom happens that some servers incorrectly ignore this header and do not
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002983 close the connection eventhough they reply "Connection: close". For this
2984 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2985 it is possible to use the "option forceclose" which actively closes the
2986 request connection once the server responds. Option "forceclose" also
2987 releases the server connection earlier because it does not have to wait for
2988 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002989
2990 This option may be set both in a frontend and in a backend. It is enabled if
2991 at least one of the frontend or backend holding a connection has it enabled.
2992 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002993 If "option http-server-close" is enabled at the same time as "httpclose", it
2994 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01002995
2996 If this option has been enabled in a "defaults" section, it can be disabled
2997 in a specific instance by prepending the "no" keyword before it.
2998
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002999 See also : "option forceclose", "option http-server-close" and
3000 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003001
3002
Emeric Brun3a058f32009-06-30 18:26:00 +02003003option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003004 Enable logging of HTTP request, session state and timers
3005 May be used in sections : defaults | frontend | listen | backend
3006 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003007 Arguments :
3008 clf if the "clf" argument is added, then the output format will be
3009 the CLF format instead of HAProxy's default HTTP format. You can
3010 use this when you need to feed HAProxy's logs through a specific
3011 log analyser which only support the CLF format and which is not
3012 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003013
3014 By default, the log output format is very poor, as it only contains the
3015 source and destination addresses, and the instance name. By specifying
3016 "option httplog", each log line turns into a much richer format including,
3017 but not limited to, the HTTP request, the connection timers, the session
3018 status, the connections numbers, the captured headers and cookies, the
3019 frontend, backend and server name, and of course the source address and
3020 ports.
3021
3022 This option may be set either in the frontend or the backend.
3023
Emeric Brun3a058f32009-06-30 18:26:00 +02003024 If this option has been enabled in a "defaults" section, it can be disabled
3025 in a specific instance by prepending the "no" keyword before it. Specifying
3026 only "option httplog" will automatically clear the 'clf' mode if it was set
3027 by default.
3028
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003029 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003030
Willy Tarreau55165fe2009-05-10 12:02:55 +02003031
3032option http_proxy
3033no option http_proxy
3034 Enable or disable plain HTTP proxy mode
3035 May be used in sections : defaults | frontend | listen | backend
3036 yes | yes | yes | yes
3037 Arguments : none
3038
3039 It sometimes happens that people need a pure HTTP proxy which understands
3040 basic proxy requests without caching nor any fancy feature. In this case,
3041 it may be worth setting up an HAProxy instance with the "option http_proxy"
3042 set. In this mode, no server is declared, and the connection is forwarded to
3043 the IP address and port found in the URL after the "http://" scheme.
3044
3045 No host address resolution is performed, so this only works when pure IP
3046 addresses are passed. Since this option's usage perimeter is rather limited,
3047 it will probably be used only by experts who know they need exactly it. Last,
3048 if the clients are susceptible of sending keep-alive requests, it will be
3049 needed to add "option http_close" to ensure that all requests will correctly
3050 be analyzed.
3051
3052 If this option has been enabled in a "defaults" section, it can be disabled
3053 in a specific instance by prepending the "no" keyword before it.
3054
3055 Example :
3056 # this backend understands HTTP proxy requests and forwards them directly.
3057 backend direct_forward
3058 option httpclose
3059 option http_proxy
3060
3061 See also : "option httpclose"
3062
Willy Tarreau211ad242009-10-03 21:45:07 +02003063
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02003064option ignore-persist { if | unless } <condition>
3065 Declare a condition to ignore persistence
3066 May be used in sections: defaults | frontend | listen | backend
3067 no | yes | yes | yes
3068
3069 By default, when cookie persistence is enabled, every requests containing
3070 the cookie are unconditionally persistent (assuming the target server is up
3071 and running).
3072
3073 The "ignore-persist" statement allows one to declare various ACL-based
3074 conditions which, when met, will cause a request to ignore persistence.
3075 This is sometimes useful to load balance requests for static files, which
3076 oftenly don't require persistence. This can also be used to fully disable
3077 persistence for a specific User-Agent (for example, some web crawler bots).
3078
3079 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3080 the appsession table won't grow if persistence is ignored.
3081
3082 The persistence is ignored when an "if" condition is met, or unless an
3083 "unless" condition is met.
3084
3085 See also : "option force-persist", "cookie", and section 7 about ACL usage.
3086
3087
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003088option independant-streams
3089no option independant-streams
3090 Enable or disable independant timeout processing for both directions
3091 May be used in sections : defaults | frontend | listen | backend
3092 yes | yes | yes | yes
3093 Arguments : none
3094
3095 By default, when data is sent over a socket, both the write timeout and the
3096 read timeout for that socket are refreshed, because we consider that there is
3097 activity on that socket, and we have no other means of guessing if we should
3098 receive data or not.
3099
3100 While this default behaviour is desirable for almost all applications, there
3101 exists a situation where it is desirable to disable it, and only refresh the
3102 read timeout if there are incoming data. This happens on sessions with large
3103 timeouts and low amounts of exchanged data such as telnet session. If the
3104 server suddenly disappears, the output data accumulates in the system's
3105 socket buffers, both timeouts are correctly refreshed, and there is no way
3106 to know the server does not receive them, so we don't timeout. However, when
3107 the underlying protocol always echoes sent data, it would be enough by itself
3108 to detect the issue using the read timeout. Note that this problem does not
3109 happen with more verbose protocols because data won't accumulate long in the
3110 socket buffers.
3111
3112 When this option is set on the frontend, it will disable read timeout updates
3113 on data sent to the client. There probably is little use of this case. When
3114 the option is set on the backend, it will disable read timeout updates on
3115 data sent to the server. Doing so will typically break large HTTP posts from
3116 slow lines, so use it with caution.
3117
3118 See also : "timeout client" and "timeout server"
3119
3120
Willy Tarreau211ad242009-10-03 21:45:07 +02003121option log-health-checks
3122no option log-health-checks
3123 Enable or disable logging of health checks
3124 May be used in sections : defaults | frontend | listen | backend
3125 yes | no | yes | yes
3126 Arguments : none
3127
3128 Enable health checks logging so it possible to check for example what
3129 was happening before a server crash. Failed health check are logged if
3130 server is UP and succeeded health checks if server is DOWN, so the amount
3131 of additional information is limited.
3132
3133 If health check logging is enabled no health check status is printed
3134 when servers is set up UP/DOWN/ENABLED/DISABLED.
3135
3136 See also: "log" and section 8 about logging.
3137
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003138
3139option log-separate-errors
3140no option log-separate-errors
3141 Change log level for non-completely successful connections
3142 May be used in sections : defaults | frontend | listen | backend
3143 yes | yes | yes | no
3144 Arguments : none
3145
3146 Sometimes looking for errors in logs is not easy. This option makes haproxy
3147 raise the level of logs containing potentially interesting information such
3148 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3149 level changes from "info" to "err". This makes it possible to log them
3150 separately to a different file with most syslog daemons. Be careful not to
3151 remove them from the original file, otherwise you would lose ordering which
3152 provides very important information.
3153
3154 Using this option, large sites dealing with several thousand connections per
3155 second may log normal traffic to a rotating buffer and only archive smaller
3156 error logs.
3157
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003158 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003159 logging.
3160
Willy Tarreauc27debf2008-01-06 08:57:02 +01003161
3162option logasap
3163no option logasap
3164 Enable or disable early logging of HTTP requests
3165 May be used in sections : defaults | frontend | listen | backend
3166 yes | yes | yes | no
3167 Arguments : none
3168
3169 By default, HTTP requests are logged upon termination so that the total
3170 transfer time and the number of bytes appear in the logs. When large objects
3171 are being transferred, it may take a while before the request appears in the
3172 logs. Using "option logasap", the request gets logged as soon as the server
3173 sends the complete headers. The only missing information in the logs will be
3174 the total number of bytes which will indicate everything except the amount
3175 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003176 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003177 "Content-Length" response header so that the logs at least indicate how many
3178 bytes are expected to be transferred.
3179
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003180 Examples :
3181 listen http_proxy 0.0.0.0:80
3182 mode http
3183 option httplog
3184 option logasap
3185 log 192.168.2.200 local3
3186
3187 >>> Feb 6 12:14:14 localhost \
3188 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3189 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3190 "GET /image.iso HTTP/1.0"
3191
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003192 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003193 logging.
3194
3195
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003196option mysql-check
3197 Use Mysql health checks for server testing
3198 May be used in sections : defaults | frontend | listen | backend
3199 yes | no | yes | yes
3200 Arguments : none
3201
3202 The check consists in parsing Mysql Handshake Initialisation packet or Error
3203 packet, which is sent by MySQL server on connect. It is a basic but useful
3204 test which does not produce any logging on the server. However, it does not
3205 check database presence nor database consistency, nor user permission to
3206 access. To do this, you can use an external check with xinetd for example.
3207
3208 Most often, an incoming MySQL server needs to see the client's IP address for
3209 various purposes, including IP privilege matching and connection logging.
3210 When possible, it is often wise to masquerade the client's IP address when
3211 connecting to the server using the "usesrc" argument of the "source" keyword,
3212 which requires the cttproxy feature to be compiled in, and the MySQL server
3213 to route the client via the machine hosting haproxy.
3214
3215 See also: "option httpchk"
3216
3217
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003218option nolinger
3219no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003220 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003221 May be used in sections: defaults | frontend | listen | backend
3222 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003223 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003224
3225 When clients or servers abort connections in a dirty way (eg: they are
3226 physically disconnected), the session timeouts triggers and the session is
3227 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3228 using some resources and possibly limiting the ability to establish newer
3229 connections.
3230
3231 When this happens, it is possible to activate "option nolinger" which forces
3232 the system to immediately remove any socket's pending data on close. Thus,
3233 the session is instantly purged from the system's tables. This usually has
3234 side effects such as increased number of TCP resets due to old retransmits
3235 getting immediately rejected. Some firewalls may sometimes complain about
3236 this too.
3237
3238 For this reason, it is not recommended to use this option when not absolutely
3239 needed. You know that you need it when you have thousands of FIN_WAIT1
3240 sessions on your system (TIME_WAIT ones do not count).
3241
3242 This option may be used both on frontends and backends, depending on the side
3243 where it is required. Use it on the frontend for clients, and on the backend
3244 for servers.
3245
3246 If this option has been enabled in a "defaults" section, it can be disabled
3247 in a specific instance by prepending the "no" keyword before it.
3248
3249
Willy Tarreau55165fe2009-05-10 12:02:55 +02003250option originalto [ except <network> ] [ header <name> ]
3251 Enable insertion of the X-Original-To header to requests sent to servers
3252 May be used in sections : defaults | frontend | listen | backend
3253 yes | yes | yes | yes
3254 Arguments :
3255 <network> is an optional argument used to disable this option for sources
3256 matching <network>
3257 <name> an optional argument to specify a different "X-Original-To"
3258 header name.
3259
3260 Since HAProxy can work in transparent mode, every request from a client can
3261 be redirected to the proxy and HAProxy itself can proxy every request to a
3262 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3263 be lost. This is annoying when you want access rules based on destination ip
3264 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3265 added by HAProxy to all requests sent to the server. This header contains a
3266 value representing the original destination IP address. Since this must be
3267 configured to always use the last occurrence of this header only. Note that
3268 only the last occurrence of the header must be used, since it is really
3269 possible that the client has already brought one.
3270
3271 The keyword "header" may be used to supply a different header name to replace
3272 the default "X-Original-To". This can be useful where you might already
3273 have a "X-Original-To" header from a different application, and you need
3274 preserve it. Also if your backend server doesn't use the "X-Original-To"
3275 header and requires different one.
3276
3277 Sometimes, a same HAProxy instance may be shared between a direct client
3278 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3279 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3280 header for a known source address or network by adding the "except" keyword
3281 followed by the network address. In this case, any source IP matching the
3282 network will not cause an addition of this header. Most common uses are with
3283 private networks or 127.0.0.1.
3284
3285 This option may be specified either in the frontend or in the backend. If at
3286 least one of them uses it, the header will be added. Note that the backend's
3287 setting of the header subargument takes precedence over the frontend's if
3288 both are defined.
3289
3290 It is important to note that as long as HAProxy does not support keep-alive
3291 connections, only the first request of a connection will receive the header.
3292 For this reason, it is important to ensure that "option httpclose" is set
3293 when using this option.
3294
3295 Examples :
3296 # Original Destination address
3297 frontend www
3298 mode http
3299 option originalto except 127.0.0.1
3300
3301 # Those servers want the IP Address in X-Client-Dst
3302 backend www
3303 mode http
3304 option originalto header X-Client-Dst
3305
3306 See also : "option httpclose"
3307
3308
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003309option persist
3310no option persist
3311 Enable or disable forced persistence on down servers
3312 May be used in sections: defaults | frontend | listen | backend
3313 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003314 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003315
3316 When an HTTP request reaches a backend with a cookie which references a dead
3317 server, by default it is redispatched to another server. It is possible to
3318 force the request to be sent to the dead server first using "option persist"
3319 if absolutely needed. A common use case is when servers are under extreme
3320 load and spend their time flapping. In this case, the users would still be
3321 directed to the server they opened the session on, in the hope they would be
3322 correctly served. It is recommended to use "option redispatch" in conjunction
3323 with this option so that in the event it would not be possible to connect to
3324 the server at all (server definitely dead), the client would finally be
3325 redirected to another valid server.
3326
3327 If this option has been enabled in a "defaults" section, it can be disabled
3328 in a specific instance by prepending the "no" keyword before it.
3329
Willy Tarreau4de91492010-01-22 19:10:05 +01003330 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003331
3332
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003333option redispatch
3334no option redispatch
3335 Enable or disable session redistribution in case of connection failure
3336 May be used in sections: defaults | frontend | listen | backend
3337 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003338 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003339
3340 In HTTP mode, if a server designated by a cookie is down, clients may
3341 definitely stick to it because they cannot flush the cookie, so they will not
3342 be able to access the service anymore.
3343
3344 Specifying "option redispatch" will allow the proxy to break their
3345 persistence and redistribute them to a working server.
3346
3347 It also allows to retry last connection to another server in case of multiple
3348 connection failures. Of course, it requires having "retries" set to a nonzero
3349 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003350
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003351 This form is the preferred form, which replaces both the "redispatch" and
3352 "redisp" keywords.
3353
3354 If this option has been enabled in a "defaults" section, it can be disabled
3355 in a specific instance by prepending the "no" keyword before it.
3356
Willy Tarreau4de91492010-01-22 19:10:05 +01003357 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003358
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003359
3360option smtpchk
3361option smtpchk <hello> <domain>
3362 Use SMTP health checks for server testing
3363 May be used in sections : defaults | frontend | listen | backend
3364 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003365 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003366 <hello> is an optional argument. It is the "hello" command to use. It can
3367 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3368 values will be turned into the default command ("HELO").
3369
3370 <domain> is the domain name to present to the server. It may only be
3371 specified (and is mandatory) if the hello command has been
3372 specified. By default, "localhost" is used.
3373
3374 When "option smtpchk" is set, the health checks will consist in TCP
3375 connections followed by an SMTP command. By default, this command is
3376 "HELO localhost". The server's return code is analyzed and only return codes
3377 starting with a "2" will be considered as valid. All other responses,
3378 including a lack of response will constitute an error and will indicate a
3379 dead server.
3380
3381 This test is meant to be used with SMTP servers or relays. Depending on the
3382 request, it is possible that some servers do not log each connection attempt,
3383 so you may want to experiment to improve the behaviour. Using telnet on port
3384 25 is often easier than adjusting the configuration.
3385
3386 Most often, an incoming SMTP server needs to see the client's IP address for
3387 various purposes, including spam filtering, anti-spoofing and logging. When
3388 possible, it is often wise to masquerade the client's IP address when
3389 connecting to the server using the "usesrc" argument of the "source" keyword,
3390 which requires the cttproxy feature to be compiled in.
3391
3392 Example :
3393 option smtpchk HELO mydomain.org
3394
3395 See also : "option httpchk", "source"
3396
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003397
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003398option socket-stats
3399no option socket-stats
3400
3401 Enable or disable collecting & providing separate statistics for each socket.
3402 May be used in sections : defaults | frontend | listen | backend
3403 yes | yes | yes | no
3404
3405 Arguments : none
3406
3407
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003408option splice-auto
3409no option splice-auto
3410 Enable or disable automatic kernel acceleration on sockets in both directions
3411 May be used in sections : defaults | frontend | listen | backend
3412 yes | yes | yes | yes
3413 Arguments : none
3414
3415 When this option is enabled either on a frontend or on a backend, haproxy
3416 will automatically evaluate the opportunity to use kernel tcp splicing to
3417 forward data between the client and the server, in either direction. Haproxy
3418 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003419 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003420 are not much aggressive in order to limit excessive use of splicing. This
3421 option requires splicing to be enabled at compile time, and may be globally
3422 disabled with the global option "nosplice". Since splice uses pipes, using it
3423 requires that there are enough spare pipes.
3424
3425 Important note: kernel-based TCP splicing is a Linux-specific feature which
3426 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3427 transfer data between sockets without copying these data to user-space, thus
3428 providing noticeable performance gains and CPU cycles savings. Since many
3429 early implementations are buggy, corrupt data and/or are inefficient, this
3430 feature is not enabled by default, and it should be used with extreme care.
3431 While it is not possible to detect the correctness of an implementation,
3432 2.6.29 is the first version offering a properly working implementation. In
3433 case of doubt, splicing may be globally disabled using the global "nosplice"
3434 keyword.
3435
3436 Example :
3437 option splice-auto
3438
3439 If this option has been enabled in a "defaults" section, it can be disabled
3440 in a specific instance by prepending the "no" keyword before it.
3441
3442 See also : "option splice-request", "option splice-response", and global
3443 options "nosplice" and "maxpipes"
3444
3445
3446option splice-request
3447no option splice-request
3448 Enable or disable automatic kernel acceleration on sockets for requests
3449 May be used in sections : defaults | frontend | listen | backend
3450 yes | yes | yes | yes
3451 Arguments : none
3452
3453 When this option is enabled either on a frontend or on a backend, haproxy
3454 will user kernel tcp splicing whenever possible to forward data going from
3455 the client to the server. It might still use the recv/send scheme if there
3456 are no spare pipes left. This option requires splicing to be enabled at
3457 compile time, and may be globally disabled with the global option "nosplice".
3458 Since splice uses pipes, using it requires that there are enough spare pipes.
3459
3460 Important note: see "option splice-auto" for usage limitations.
3461
3462 Example :
3463 option splice-request
3464
3465 If this option has been enabled in a "defaults" section, it can be disabled
3466 in a specific instance by prepending the "no" keyword before it.
3467
3468 See also : "option splice-auto", "option splice-response", and global options
3469 "nosplice" and "maxpipes"
3470
3471
3472option splice-response
3473no option splice-response
3474 Enable or disable automatic kernel acceleration on sockets for responses
3475 May be used in sections : defaults | frontend | listen | backend
3476 yes | yes | yes | yes
3477 Arguments : none
3478
3479 When this option is enabled either on a frontend or on a backend, haproxy
3480 will user kernel tcp splicing whenever possible to forward data going from
3481 the server to the client. It might still use the recv/send scheme if there
3482 are no spare pipes left. This option requires splicing to be enabled at
3483 compile time, and may be globally disabled with the global option "nosplice".
3484 Since splice uses pipes, using it requires that there are enough spare pipes.
3485
3486 Important note: see "option splice-auto" for usage limitations.
3487
3488 Example :
3489 option splice-response
3490
3491 If this option has been enabled in a "defaults" section, it can be disabled
3492 in a specific instance by prepending the "no" keyword before it.
3493
3494 See also : "option splice-auto", "option splice-request", and global options
3495 "nosplice" and "maxpipes"
3496
3497
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003498option srvtcpka
3499no option srvtcpka
3500 Enable or disable the sending of TCP keepalive packets on the server side
3501 May be used in sections : defaults | frontend | listen | backend
3502 yes | no | yes | yes
3503 Arguments : none
3504
3505 When there is a firewall or any session-aware component between a client and
3506 a server, and when the protocol involves very long sessions with long idle
3507 periods (eg: remote desktops), there is a risk that one of the intermediate
3508 components decides to expire a session which has remained idle for too long.
3509
3510 Enabling socket-level TCP keep-alives makes the system regularly send packets
3511 to the other end of the connection, leaving it active. The delay between
3512 keep-alive probes is controlled by the system only and depends both on the
3513 operating system and its tuning parameters.
3514
3515 It is important to understand that keep-alive packets are neither emitted nor
3516 received at the application level. It is only the network stacks which sees
3517 them. For this reason, even if one side of the proxy already uses keep-alives
3518 to maintain its connection alive, those keep-alive packets will not be
3519 forwarded to the other side of the proxy.
3520
3521 Please note that this has nothing to do with HTTP keep-alive.
3522
3523 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
3524 server side of a connection, which should help when session expirations are
3525 noticed between HAProxy and a server.
3526
3527 If this option has been enabled in a "defaults" section, it can be disabled
3528 in a specific instance by prepending the "no" keyword before it.
3529
3530 See also : "option clitcpka", "option tcpka"
3531
3532
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003533option ssl-hello-chk
3534 Use SSLv3 client hello health checks for server testing
3535 May be used in sections : defaults | frontend | listen | backend
3536 yes | no | yes | yes
3537 Arguments : none
3538
3539 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
3540 possible to test that the server correctly talks SSL instead of just testing
3541 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
3542 SSLv3 client hello messages are sent once the connection is established to
3543 the server, and the response is analyzed to find an SSL server hello message.
3544 The server is considered valid only when the response contains this server
3545 hello message.
3546
3547 All servers tested till there correctly reply to SSLv3 client hello messages,
3548 and most servers tested do not even log the requests containing only hello
3549 messages, which is appreciable.
3550
3551 See also: "option httpchk"
3552
3553
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003554option tcp-smart-accept
3555no option tcp-smart-accept
3556 Enable or disable the saving of one ACK packet during the accept sequence
3557 May be used in sections : defaults | frontend | listen | backend
3558 yes | yes | yes | no
3559 Arguments : none
3560
3561 When an HTTP connection request comes in, the system acknowledges it on
3562 behalf of HAProxy, then the client immediately sends its request, and the
3563 system acknowledges it too while it is notifying HAProxy about the new
3564 connection. HAProxy then reads the request and responds. This means that we
3565 have one TCP ACK sent by the system for nothing, because the request could
3566 very well be acknowledged by HAProxy when it sends its response.
3567
3568 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
3569 sending this useless ACK on platforms which support it (currently at least
3570 Linux). It must not cause any problem, because the system will send it anyway
3571 after 40 ms if the response takes more time than expected to come.
3572
3573 During complex network debugging sessions, it may be desirable to disable
3574 this optimization because delayed ACKs can make troubleshooting more complex
3575 when trying to identify where packets are delayed. It is then possible to
3576 fall back to normal behaviour by specifying "no option tcp-smart-accept".
3577
3578 It is also possible to force it for non-HTTP proxies by simply specifying
3579 "option tcp-smart-accept". For instance, it can make sense with some services
3580 such as SMTP where the server speaks first.
3581
3582 It is recommended to avoid forcing this option in a defaults section. In case
3583 of doubt, consider setting it back to automatic values by prepending the
3584 "default" keyword before it, or disabling it using the "no" keyword.
3585
Willy Tarreaud88edf22009-06-14 15:48:17 +02003586 See also : "option tcp-smart-connect"
3587
3588
3589option tcp-smart-connect
3590no option tcp-smart-connect
3591 Enable or disable the saving of one ACK packet during the connect sequence
3592 May be used in sections : defaults | frontend | listen | backend
3593 yes | no | yes | yes
3594 Arguments : none
3595
3596 On certain systems (at least Linux), HAProxy can ask the kernel not to
3597 immediately send an empty ACK upon a connection request, but to directly
3598 send the buffer request instead. This saves one packet on the network and
3599 thus boosts performance. It can also be useful for some servers, because they
3600 immediately get the request along with the incoming connection.
3601
3602 This feature is enabled when "option tcp-smart-connect" is set in a backend.
3603 It is not enabled by default because it makes network troubleshooting more
3604 complex.
3605
3606 It only makes sense to enable it with protocols where the client speaks first
3607 such as HTTP. In other situations, if there is no data to send in place of
3608 the ACK, a normal ACK is sent.
3609
3610 If this option has been enabled in a "defaults" section, it can be disabled
3611 in a specific instance by prepending the "no" keyword before it.
3612
3613 See also : "option tcp-smart-accept"
3614
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003615
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003616option tcpka
3617 Enable or disable the sending of TCP keepalive packets on both sides
3618 May be used in sections : defaults | frontend | listen | backend
3619 yes | yes | yes | yes
3620 Arguments : none
3621
3622 When there is a firewall or any session-aware component between a client and
3623 a server, and when the protocol involves very long sessions with long idle
3624 periods (eg: remote desktops), there is a risk that one of the intermediate
3625 components decides to expire a session which has remained idle for too long.
3626
3627 Enabling socket-level TCP keep-alives makes the system regularly send packets
3628 to the other end of the connection, leaving it active. The delay between
3629 keep-alive probes is controlled by the system only and depends both on the
3630 operating system and its tuning parameters.
3631
3632 It is important to understand that keep-alive packets are neither emitted nor
3633 received at the application level. It is only the network stacks which sees
3634 them. For this reason, even if one side of the proxy already uses keep-alives
3635 to maintain its connection alive, those keep-alive packets will not be
3636 forwarded to the other side of the proxy.
3637
3638 Please note that this has nothing to do with HTTP keep-alive.
3639
3640 Using option "tcpka" enables the emission of TCP keep-alive probes on both
3641 the client and server sides of a connection. Note that this is meaningful
3642 only in "defaults" or "listen" sections. If this option is used in a
3643 frontend, only the client side will get keep-alives, and if this option is
3644 used in a backend, only the server side will get keep-alives. For this
3645 reason, it is strongly recommended to explicitly use "option clitcpka" and
3646 "option srvtcpka" when the configuration is split between frontends and
3647 backends.
3648
3649 See also : "option clitcpka", "option srvtcpka"
3650
Willy Tarreau844e3c52008-01-11 16:28:18 +01003651
3652option tcplog
3653 Enable advanced logging of TCP connections with session state and timers
3654 May be used in sections : defaults | frontend | listen | backend
3655 yes | yes | yes | yes
3656 Arguments : none
3657
3658 By default, the log output format is very poor, as it only contains the
3659 source and destination addresses, and the instance name. By specifying
3660 "option tcplog", each log line turns into a much richer format including, but
3661 not limited to, the connection timers, the session status, the connections
3662 numbers, the frontend, backend and server name, and of course the source
3663 address and ports. This option is useful for pure TCP proxies in order to
3664 find which of the client or server disconnects or times out. For normal HTTP
3665 proxies, it's better to use "option httplog" which is even more complete.
3666
3667 This option may be set either in the frontend or the backend.
3668
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003669 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003670
3671
Willy Tarreau844e3c52008-01-11 16:28:18 +01003672option transparent
3673no option transparent
3674 Enable client-side transparent proxying
3675 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01003676 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01003677 Arguments : none
3678
3679 This option was introduced in order to provide layer 7 persistence to layer 3
3680 load balancers. The idea is to use the OS's ability to redirect an incoming
3681 connection for a remote address to a local process (here HAProxy), and let
3682 this process know what address was initially requested. When this option is
3683 used, sessions without cookies will be forwarded to the original destination
3684 IP address of the incoming request (which should match that of another
3685 equipment), while requests with cookies will still be forwarded to the
3686 appropriate server.
3687
3688 Note that contrary to a common belief, this option does NOT make HAProxy
3689 present the client's IP to the server when establishing the connection.
3690
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003691 See also: the "usersrc" argument of the "source" keyword, and the
3692 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003693
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003694
Emeric Brun647caf12009-06-30 17:57:00 +02003695persist rdp-cookie
3696persist rdp-cookie(name)
3697 Enable RDP cookie-based persistence
3698 May be used in sections : defaults | frontend | listen | backend
3699 yes | no | yes | yes
3700 Arguments :
3701 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02003702 default cookie name "msts" will be used. There currently is no
3703 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02003704
3705 This statement enables persistence based on an RDP cookie. The RDP cookie
3706 contains all information required to find the server in the list of known
3707 servers. So when this option is set in the backend, the request is analysed
3708 and if an RDP cookie is found, it is decoded. If it matches a known server
3709 which is still UP (or if "option persist" is set), then the connection is
3710 forwarded to this server.
3711
3712 Note that this only makes sense in a TCP backend, but for this to work, the
3713 frontend must have waited long enough to ensure that an RDP cookie is present
3714 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003715 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02003716 a single "listen" section.
3717
Willy Tarreau61e28f22010-05-16 22:31:05 +02003718 Also, it is important to understand that the terminal server will emit this
3719 RDP cookie only if it is configured for "token redirection mode", which means
3720 that the "IP address redirection" option is disabled.
3721
Emeric Brun647caf12009-06-30 17:57:00 +02003722 Example :
3723 listen tse-farm
3724 bind :3389
3725 # wait up to 5s for an RDP cookie in the request
3726 tcp-request inspect-delay 5s
3727 tcp-request content accept if RDP_COOKIE
3728 # apply RDP cookie persistence
3729 persist rdp-cookie
3730 # if server is unknown, let's balance on the same cookie.
3731 # alternatively, "balance leastconn" may be useful too.
3732 balance rdp-cookie
3733 server srv1 1.1.1.1:3389
3734 server srv2 1.1.1.2:3389
3735
3736 See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
3737
3738
Willy Tarreau3a7d2072009-03-05 23:48:25 +01003739rate-limit sessions <rate>
3740 Set a limit on the number of new sessions accepted per second on a frontend
3741 May be used in sections : defaults | frontend | listen | backend
3742 yes | yes | yes | no
3743 Arguments :
3744 <rate> The <rate> parameter is an integer designating the maximum number
3745 of new sessions per second to accept on the frontend.
3746
3747 When the frontend reaches the specified number of new sessions per second, it
3748 stops accepting new connections until the rate drops below the limit again.
3749 During this time, the pending sessions will be kept in the socket's backlog
3750 (in system buffers) and haproxy will not even be aware that sessions are
3751 pending. When applying very low limit on a highly loaded service, it may make
3752 sense to increase the socket's backlog using the "backlog" keyword.
3753
3754 This feature is particularly efficient at blocking connection-based attacks
3755 or service abuse on fragile servers. Since the session rate is measured every
3756 millisecond, it is extremely accurate. Also, the limit applies immediately,
3757 no delay is needed at all to detect the threshold.
3758
3759 Example : limit the connection rate on SMTP to 10 per second max
3760 listen smtp
3761 mode tcp
3762 bind :25
3763 rate-limit sessions 10
3764 server 127.0.0.1:1025
3765
3766 Note : when the maximum rate is reached, the frontend's status appears as
3767 "FULL" in the statistics, exactly as when it is saturated.
3768
3769 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
3770
3771
Willy Tarreauf285f542010-01-03 20:03:03 +01003772redirect location <to> [code <code>] <option> [{if | unless} <condition>]
3773redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003774 Return an HTTP redirection if/unless a condition is matched
3775 May be used in sections : defaults | frontend | listen | backend
3776 no | yes | yes | yes
3777
3778 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01003779 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003780
Willy Tarreau0140f252008-11-19 21:07:09 +01003781 Arguments :
3782 <to> With "redirect location", the exact value in <to> is placed into
3783 the HTTP "Location" header. In case of "redirect prefix", the
3784 "Location" header is built from the concatenation of <to> and the
3785 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01003786 option is specified (see below). As a special case, if <to>
3787 equals exactly "/" in prefix mode, then nothing is inserted
3788 before the original URI. It allows one to redirect to the same
3789 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01003790
3791 <code> The code is optional. It indicates which type of HTTP redirection
3792 is desired. Only codes 301, 302 and 303 are supported, and 302 is
3793 used if no code is specified. 301 means "Moved permanently", and
3794 a browser may cache the Location. 302 means "Moved permanently"
3795 and means that the browser should not cache the redirection. 303
3796 is equivalent to 302 except that the browser will fetch the
3797 location with a GET method.
3798
3799 <option> There are several options which can be specified to adjust the
3800 expected behaviour of a redirection :
3801
3802 - "drop-query"
3803 When this keyword is used in a prefix-based redirection, then the
3804 location will be set without any possible query-string, which is useful
3805 for directing users to a non-secure page for instance. It has no effect
3806 with a location-type redirect.
3807
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003808 - "append-slash"
3809 This keyword may be used in conjunction with "drop-query" to redirect
3810 users who use a URL not ending with a '/' to the same one with the '/'.
3811 It can be useful to ensure that search engines will only see one URL.
3812 For this, a return code 301 is preferred.
3813
Willy Tarreau0140f252008-11-19 21:07:09 +01003814 - "set-cookie NAME[=value]"
3815 A "Set-Cookie" header will be added with NAME (and optionally "=value")
3816 to the response. This is sometimes used to indicate that a user has
3817 been seen, for instance to protect against some types of DoS. No other
3818 cookie option is added, so the cookie will be a session cookie. Note
3819 that for a browser, a sole cookie name without an equal sign is
3820 different from a cookie with an equal sign.
3821
3822 - "clear-cookie NAME[=]"
3823 A "Set-Cookie" header will be added with NAME (and optionally "="), but
3824 with the "Max-Age" attribute set to zero. This will tell the browser to
3825 delete this cookie. It is useful for instance on logout pages. It is
3826 important to note that clearing the cookie "NAME" will not remove a
3827 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
3828 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003829
3830 Example: move the login URL only to HTTPS.
3831 acl clear dst_port 80
3832 acl secure dst_port 8080
3833 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01003834 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01003835 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01003836 acl cookie_set hdr_sub(cookie) SEEN=1
3837
3838 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01003839 redirect prefix https://mysite.com if login_page !secure
3840 redirect prefix http://mysite.com drop-query if login_page !uid_given
3841 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01003842 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003843
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003844 Example: send redirects for request for articles without a '/'.
3845 acl missing_slash path_reg ^/article/[^/]*$
3846 redirect code 301 prefix / drop-query append-slash if missing_slash
3847
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003848 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003849
3850
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003851redisp (deprecated)
3852redispatch (deprecated)
3853 Enable or disable session redistribution in case of connection failure
3854 May be used in sections: defaults | frontend | listen | backend
3855 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003856 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003857
3858 In HTTP mode, if a server designated by a cookie is down, clients may
3859 definitely stick to it because they cannot flush the cookie, so they will not
3860 be able to access the service anymore.
3861
3862 Specifying "redispatch" will allow the proxy to break their persistence and
3863 redistribute them to a working server.
3864
3865 It also allows to retry last connection to another server in case of multiple
3866 connection failures. Of course, it requires having "retries" set to a nonzero
3867 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003868
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003869 This form is deprecated, do not use it in any new configuration, use the new
3870 "option redispatch" instead.
3871
3872 See also : "option redispatch"
3873
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003874
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003875reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01003876 Add a header at the end of the HTTP request
3877 May be used in sections : defaults | frontend | listen | backend
3878 no | yes | yes | yes
3879 Arguments :
3880 <string> is the complete line to be added. Any space or known delimiter
3881 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003882 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003883
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003884 <cond> is an optional matching condition built from ACLs. It makes it
3885 possible to ignore this rule when other conditions are not met.
3886
Willy Tarreau303c0352008-01-17 19:01:39 +01003887 A new line consisting in <string> followed by a line feed will be added after
3888 the last header of an HTTP request.
3889
3890 Header transformations only apply to traffic which passes through HAProxy,
3891 and not to traffic generated by HAProxy, such as health-checks or error
3892 responses.
3893
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003894 Example : add "X-Proto: SSL" to requests coming via port 81
3895 acl is-ssl dst_port 81
3896 reqadd X-Proto:\ SSL if is-ssl
3897
3898 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
3899 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003900
3901
Willy Tarreau5321c422010-01-28 20:35:13 +01003902reqallow <search> [{if | unless} <cond>]
3903reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003904 Definitely allow an HTTP request if a line matches a regular expression
3905 May be used in sections : defaults | frontend | listen | backend
3906 no | yes | yes | yes
3907 Arguments :
3908 <search> is the regular expression applied to HTTP headers and to the
3909 request line. This is an extended regular expression. Parenthesis
3910 grouping is supported and no preliminary backslash is required.
3911 Any space or known delimiter must be escaped using a backslash
3912 ('\'). The pattern applies to a full line at a time. The
3913 "reqallow" keyword strictly matches case while "reqiallow"
3914 ignores case.
3915
Willy Tarreau5321c422010-01-28 20:35:13 +01003916 <cond> is an optional matching condition built from ACLs. It makes it
3917 possible to ignore this rule when other conditions are not met.
3918
Willy Tarreau303c0352008-01-17 19:01:39 +01003919 A request containing any line which matches extended regular expression
3920 <search> will mark the request as allowed, even if any later test would
3921 result in a deny. The test applies both to the request line and to request
3922 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003923 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003924
3925 It is easier, faster and more powerful to use ACLs to write access policies.
3926 Reqdeny, reqallow and reqpass should be avoided in new designs.
3927
3928 Example :
3929 # allow www.* but refuse *.local
3930 reqiallow ^Host:\ www\.
3931 reqideny ^Host:\ .*\.local
3932
Willy Tarreau5321c422010-01-28 20:35:13 +01003933 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
3934 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003935
3936
Willy Tarreau5321c422010-01-28 20:35:13 +01003937reqdel <search> [{if | unless} <cond>]
3938reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003939 Delete all headers matching a regular expression in an HTTP request
3940 May be used in sections : defaults | frontend | listen | backend
3941 no | yes | yes | yes
3942 Arguments :
3943 <search> is the regular expression applied to HTTP headers and to the
3944 request line. This is an extended regular expression. Parenthesis
3945 grouping is supported and no preliminary backslash is required.
3946 Any space or known delimiter must be escaped using a backslash
3947 ('\'). The pattern applies to a full line at a time. The "reqdel"
3948 keyword strictly matches case while "reqidel" ignores case.
3949
Willy Tarreau5321c422010-01-28 20:35:13 +01003950 <cond> is an optional matching condition built from ACLs. It makes it
3951 possible to ignore this rule when other conditions are not met.
3952
Willy Tarreau303c0352008-01-17 19:01:39 +01003953 Any header line matching extended regular expression <search> in the request
3954 will be completely deleted. Most common use of this is to remove unwanted
3955 and/or dangerous headers or cookies from a request before passing it to the
3956 next servers.
3957
3958 Header transformations only apply to traffic which passes through HAProxy,
3959 and not to traffic generated by HAProxy, such as health-checks or error
3960 responses. Keep in mind that header names are not case-sensitive.
3961
3962 Example :
3963 # remove X-Forwarded-For header and SERVER cookie
3964 reqidel ^X-Forwarded-For:.*
3965 reqidel ^Cookie:.*SERVER=
3966
Willy Tarreau5321c422010-01-28 20:35:13 +01003967 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
3968 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003969
3970
Willy Tarreau5321c422010-01-28 20:35:13 +01003971reqdeny <search> [{if | unless} <cond>]
3972reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003973 Deny an HTTP request if a line matches a regular expression
3974 May be used in sections : defaults | frontend | listen | backend
3975 no | yes | yes | yes
3976 Arguments :
3977 <search> is the regular expression applied to HTTP headers and to the
3978 request line. This is an extended regular expression. Parenthesis
3979 grouping is supported and no preliminary backslash is required.
3980 Any space or known delimiter must be escaped using a backslash
3981 ('\'). The pattern applies to a full line at a time. The
3982 "reqdeny" keyword strictly matches case while "reqideny" ignores
3983 case.
3984
Willy Tarreau5321c422010-01-28 20:35:13 +01003985 <cond> is an optional matching condition built from ACLs. It makes it
3986 possible to ignore this rule when other conditions are not met.
3987
Willy Tarreau303c0352008-01-17 19:01:39 +01003988 A request containing any line which matches extended regular expression
3989 <search> will mark the request as denied, even if any later test would
3990 result in an allow. The test applies both to the request line and to request
3991 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003992 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003993
Willy Tarreauced27012008-01-17 20:35:34 +01003994 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003995 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01003996 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01003997
Willy Tarreau303c0352008-01-17 19:01:39 +01003998 It is easier, faster and more powerful to use ACLs to write access policies.
3999 Reqdeny, reqallow and reqpass should be avoided in new designs.
4000
4001 Example :
4002 # refuse *.local, then allow www.*
4003 reqideny ^Host:\ .*\.local
4004 reqiallow ^Host:\ www\.
4005
Willy Tarreau5321c422010-01-28 20:35:13 +01004006 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4007 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004008
4009
Willy Tarreau5321c422010-01-28 20:35:13 +01004010reqpass <search> [{if | unless} <cond>]
4011reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004012 Ignore any HTTP request line matching a regular expression in next rules
4013 May be used in sections : defaults | frontend | listen | backend
4014 no | yes | yes | yes
4015 Arguments :
4016 <search> is the regular expression applied to HTTP headers and to the
4017 request line. This is an extended regular expression. Parenthesis
4018 grouping is supported and no preliminary backslash is required.
4019 Any space or known delimiter must be escaped using a backslash
4020 ('\'). The pattern applies to a full line at a time. The
4021 "reqpass" keyword strictly matches case while "reqipass" ignores
4022 case.
4023
Willy Tarreau5321c422010-01-28 20:35:13 +01004024 <cond> is an optional matching condition built from ACLs. It makes it
4025 possible to ignore this rule when other conditions are not met.
4026
Willy Tarreau303c0352008-01-17 19:01:39 +01004027 A request containing any line which matches extended regular expression
4028 <search> will skip next rules, without assigning any deny or allow verdict.
4029 The test applies both to the request line and to request headers. Keep in
4030 mind that URLs in request line are case-sensitive while header names are not.
4031
4032 It is easier, faster and more powerful to use ACLs to write access policies.
4033 Reqdeny, reqallow and reqpass should be avoided in new designs.
4034
4035 Example :
4036 # refuse *.local, then allow www.*, but ignore "www.private.local"
4037 reqipass ^Host:\ www.private\.local
4038 reqideny ^Host:\ .*\.local
4039 reqiallow ^Host:\ www\.
4040
Willy Tarreau5321c422010-01-28 20:35:13 +01004041 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4042 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004043
4044
Willy Tarreau5321c422010-01-28 20:35:13 +01004045reqrep <search> <string> [{if | unless} <cond>]
4046reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004047 Replace a regular expression with a string in an HTTP request line
4048 May be used in sections : defaults | frontend | listen | backend
4049 no | yes | yes | yes
4050 Arguments :
4051 <search> is the regular expression applied to HTTP headers and to the
4052 request line. This is an extended regular expression. Parenthesis
4053 grouping is supported and no preliminary backslash is required.
4054 Any space or known delimiter must be escaped using a backslash
4055 ('\'). The pattern applies to a full line at a time. The "reqrep"
4056 keyword strictly matches case while "reqirep" ignores case.
4057
4058 <string> is the complete line to be added. Any space or known delimiter
4059 must be escaped using a backslash ('\'). References to matched
4060 pattern groups are possible using the common \N form, with N
4061 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004062 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004063
Willy Tarreau5321c422010-01-28 20:35:13 +01004064 <cond> is an optional matching condition built from ACLs. It makes it
4065 possible to ignore this rule when other conditions are not met.
4066
Willy Tarreau303c0352008-01-17 19:01:39 +01004067 Any line matching extended regular expression <search> in the request (both
4068 the request line and header lines) will be completely replaced with <string>.
4069 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4070
4071 Header transformations only apply to traffic which passes through HAProxy,
4072 and not to traffic generated by HAProxy, such as health-checks or error
4073 responses. Note that for increased readability, it is suggested to add enough
4074 spaces between the request and the response. Keep in mind that URLs in
4075 request line are case-sensitive while header names are not.
4076
4077 Example :
4078 # replace "/static/" with "/" at the beginning of any request path.
4079 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
4080 # replace "www.mydomain.com" with "www" in the host name.
4081 reqirep ^Host:\ www.mydomain.com Host:\ www
4082
Willy Tarreau5321c422010-01-28 20:35:13 +01004083 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
4084 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004085
4086
Willy Tarreau5321c422010-01-28 20:35:13 +01004087reqtarpit <search> [{if | unless} <cond>]
4088reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004089 Tarpit an HTTP request containing a line matching a regular expression
4090 May be used in sections : defaults | frontend | listen | backend
4091 no | yes | yes | yes
4092 Arguments :
4093 <search> is the regular expression applied to HTTP headers and to the
4094 request line. This is an extended regular expression. Parenthesis
4095 grouping is supported and no preliminary backslash is required.
4096 Any space or known delimiter must be escaped using a backslash
4097 ('\'). The pattern applies to a full line at a time. The
4098 "reqtarpit" keyword strictly matches case while "reqitarpit"
4099 ignores case.
4100
Willy Tarreau5321c422010-01-28 20:35:13 +01004101 <cond> is an optional matching condition built from ACLs. It makes it
4102 possible to ignore this rule when other conditions are not met.
4103
Willy Tarreau303c0352008-01-17 19:01:39 +01004104 A request containing any line which matches extended regular expression
4105 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004106 be kept open for a pre-defined time, then will return an HTTP error 500 so
4107 that the attacker does not suspect it has been tarpitted. The status 500 will
4108 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004109 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4110 not set.
4111
4112 The goal of the tarpit is to slow down robots attacking servers with
4113 identifiable requests. Many robots limit their outgoing number of connections
4114 and stay connected waiting for a reply which can take several minutes to
4115 come. Depending on the environment and attack, it may be particularly
4116 efficient at reducing the load on the network and firewalls.
4117
Willy Tarreau5321c422010-01-28 20:35:13 +01004118 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004119 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4120 # block all others.
4121 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4122 reqitarpit ^User-Agent:
4123
Willy Tarreau5321c422010-01-28 20:35:13 +01004124 # block bad guys
4125 acl badguys src 10.1.0.3 172.16.13.20/28
4126 reqitarpit . if badguys
4127
4128 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4129 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004130
4131
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004132retries <value>
4133 Set the number of retries to perform on a server after a connection failure
4134 May be used in sections: defaults | frontend | listen | backend
4135 yes | no | yes | yes
4136 Arguments :
4137 <value> is the number of times a connection attempt should be retried on
4138 a server when a connection either is refused or times out. The
4139 default value is 3.
4140
4141 It is important to understand that this value applies to the number of
4142 connection attempts, not full requests. When a connection has effectively
4143 been established to a server, there will be no more retry.
4144
4145 In order to avoid immediate reconnections to a server which is restarting,
4146 a turn-around timer of 1 second is applied before a retry occurs.
4147
4148 When "option redispatch" is set, the last retry may be performed on another
4149 server even if a cookie references a different server.
4150
4151 See also : "option redispatch"
4152
4153
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004154rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004155 Add a header at the end of the HTTP response
4156 May be used in sections : defaults | frontend | listen | backend
4157 no | yes | yes | yes
4158 Arguments :
4159 <string> is the complete line to be added. Any space or known delimiter
4160 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004161 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004162
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004163 <cond> is an optional matching condition built from ACLs. It makes it
4164 possible to ignore this rule when other conditions are not met.
4165
Willy Tarreau303c0352008-01-17 19:01:39 +01004166 A new line consisting in <string> followed by a line feed will be added after
4167 the last header of an HTTP response.
4168
4169 Header transformations only apply to traffic which passes through HAProxy,
4170 and not to traffic generated by HAProxy, such as health-checks or error
4171 responses.
4172
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004173 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4174 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004175
4176
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004177rspdel <search> [{if | unless} <cond>]
4178rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004179 Delete all headers matching a regular expression in an HTTP response
4180 May be used in sections : defaults | frontend | listen | backend
4181 no | yes | yes | yes
4182 Arguments :
4183 <search> is the regular expression applied to HTTP headers and to the
4184 response line. This is an extended regular expression, so
4185 parenthesis grouping is supported and no preliminary backslash
4186 is required. Any space or known delimiter must be escaped using
4187 a backslash ('\'). The pattern applies to a full line at a time.
4188 The "rspdel" keyword strictly matches case while "rspidel"
4189 ignores case.
4190
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004191 <cond> is an optional matching condition built from ACLs. It makes it
4192 possible to ignore this rule when other conditions are not met.
4193
Willy Tarreau303c0352008-01-17 19:01:39 +01004194 Any header line matching extended regular expression <search> in the response
4195 will be completely deleted. Most common use of this is to remove unwanted
4196 and/or sensible headers or cookies from a response before passing it to the
4197 client.
4198
4199 Header transformations only apply to traffic which passes through HAProxy,
4200 and not to traffic generated by HAProxy, such as health-checks or error
4201 responses. Keep in mind that header names are not case-sensitive.
4202
4203 Example :
4204 # remove the Server header from responses
4205 reqidel ^Server:.*
4206
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004207 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4208 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004209
4210
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004211rspdeny <search> [{if | unless} <cond>]
4212rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004213 Block an HTTP response if a line matches a regular expression
4214 May be used in sections : defaults | frontend | listen | backend
4215 no | yes | yes | yes
4216 Arguments :
4217 <search> is the regular expression applied to HTTP headers and to the
4218 response line. This is an extended regular expression, so
4219 parenthesis grouping is supported and no preliminary backslash
4220 is required. Any space or known delimiter must be escaped using
4221 a backslash ('\'). The pattern applies to a full line at a time.
4222 The "rspdeny" keyword strictly matches case while "rspideny"
4223 ignores case.
4224
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004225 <cond> is an optional matching condition built from ACLs. It makes it
4226 possible to ignore this rule when other conditions are not met.
4227
Willy Tarreau303c0352008-01-17 19:01:39 +01004228 A response containing any line which matches extended regular expression
4229 <search> will mark the request as denied. The test applies both to the
4230 response line and to response headers. Keep in mind that header names are not
4231 case-sensitive.
4232
4233 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004234 block the response before it reaches the client. If a response is denied, it
4235 will be replaced with an HTTP 502 error so that the client never retrieves
4236 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004237
4238 It is easier, faster and more powerful to use ACLs to write access policies.
4239 Rspdeny should be avoided in new designs.
4240
4241 Example :
4242 # Ensure that no content type matching ms-word will leak
4243 rspideny ^Content-type:\.*/ms-word
4244
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004245 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4246 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004247
4248
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004249rsprep <search> <string> [{if | unless} <cond>]
4250rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004251 Replace a regular expression with a string in an HTTP response line
4252 May be used in sections : defaults | frontend | listen | backend
4253 no | yes | yes | yes
4254 Arguments :
4255 <search> is the regular expression applied to HTTP headers and to the
4256 response line. This is an extended regular expression, so
4257 parenthesis grouping is supported and no preliminary backslash
4258 is required. Any space or known delimiter must be escaped using
4259 a backslash ('\'). The pattern applies to a full line at a time.
4260 The "rsprep" keyword strictly matches case while "rspirep"
4261 ignores case.
4262
4263 <string> is the complete line to be added. Any space or known delimiter
4264 must be escaped using a backslash ('\'). References to matched
4265 pattern groups are possible using the common \N form, with N
4266 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004267 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004268
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004269 <cond> is an optional matching condition built from ACLs. It makes it
4270 possible to ignore this rule when other conditions are not met.
4271
Willy Tarreau303c0352008-01-17 19:01:39 +01004272 Any line matching extended regular expression <search> in the response (both
4273 the response line and header lines) will be completely replaced with
4274 <string>. Most common use of this is to rewrite Location headers.
4275
4276 Header transformations only apply to traffic which passes through HAProxy,
4277 and not to traffic generated by HAProxy, such as health-checks or error
4278 responses. Note that for increased readability, it is suggested to add enough
4279 spaces between the request and the response. Keep in mind that header names
4280 are not case-sensitive.
4281
4282 Example :
4283 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4284 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4285
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004286 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4287 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004288
4289
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004290server <name> <address>[:port] [param*]
4291 Declare a server in a backend
4292 May be used in sections : defaults | frontend | listen | backend
4293 no | no | yes | yes
4294 Arguments :
4295 <name> is the internal name assigned to this server. This name will
4296 appear in logs and alerts.
4297
4298 <address> is the IPv4 address of the server. Alternatively, a resolvable
4299 hostname is supported, but this name will be resolved during
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004300 start-up. Address "0.0.0.0" or "*" has a special meaning. It
4301 indicates that the connection will be forwarded to the same IP
4302 address as the one from the client connection. This is useful in
4303 transparent proxy architectures where the client's connection is
4304 intercepted and haproxy must forward to the original destination
4305 address. This is more or less what the "transparent" keyword does
4306 except that with a server it's possible to limit concurrency and
4307 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004308
4309 <ports> is an optional port specification. If set, all connections will
4310 be sent to this port. If unset, the same port the client
4311 connected to will be used. The port may also be prefixed by a "+"
4312 or a "-". In this case, the server's port will be determined by
4313 adding this value to the client's port.
4314
4315 <param*> is a list of parameters for this server. The "server" keywords
4316 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004317 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004318
4319 Examples :
4320 server first 10.1.1.1:1080 cookie first check inter 1000
4321 server second 10.1.1.2:1080 cookie second check inter 1000
4322
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004323 See also: "default-server" and section 5 about server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004324
4325
4326source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004327source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004328source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004329 Set the source address for outgoing connections
4330 May be used in sections : defaults | frontend | listen | backend
4331 yes | no | yes | yes
4332 Arguments :
4333 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4334 server. This address is also used as a source for health checks.
4335 The default value of 0.0.0.0 means that the system will select
4336 the most appropriate address to reach its destination.
4337
4338 <port> is an optional port. It is normally not needed but may be useful
4339 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004340 the system will select a free port. Note that port ranges are not
4341 supported in the backend. If you want to force port ranges, you
4342 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004343
4344 <addr2> is the IP address to present to the server when connections are
4345 forwarded in full transparent proxy mode. This is currently only
4346 supported on some patched Linux kernels. When this address is
4347 specified, clients connecting to the server will be presented
4348 with this address, while health checks will still use the address
4349 <addr>.
4350
4351 <port2> is the optional port to present to the server when connections
4352 are forwarded in full transparent proxy mode (see <addr2> above).
4353 The default value of zero means the system will select a free
4354 port.
4355
Willy Tarreaubce70882009-09-07 11:51:47 +02004356 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4357 This is the name of a comma-separated header list which can
4358 contain multiple IP addresses. By default, the last occurrence is
4359 used. This is designed to work with the X-Forwarded-For header
4360 and to automatically bind to the the client's IP address as seen
4361 by previous proxy, typically Stunnel. In order to use another
4362 occurrence from the last one, please see the <occ> parameter
4363 below. When the header (or occurrence) is not found, no binding
4364 is performed so that the proxy's default IP address is used. Also
4365 keep in mind that the header name is case insensitive, as for any
4366 HTTP header.
4367
4368 <occ> is the occurrence number of a value to be used in a multi-value
4369 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
4370 in order to specificy which occurrence to use for the source IP
4371 address. Positive values indicate a position from the first
4372 occurrence, 1 being the first one. Negative values indicate
4373 positions relative to the last one, -1 being the last one. This
4374 is helpful for situations where an X-Forwarded-For header is set
4375 at the entry point of an infrastructure and must be used several
4376 proxy layers away. When this value is not specified, -1 is
4377 assumed. Passing a zero here disables the feature.
4378
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004379 <name> is an optional interface name to which to bind to for outgoing
4380 traffic. On systems supporting this features (currently, only
4381 Linux), this allows one to bind all traffic to the server to
4382 this interface even if it is not the one the system would select
4383 based on routing tables. This should be used with extreme care.
4384 Note that using this option requires root privileges.
4385
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004386 The "source" keyword is useful in complex environments where a specific
4387 address only is allowed to connect to the servers. It may be needed when a
4388 private address must be used through a public gateway for instance, and it is
4389 known that the system cannot determine the adequate source address by itself.
4390
4391 An extension which is available on certain patched Linux kernels may be used
4392 through the "usesrc" optional keyword. It makes it possible to connect to the
4393 servers with an IP address which does not belong to the system itself. This
4394 is called "full transparent proxy mode". For this to work, the destination
4395 servers have to route their traffic back to this address through the machine
4396 running HAProxy, and IP forwarding must generally be enabled on this machine.
4397
4398 In this "full transparent proxy" mode, it is possible to force a specific IP
4399 address to be presented to the servers. This is not much used in fact. A more
4400 common use is to tell HAProxy to present the client's IP address. For this,
4401 there are two methods :
4402
4403 - present the client's IP and port addresses. This is the most transparent
4404 mode, but it can cause problems when IP connection tracking is enabled on
4405 the machine, because a same connection may be seen twice with different
4406 states. However, this solution presents the huge advantage of not
4407 limiting the system to the 64k outgoing address+port couples, because all
4408 of the client ranges may be used.
4409
4410 - present only the client's IP address and select a spare port. This
4411 solution is still quite elegant but slightly less transparent (downstream
4412 firewalls logs will not match upstream's). It also presents the downside
4413 of limiting the number of concurrent connections to the usual 64k ports.
4414 However, since the upstream and downstream ports are different, local IP
4415 connection tracking on the machine will not be upset by the reuse of the
4416 same session.
4417
4418 Note that depending on the transparent proxy technology used, it may be
4419 required to force the source address. In fact, cttproxy version 2 requires an
4420 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4421 IP address because it creates NAT entries which much match the exact outgoing
4422 address. Tproxy version 4 and some other kernel patches which work in pure
4423 forwarding mode generally will not have this limitation.
4424
4425 This option sets the default source for all servers in the backend. It may
4426 also be specified in a "defaults" section. Finer source address specification
4427 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004428 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004429
4430 Examples :
4431 backend private
4432 # Connect to the servers using our 192.168.1.200 source address
4433 source 192.168.1.200
4434
4435 backend transparent_ssl1
4436 # Connect to the SSL farm from the client's source address
4437 source 192.168.1.200 usesrc clientip
4438
4439 backend transparent_ssl2
4440 # Connect to the SSL farm from the client's source address and port
4441 # not recommended if IP conntrack is present on the local machine.
4442 source 192.168.1.200 usesrc client
4443
4444 backend transparent_ssl3
4445 # Connect to the SSL farm from the client's source address. It
4446 # is more conntrack-friendly.
4447 source 192.168.1.200 usesrc clientip
4448
4449 backend transparent_smtp
4450 # Connect to the SMTP farm from the client's source address/port
4451 # with Tproxy version 4.
4452 source 0.0.0.0 usesrc clientip
4453
Willy Tarreaubce70882009-09-07 11:51:47 +02004454 backend transparent_http
4455 # Connect to the servers using the client's IP as seen by previous
4456 # proxy.
4457 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4458
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004459 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004460 the Linux kernel on www.balabit.com, the "bind" keyword.
4461
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004462
Willy Tarreau844e3c52008-01-11 16:28:18 +01004463srvtimeout <timeout> (deprecated)
4464 Set the maximum inactivity time on the server side.
4465 May be used in sections : defaults | frontend | listen | backend
4466 yes | no | yes | yes
4467 Arguments :
4468 <timeout> is the timeout value specified in milliseconds by default, but
4469 can be in any other unit if the number is suffixed by the unit,
4470 as explained at the top of this document.
4471
4472 The inactivity timeout applies when the server is expected to acknowledge or
4473 send data. In HTTP mode, this timeout is particularly important to consider
4474 during the first phase of the server's response, when it has to send the
4475 headers, as it directly represents the server's processing time for the
4476 request. To find out what value to put there, it's often good to start with
4477 what would be considered as unacceptable response times, then check the logs
4478 to observe the response time distribution, and adjust the value accordingly.
4479
4480 The value is specified in milliseconds by default, but can be in any other
4481 unit if the number is suffixed by the unit, as specified at the top of this
4482 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4483 recommended that the client timeout remains equal to the server timeout in
4484 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004485 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004486 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01004487 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01004488
4489 This parameter is specific to backends, but can be specified once for all in
4490 "defaults" sections. This is in fact one of the easiest solutions not to
4491 forget about it. An unspecified timeout results in an infinite timeout, which
4492 is not recommended. Such a usage is accepted and works but reports a warning
4493 during startup because it may results in accumulation of expired sessions in
4494 the system if the system's timeouts are not configured either.
4495
4496 This parameter is provided for compatibility but is currently deprecated.
4497 Please use "timeout server" instead.
4498
4499 See also : "timeout server", "timeout client" and "clitimeout".
4500
4501
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004502stats auth <user>:<passwd>
4503 Enable statistics with authentication and grant access to an account
4504 May be used in sections : defaults | frontend | listen | backend
4505 yes | no | yes | yes
4506 Arguments :
4507 <user> is a user name to grant access to
4508
4509 <passwd> is the cleartext password associated to this user
4510
4511 This statement enables statistics with default settings, and restricts access
4512 to declared users only. It may be repeated as many times as necessary to
4513 allow as many users as desired. When a user tries to access the statistics
4514 without a valid account, a "401 Forbidden" response will be returned so that
4515 the browser asks the user to provide a valid user and password. The real
4516 which will be returned to the browser is configurable using "stats realm".
4517
4518 Since the authentication method is HTTP Basic Authentication, the passwords
4519 circulate in cleartext on the network. Thus, it was decided that the
4520 configuration file would also use cleartext passwords to remind the users
4521 that those ones should not be sensible and not shared with any other account.
4522
4523 It is also possible to reduce the scope of the proxies which appear in the
4524 report using "stats scope".
4525
4526 Though this statement alone is enough to enable statistics reporting, it is
4527 recommended to set all other settings in order to avoid relying on default
4528 unobvious parameters.
4529
4530 Example :
4531 # public access (limited to this backend only)
4532 backend public_www
4533 server srv1 192.168.0.1:80
4534 stats enable
4535 stats hide-version
4536 stats scope .
4537 stats uri /admin?stats
4538 stats realm Haproxy\ Statistics
4539 stats auth admin1:AdMiN123
4540 stats auth admin2:AdMiN321
4541
4542 # internal monitoring access (unlimited)
4543 backend private_monitoring
4544 stats enable
4545 stats uri /admin?stats
4546 stats refresh 5s
4547
4548 See also : "stats enable", "stats realm", "stats scope", "stats uri"
4549
4550
4551stats enable
4552 Enable statistics reporting with default settings
4553 May be used in sections : defaults | frontend | listen | backend
4554 yes | no | yes | yes
4555 Arguments : none
4556
4557 This statement enables statistics reporting with default settings defined
4558 at build time. Unless stated otherwise, these settings are used :
4559 - stats uri : /haproxy?stats
4560 - stats realm : "HAProxy Statistics"
4561 - stats auth : no authentication
4562 - stats scope : no restriction
4563
4564 Though this statement alone is enough to enable statistics reporting, it is
4565 recommended to set all other settings in order to avoid relying on default
4566 unobvious parameters.
4567
4568 Example :
4569 # public access (limited to this backend only)
4570 backend public_www
4571 server srv1 192.168.0.1:80
4572 stats enable
4573 stats hide-version
4574 stats scope .
4575 stats uri /admin?stats
4576 stats realm Haproxy\ Statistics
4577 stats auth admin1:AdMiN123
4578 stats auth admin2:AdMiN321
4579
4580 # internal monitoring access (unlimited)
4581 backend private_monitoring
4582 stats enable
4583 stats uri /admin?stats
4584 stats refresh 5s
4585
4586 See also : "stats auth", "stats realm", "stats uri"
4587
4588
Willy Tarreaud63335a2010-02-26 12:56:52 +01004589stats hide-version
4590 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004591 May be used in sections : defaults | frontend | listen | backend
4592 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01004593 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004594
Willy Tarreaud63335a2010-02-26 12:56:52 +01004595 By default, the stats page reports some useful status information along with
4596 the statistics. Among them is HAProxy's version. However, it is generally
4597 considered dangerous to report precise version to anyone, as it can help them
4598 target known weaknesses with specific attacks. The "stats hide-version"
4599 statement removes the version from the statistics report. This is recommended
4600 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004601
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004602 Though this statement alone is enough to enable statistics reporting, it is
4603 recommended to set all other settings in order to avoid relying on default
4604 unobvious parameters.
4605
Willy Tarreaud63335a2010-02-26 12:56:52 +01004606 Example :
4607 # public access (limited to this backend only)
4608 backend public_www
4609 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004610 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004611 stats hide-version
4612 stats scope .
4613 stats uri /admin?stats
4614 stats realm Haproxy\ Statistics
4615 stats auth admin1:AdMiN123
4616 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004617
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004618 # internal monitoring access (unlimited)
4619 backend private_monitoring
4620 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004621 stats uri /admin?stats
4622 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01004623
Willy Tarreaud63335a2010-02-26 12:56:52 +01004624 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004625
Willy Tarreau983e01e2010-01-11 18:42:06 +01004626
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004627stats realm <realm>
4628 Enable statistics and set authentication realm
4629 May be used in sections : defaults | frontend | listen | backend
4630 yes | no | yes | yes
4631 Arguments :
4632 <realm> is the name of the HTTP Basic Authentication realm reported to
4633 the browser. The browser uses it to display it in the pop-up
4634 inviting the user to enter a valid username and password.
4635
4636 The realm is read as a single word, so any spaces in it should be escaped
4637 using a backslash ('\').
4638
4639 This statement is useful only in conjunction with "stats auth" since it is
4640 only related to authentication.
4641
4642 Though this statement alone is enough to enable statistics reporting, it is
4643 recommended to set all other settings in order to avoid relying on default
4644 unobvious parameters.
4645
4646 Example :
4647 # public access (limited to this backend only)
4648 backend public_www
4649 server srv1 192.168.0.1:80
4650 stats enable
4651 stats hide-version
4652 stats scope .
4653 stats uri /admin?stats
4654 stats realm Haproxy\ Statistics
4655 stats auth admin1:AdMiN123
4656 stats auth admin2:AdMiN321
4657
4658 # internal monitoring access (unlimited)
4659 backend private_monitoring
4660 stats enable
4661 stats uri /admin?stats
4662 stats refresh 5s
4663
4664 See also : "stats auth", "stats enable", "stats uri"
4665
4666
4667stats refresh <delay>
4668 Enable statistics with automatic refresh
4669 May be used in sections : defaults | frontend | listen | backend
4670 yes | no | yes | yes
4671 Arguments :
4672 <delay> is the suggested refresh delay, specified in seconds, which will
4673 be returned to the browser consulting the report page. While the
4674 browser is free to apply any delay, it will generally respect it
4675 and refresh the page this every seconds. The refresh interval may
4676 be specified in any other non-default time unit, by suffixing the
4677 unit after the value, as explained at the top of this document.
4678
4679 This statement is useful on monitoring displays with a permanent page
4680 reporting the load balancer's activity. When set, the HTML report page will
4681 include a link "refresh"/"stop refresh" so that the user can select whether
4682 he wants automatic refresh of the page or not.
4683
4684 Though this statement alone is enough to enable statistics reporting, it is
4685 recommended to set all other settings in order to avoid relying on default
4686 unobvious parameters.
4687
4688 Example :
4689 # public access (limited to this backend only)
4690 backend public_www
4691 server srv1 192.168.0.1:80
4692 stats enable
4693 stats hide-version
4694 stats scope .
4695 stats uri /admin?stats
4696 stats realm Haproxy\ Statistics
4697 stats auth admin1:AdMiN123
4698 stats auth admin2:AdMiN321
4699
4700 # internal monitoring access (unlimited)
4701 backend private_monitoring
4702 stats enable
4703 stats uri /admin?stats
4704 stats refresh 5s
4705
4706 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4707
4708
4709stats scope { <name> | "." }
4710 Enable statistics and limit access scope
4711 May be used in sections : defaults | frontend | listen | backend
4712 yes | no | yes | yes
4713 Arguments :
4714 <name> is the name of a listen, frontend or backend section to be
4715 reported. The special name "." (a single dot) designates the
4716 section in which the statement appears.
4717
4718 When this statement is specified, only the sections enumerated with this
4719 statement will appear in the report. All other ones will be hidden. This
4720 statement may appear as many times as needed if multiple sections need to be
4721 reported. Please note that the name checking is performed as simple string
4722 comparisons, and that it is never checked that a give section name really
4723 exists.
4724
4725 Though this statement alone is enough to enable statistics reporting, it is
4726 recommended to set all other settings in order to avoid relying on default
4727 unobvious parameters.
4728
4729 Example :
4730 # public access (limited to this backend only)
4731 backend public_www
4732 server srv1 192.168.0.1:80
4733 stats enable
4734 stats hide-version
4735 stats scope .
4736 stats uri /admin?stats
4737 stats realm Haproxy\ Statistics
4738 stats auth admin1:AdMiN123
4739 stats auth admin2:AdMiN321
4740
4741 # internal monitoring access (unlimited)
4742 backend private_monitoring
4743 stats enable
4744 stats uri /admin?stats
4745 stats refresh 5s
4746
4747 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4748
Willy Tarreaud63335a2010-02-26 12:56:52 +01004749
Willy Tarreauc9705a12010-07-27 20:05:50 +02004750stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01004751 Enable reporting of a description on the statistics page.
4752 May be used in sections : defaults | frontend | listen | backend
4753 yes | no | yes | yes
4754
Willy Tarreauc9705a12010-07-27 20:05:50 +02004755 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01004756 description from global section is automatically used instead.
4757
4758 This statement is useful for users that offer shared services to their
4759 customers, where node or description should be different for each customer.
4760
4761 Though this statement alone is enough to enable statistics reporting, it is
4762 recommended to set all other settings in order to avoid relying on default
4763 unobvious parameters.
4764
4765 Example :
4766 # internal monitoring access (unlimited)
4767 backend private_monitoring
4768 stats enable
4769 stats show-desc Master node for Europe, Asia, Africa
4770 stats uri /admin?stats
4771 stats refresh 5s
4772
4773 See also: "show-node", "stats enable", "stats uri" and "description" in
4774 global section.
4775
4776
4777stats show-legends
4778 Enable reporting additional informations on the statistics page :
4779 - cap: capabilities (proxy)
4780 - mode: one of tcp, http or health (proxy)
4781 - id: SNMP ID (proxy, socket, server)
4782 - IP (socket, server)
4783 - cookie (backend, server)
4784
4785 Though this statement alone is enough to enable statistics reporting, it is
4786 recommended to set all other settings in order to avoid relying on default
4787 unobvious parameters.
4788
4789 See also: "stats enable", "stats uri".
4790
4791
4792stats show-node [ <name> ]
4793 Enable reporting of a host name on the statistics page.
4794 May be used in sections : defaults | frontend | listen | backend
4795 yes | no | yes | yes
4796 Arguments:
4797 <name> is an optional name to be reported. If unspecified, the
4798 node name from global section is automatically used instead.
4799
4800 This statement is useful for users that offer shared services to their
4801 customers, where node or description might be different on a stats page
4802 provided for each customer.
4803
4804 Though this statement alone is enough to enable statistics reporting, it is
4805 recommended to set all other settings in order to avoid relying on default
4806 unobvious parameters.
4807
4808 Example:
4809 # internal monitoring access (unlimited)
4810 backend private_monitoring
4811 stats enable
4812 stats show-node Europe-1
4813 stats uri /admin?stats
4814 stats refresh 5s
4815
4816 See also: "show-desc", "stats enable", "stats uri", and "node" in global
4817 section.
4818
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004819
4820stats uri <prefix>
4821 Enable statistics and define the URI prefix to access them
4822 May be used in sections : defaults | frontend | listen | backend
4823 yes | no | yes | yes
4824 Arguments :
4825 <prefix> is the prefix of any URI which will be redirected to stats. This
4826 prefix may contain a question mark ('?') to indicate part of a
4827 query string.
4828
4829 The statistics URI is intercepted on the relayed traffic, so it appears as a
4830 page within the normal application. It is strongly advised to ensure that the
4831 selected URI will never appear in the application, otherwise it will never be
4832 possible to reach it in the application.
4833
4834 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004835 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004836 It is generally a good idea to include a question mark in the URI so that
4837 intermediate proxies refrain from caching the results. Also, since any string
4838 beginning with the prefix will be accepted as a stats request, the question
4839 mark helps ensuring that no valid URI will begin with the same words.
4840
4841 It is sometimes very convenient to use "/" as the URI prefix, and put that
4842 statement in a "listen" instance of its own. That makes it easy to dedicate
4843 an address or a port to statistics only.
4844
4845 Though this statement alone is enough to enable statistics reporting, it is
4846 recommended to set all other settings in order to avoid relying on default
4847 unobvious parameters.
4848
4849 Example :
4850 # public access (limited to this backend only)
4851 backend public_www
4852 server srv1 192.168.0.1:80
4853 stats enable
4854 stats hide-version
4855 stats scope .
4856 stats uri /admin?stats
4857 stats realm Haproxy\ Statistics
4858 stats auth admin1:AdMiN123
4859 stats auth admin2:AdMiN321
4860
4861 # internal monitoring access (unlimited)
4862 backend private_monitoring
4863 stats enable
4864 stats uri /admin?stats
4865 stats refresh 5s
4866
4867 See also : "stats auth", "stats enable", "stats realm"
4868
4869
Willy Tarreaud63335a2010-02-26 12:56:52 +01004870stick match <pattern> [table <table>] [{if | unless} <cond>]
4871 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004872 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01004873 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004874
4875 Arguments :
4876 <pattern> is a pattern extraction rule as described in section 7.8. It
4877 describes what elements of the incoming request or connection
4878 will be analysed in the hope to find a matching entry in a
4879 stickiness table. This rule is mandatory.
4880
4881 <table> is an optional stickiness table name. If unspecified, the same
4882 backend's table is used. A stickiness table is declared using
4883 the "stick-table" statement.
4884
4885 <cond> is an optional matching condition. It makes it possible to match
4886 on a certain criterion only when other conditions are met (or
4887 not met). For instance, it could be used to match on a source IP
4888 address except when a request passes through a known proxy, in
4889 which case we'd match on a header containing that IP address.
4890
4891 Some protocols or applications require complex stickiness rules and cannot
4892 always simply rely on cookies nor hashing. The "stick match" statement
4893 describes a rule to extract the stickiness criterion from an incoming request
4894 or connection. See section 7 for a complete list of possible patterns and
4895 transformation rules.
4896
4897 The table has to be declared using the "stick-table" statement. It must be of
4898 a type compatible with the pattern. By default it is the one which is present
4899 in the same backend. It is possible to share a table with other backends by
4900 referencing it using the "table" keyword. If another table is referenced,
4901 the server's ID inside the backends are used. By default, all server IDs
4902 start at 1 in each backend, so the server ordering is enough. But in case of
4903 doubt, it is highly recommended to force server IDs using their "id" setting.
4904
4905 It is possible to restrict the conditions where a "stick match" statement
4906 will apply, using "if" or "unless" followed by a condition. See section 7 for
4907 ACL based conditions.
4908
4909 There is no limit on the number of "stick match" statements. The first that
4910 applies and matches will cause the request to be directed to the same server
4911 as was used for the request which created the entry. That way, multiple
4912 matches can be used as fallbacks.
4913
4914 The stick rules are checked after the persistence cookies, so they will not
4915 affect stickiness if a cookie has already been used to select a server. That
4916 way, it becomes very easy to insert cookies and match on IP addresses in
4917 order to maintain stickiness between HTTP and HTTPS.
4918
4919 Example :
4920 # forward SMTP users to the same server they just used for POP in the
4921 # last 30 minutes
4922 backend pop
4923 mode tcp
4924 balance roundrobin
4925 stick store-request src
4926 stick-table type ip size 200k expire 30m
4927 server s1 192.168.1.1:110
4928 server s2 192.168.1.1:110
4929
4930 backend smtp
4931 mode tcp
4932 balance roundrobin
4933 stick match src table pop
4934 server s1 192.168.1.1:25
4935 server s2 192.168.1.1:25
4936
4937 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
4938 extraction.
4939
4940
4941stick on <pattern> [table <table>] [{if | unless} <condition>]
4942 Define a request pattern to associate a user to a server
4943 May be used in sections : defaults | frontend | listen | backend
4944 no | no | yes | yes
4945
4946 Note : This form is exactly equivalent to "stick match" followed by
4947 "stick store-request", all with the same arguments. Please refer
4948 to both keywords for details. It is only provided as a convenience
4949 for writing more maintainable configurations.
4950
4951 Examples :
4952 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01004953 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004954
4955 # ...is strictly equivalent to this one :
4956 stick match src table pop if !localhost
4957 stick store-request src table pop if !localhost
4958
4959
4960 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
4961 # well as HTTP without cookie. Share the same table between both accesses.
4962 backend http
4963 mode http
4964 balance roundrobin
4965 stick on src table https
4966 cookie SRV insert indirect nocache
4967 server s1 192.168.1.1:80 cookie s1
4968 server s2 192.168.1.1:80 cookie s2
4969
4970 backend https
4971 mode tcp
4972 balance roundrobin
4973 stick-table type ip size 200k expire 30m
4974 stick on src
4975 server s1 192.168.1.1:443
4976 server s2 192.168.1.1:443
4977
4978 See also : "stick match" and "stick store-request"
4979
4980
4981stick store-request <pattern> [table <table>] [{if | unless} <condition>]
4982 Define a request pattern used to create an entry in a stickiness table
4983 May be used in sections : defaults | frontend | listen | backend
4984 no | no | yes | yes
4985
4986 Arguments :
4987 <pattern> is a pattern extraction rule as described in section 7.8. It
4988 describes what elements of the incoming request or connection
4989 will be analysed, extracted and stored in the table once a
4990 server is selected.
4991
4992 <table> is an optional stickiness table name. If unspecified, the same
4993 backend's table is used. A stickiness table is declared using
4994 the "stick-table" statement.
4995
4996 <cond> is an optional storage condition. It makes it possible to store
4997 certain criteria only when some conditions are met (or not met).
4998 For instance, it could be used to store the source IP address
4999 except when the request passes through a known proxy, in which
5000 case we'd store a converted form of a header containing that IP
5001 address.
5002
5003 Some protocols or applications require complex stickiness rules and cannot
5004 always simply rely on cookies nor hashing. The "stick store-request" statement
5005 describes a rule to decide what to extract from the request and when to do
5006 it, in order to store it into a stickiness table for further requests to
5007 match it using the "stick match" statement. Obviously the extracted part must
5008 make sense and have a chance to be matched in a further request. Storing a
5009 client's IP address for instance often makes sense. Storing an ID found in a
5010 URL parameter also makes sense. Storing a source port will almost never make
5011 any sense because it will be randomly matched. See section 7 for a complete
5012 list of possible patterns and transformation rules.
5013
5014 The table has to be declared using the "stick-table" statement. It must be of
5015 a type compatible with the pattern. By default it is the one which is present
5016 in the same backend. It is possible to share a table with other backends by
5017 referencing it using the "table" keyword. If another table is referenced,
5018 the server's ID inside the backends are used. By default, all server IDs
5019 start at 1 in each backend, so the server ordering is enough. But in case of
5020 doubt, it is highly recommended to force server IDs using their "id" setting.
5021
5022 It is possible to restrict the conditions where a "stick store-request"
5023 statement will apply, using "if" or "unless" followed by a condition. This
5024 condition will be evaluated while parsing the request, so any criteria can be
5025 used. See section 7 for ACL based conditions.
5026
5027 There is no limit on the number of "stick store-request" statements, but
5028 there is a limit of 8 simultaneous stores per request or response. This
5029 makes it possible to store up to 8 criteria, all extracted from either the
5030 request or the response, regardless of the number of rules. Only the 8 first
5031 ones which match will be kept. Using this, it is possible to feed multiple
5032 tables at once in the hope to increase the chance to recognize a user on
5033 another protocol or access method.
5034
5035 The "store-request" rules are evaluated once the server connection has been
5036 established, so that the table will contain the real server that processed
5037 the request.
5038
5039 Example :
5040 # forward SMTP users to the same server they just used for POP in the
5041 # last 30 minutes
5042 backend pop
5043 mode tcp
5044 balance roundrobin
5045 stick store-request src
5046 stick-table type ip size 200k expire 30m
5047 server s1 192.168.1.1:110
5048 server s2 192.168.1.1:110
5049
5050 backend smtp
5051 mode tcp
5052 balance roundrobin
5053 stick match src table pop
5054 server s1 192.168.1.1:25
5055 server s2 192.168.1.1:25
5056
5057 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5058 extraction.
5059
5060
5061stick-table type {ip | integer | string [len <length>] } size <size>
Willy Tarreau08d5f982010-06-06 13:34:54 +02005062 [expire <expire>] [nopurge] [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005063 Configure the stickiness table for the current backend
5064 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005065 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005066
5067 Arguments :
5068 ip a table declared with "type ip" will only store IPv4 addresses.
5069 This form is very compact (about 50 bytes per entry) and allows
5070 very fast entry lookup and stores with almost no overhead. This
5071 is mainly used to store client source IP addresses.
5072
5073 integer a table declared with "type integer" will store 32bit integers
5074 which can represent a client identifier found in a request for
5075 instance.
5076
5077 string a table declared with "type string" will store substrings of up
5078 to <len> characters. If the string provided by the pattern
5079 extractor is larger than <len>, it will be truncated before
5080 being stored. During matching, at most <len> characters will be
5081 compared between the string in the table and the extracted
5082 pattern. When not specified, the string is automatically limited
5083 to 31 characters.
5084
5085 <length> is the maximum number of characters that will be stored in a
5086 "string" type table. See type "string" above. Be careful when
5087 changing this parameter as memory usage will proportionally
5088 increase.
5089
5090 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005091 value directly impacts memory usage. Count approximately
5092 50 bytes per entry, plus the size of a string if any. The size
5093 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005094
5095 [nopurge] indicates that we refuse to purge older entries when the table
5096 is full. When not specified and the table is full when haproxy
5097 wants to store an entry in it, it will flush a few of the oldest
5098 entries in order to release some space for the new ones. This is
5099 most often the desired behaviour. In some specific cases, it
5100 be desirable to refuse new entries instead of purging the older
5101 ones. That may be the case when the amount of data to store is
5102 far above the hardware limits and we prefer not to offer access
5103 to new clients than to reject the ones already connected. When
5104 using this parameter, be sure to properly set the "expire"
5105 parameter (see below).
5106
5107 <expire> defines the maximum duration of an entry in the table since it
5108 was last created, refreshed or matched. The expiration delay is
5109 defined using the standard time format, similarly as the various
5110 timeouts. The maximum duration is slightly above 24 days. See
5111 section 2.2 for more information. If this delay is not specified,
5112 the session won't automatically expire, but older entries will
5113 be removed once full. Be sure not to use the "nopurge" parameter
5114 if not expiration delay is specified.
5115
Willy Tarreau08d5f982010-06-06 13:34:54 +02005116 <data_type> is used to store additional information in the stick-table. This
5117 may be used by ACLs in order to control various criteria related
5118 to the activity of the client matching the stick-table. For each
5119 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02005120 that the additional data can fit. Several data types may be
5121 stored with an entry. Multiple data types may be specified after
5122 the "store" keyword, as a comma-separated list. Alternatively,
5123 it is possible to repeat the "store" keyword followed by one or
5124 several data types. Except for the "server_id" type which is
5125 automatically detected and enabled, all data types must be
5126 explicitly declared to be stored. If an ACL references a data
5127 type which is not stored, the ACL will simply not match. Some
5128 data types require an argument which must be passed just after
5129 the type between parenthesis. See below for the supported data
5130 types and their arguments.
5131
5132 The data types that can be stored with an entry are the following :
5133 - server_id : this is an integer which holds the numeric ID of the server a
5134 request was assigned to. It is used by the "stick match", "stick store",
5135 and "stick on" rules. It is automatically enabled when referenced.
5136
5137 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
5138 integer which may be used for anything. Most of the time it will be used
5139 to put a special tag on some entries, for instance to note that a
5140 specific behaviour was detected and must be known for future matches.
5141
5142 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
5143 the absolute number of connections received from clients which matched
5144 this entry. It does not mean the connections were accepted, just that
5145 they were received.
5146
5147 - conn_cur : Current Connections. It is a positive 32-bit integer which
5148 stores the concurrent connection counts for the entry. It is incremented
5149 once an incoming connection matches the entry, and decremented once the
5150 connection leaves. That way it is possible to know at any time the exact
5151 number of concurrent connections for an entry.
5152
5153 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5154 integer parameter <period> which indicates in milliseconds the length
5155 of the period over which the average is measured. It reports the average
5156 incoming connection rate over that period, in connections per period. The
5157 result is an integer which can be matched using ACLs.
5158
5159 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
5160 the absolute number of sessions received from clients which matched this
5161 entry. A session is a connection that was accepted by the layer 4 rules.
5162
5163 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5164 integer parameter <period> which indicates in milliseconds the length
5165 of the period over which the average is measured. It reports the average
5166 incoming session rate over that period, in sessions per period. The
5167 result is an integer which can be matched using ACLs.
5168
5169 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
5170 counts the absolute number of HTTP requests received from clients which
5171 matched this entry. It does not matter whether they are valid requests or
5172 not. Note that this is different from sessions when keep-alive is used on
5173 the client side.
5174
5175 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5176 integer parameter <period> which indicates in milliseconds the length
5177 of the period over which the average is measured. It reports the average
5178 HTTP request rate over that period, in requests per period. The result is
5179 an integer which can be matched using ACLs. It does not matter whether
5180 they are valid requests or not. Note that this is different from sessions
5181 when keep-alive is used on the client side.
5182
5183 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
5184 counts the absolute number of HTTP requests errors induced by clients
5185 which matched this entry. Errors are counted on invalid and truncated
5186 requests, as well as on denied or tarpitted requests, and on failed
5187 authentications. If the server responds with 4xx, then the request is
5188 also counted as an error since it's an error triggered by the client
5189 (eg: vulnerability scan).
5190
5191 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5192 integer parameter <period> which indicates in milliseconds the length
5193 of the period over which the average is measured. It reports the average
5194 HTTP request error rate over that period, in requests per period (see
5195 http_err_cnt above for what is accounted as an error). The result is an
5196 integer which can be matched using ACLs.
5197
5198 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
5199 integer which counts the cumulated amount of bytes received from clients
5200 which matched this entry. Headers are included in the count. This may be
5201 used to limit abuse of upload features on photo or video servers.
5202
5203 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5204 integer parameter <period> which indicates in milliseconds the length
5205 of the period over which the average is measured. It reports the average
5206 incoming bytes rate over that period, in bytes per period. It may be used
5207 to detect users which upload too much and too fast. Warning: with large
5208 uploads, it is possible that the amount of uploaded data will be counted
5209 once upon termination, thus causing spikes in the average transfer speed
5210 instead of having a smooth one. This may partially be smoothed with
5211 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
5212 recommended for better fairness.
5213
5214 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
5215 integer which counts the cumulated amount of bytes sent to clients which
5216 matched this entry. Headers are included in the count. This may be used
5217 to limit abuse of bots sucking the whole site.
5218
5219 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
5220 an integer parameter <period> which indicates in milliseconds the length
5221 of the period over which the average is measured. It reports the average
5222 outgoing bytes rate over that period, in bytes per period. It may be used
5223 to detect users which download too much and too fast. Warning: with large
5224 transfers, it is possible that the amount of transferred data will be
5225 counted once upon termination, thus causing spikes in the average
5226 transfer speed instead of having a smooth one. This may partially be
5227 smoothed with "option contstats" though this is not perfect yet. Use of
5228 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005229
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005230 There is only one stick-table per proxy. At the moment of writing this doc,
5231 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005232 to be required, simply create a dummy backend with a stick-table in it and
5233 reference it.
5234
5235 It is important to understand that stickiness based on learning information
5236 has some limitations, including the fact that all learned associations are
5237 lost upon restart. In general it can be good as a complement but not always
5238 as an exclusive stickiness.
5239
Willy Tarreauc9705a12010-07-27 20:05:50 +02005240 Last, memory requirements may be important when storing many data types.
5241 Indeed, storing all indicators above at once in each entry requires 116 bytes
5242 per entry, or 116 MB for a 1-million entries table. This is definitely not
5243 something that can be ignored.
5244
5245 Example:
5246 # Keep track of counters of up to 1 million IP addresses over 5 minutes
5247 # and store a general purpose counter and the average connection rate
5248 # computed over a sliding window of 30 seconds.
5249 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
5250
5251 See also : "stick match", "stick on", "stick store-request", section 2.2
5252 about time format and section 7 avoud ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005253
5254
Willy Tarreaue9656522010-08-17 15:40:09 +02005255tcp-request connection <action> [{if | unless} <condition>]
5256 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02005257 May be used in sections : defaults | frontend | listen | backend
5258 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02005259 Arguments :
5260 <action> defines the action to perform if the condition applies. Valid
5261 actions include : "accept", "reject", "track-sc1", "track-sc2".
5262 See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02005263
Willy Tarreaue9656522010-08-17 15:40:09 +02005264 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005265
5266 Immediately after acceptance of a new incoming connection, it is possible to
5267 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02005268 or dropped or have its counters tracked. Those conditions cannot make use of
5269 any data contents because the connection has not been read from yet, and the
5270 buffers are not yet allocated. This is used to selectively and very quickly
5271 accept or drop connections from various sources with a very low overhead. If
5272 some contents need to be inspected in order to take the decision, the
5273 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005274
Willy Tarreaue9656522010-08-17 15:40:09 +02005275 The "tcp-request connection" rules are evaluated in their exact declaration
5276 order. If no rule matches or if there is no rule, the default action is to
5277 accept the incoming connection. There is no specific limit to the number of
5278 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005279
Willy Tarreaue9656522010-08-17 15:40:09 +02005280 Three types of actions are supported :
5281 - accept :
5282 accepts the connection if the condition is true (when used with "if")
5283 or false (when used with "unless"). The first such rule executed ends
5284 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005285
Willy Tarreaue9656522010-08-17 15:40:09 +02005286 - reject :
5287 rejects the connection if the condition is true (when used with "if")
5288 or false (when used with "unless"). The first such rule executed ends
5289 the rules evaluation. Rejected connections do not even become a
5290 session, which is why they are accounted separately for in the stats,
5291 as "denied connections". They are not considered for the session
5292 rate-limit and are not logged either. The reason is that these rules
5293 should only be used to filter extremely high connection rates such as
5294 the ones encountered during a massive DDoS attack. Under these extreme
5295 conditions, the simple action of logging each event would make the
5296 system collapse and would considerably lower the filtering capacity. If
5297 logging is absolutely desired, then "tcp-request content" rules should
5298 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005299
Willy Tarreaue9656522010-08-17 15:40:09 +02005300 - { track-sc1 | track-sc2 } <key> [table <table>] :
5301 enables tracking of sticky counters from current connection. These
5302 rules do not stop evaluation and do not change default action. Two sets
5303 of counters may be simultaneously tracked by the same connection. The
5304 first "track-sc1" rule executed enables tracking of the counters of the
5305 specified table as the first set. The first "track-sc2" rule executed
5306 enables tracking of the counters of the specified table as the second
5307 set. It is a recommended practice to use the first set of counters for
5308 the per-frontend counters and the second set for the per-backend ones.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005309
Willy Tarreaue9656522010-08-17 15:40:09 +02005310 These actions take one or two arguments :
5311 <key> is mandatory, and defines the criterion the tracking key will
5312 be derived from. At the moment, only "src" is supported. With
5313 it, the key will be the connection's source IPv4 address.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005314
Willy Tarreaue9656522010-08-17 15:40:09 +02005315 <table> is an optional table to be used instead of the default one,
5316 which is the stick-table declared in the current proxy. All
5317 the counters for the matches and updates for the key will
5318 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005319
Willy Tarreaue9656522010-08-17 15:40:09 +02005320 Once a "track-sc*" rule is executed, the key is looked up in the table
5321 and if it is not found, an entry is allocated for it. Then a pointer to
5322 that entry is kept during all the session's life, and this entry's
5323 counters are updated as often as possible, every time the session's
5324 counters are updated, and also systematically when the session ends.
5325 If the entry tracks concurrent connection counters, one connection is
5326 counted for as long as the entry is tracked, and the entry will not
5327 expire during that time. Tracking counters also provides a performance
5328 advantage over just checking the keys, because only one table lookup is
5329 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005330
Willy Tarreaue9656522010-08-17 15:40:09 +02005331 Note that the "if/unless" condition is optional. If no condition is set on
5332 the action, it is simply performed unconditionally. That can be useful for
5333 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005334
Willy Tarreaue9656522010-08-17 15:40:09 +02005335 Example: accept all connections from white-listed hosts, reject too fast
5336 connection without counting them, and track accepted connections.
5337 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005338
Willy Tarreaue9656522010-08-17 15:40:09 +02005339 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005340 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaue9656522010-08-17 15:40:09 +02005341 tcp-request connection track-sc1 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005342
Willy Tarreaue9656522010-08-17 15:40:09 +02005343 Example: accept all connections from white-listed hosts, count all other
5344 connections and reject too fast ones. This results in abusive ones
5345 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005346
Willy Tarreaue9656522010-08-17 15:40:09 +02005347 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
5348 tcp-request connection track-sc1 src
5349 tcp-request connection reject if { sc1_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005350
5351 See section 7 about ACL usage.
5352
Willy Tarreaue9656522010-08-17 15:40:09 +02005353 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005354
5355
Willy Tarreaue9656522010-08-17 15:40:09 +02005356tcp-request content <action> [{if | unless} <condition>]
5357 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02005358 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005359 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02005360 Arguments :
5361 <action> defines the action to perform if the condition applies. Valid
5362 actions include : "accept", "reject", "track-sc1", "track-sc2".
5363 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02005364
Willy Tarreaue9656522010-08-17 15:40:09 +02005365 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02005366
Willy Tarreaue9656522010-08-17 15:40:09 +02005367 A request's contents can be analysed at an early stage of request processing
5368 called "TCP content inspection". During this stage, ACL-based rules are
5369 evaluated every time the request contents are updated, until either an
5370 "accept" or a "reject" rule matches, or the TCP request inspection delay
5371 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02005372
Willy Tarreaue9656522010-08-17 15:40:09 +02005373 The first difference between these rules and "tcp-request connection" rules
5374 is that "tcp-request content" rules can make use of contents to take a
5375 decision. Most often, these decisions will consider a protocol recognition or
5376 validity. The second difference is that content-based rules can be used in
5377 both frontends and backends. In frontends, they will be evaluated upon new
5378 connections. In backends, they will be evaluated once a session is assigned
5379 a backend. This means that a single frontend connection may be evaluated
5380 several times by one or multiple backends when a session gets reassigned
5381 (for instance after a client-side HTTP keep-alive request).
Willy Tarreau62644772008-07-16 18:36:06 +02005382
Willy Tarreaue9656522010-08-17 15:40:09 +02005383 Content-based rules are evaluated in their exact declaration order. If no
5384 rule matches or if there is no rule, the default action is to accept the
5385 contents. There is no specific limit to the number of rules which may be
5386 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02005387
Willy Tarreaue9656522010-08-17 15:40:09 +02005388 Three types of actions are supported :
5389 - accept :
5390 - reject :
5391 - { track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02005392
Willy Tarreaue9656522010-08-17 15:40:09 +02005393 They have the same meaning as their counter-parts in "tcp-request connection"
5394 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02005395
Willy Tarreaue9656522010-08-17 15:40:09 +02005396 Also, it is worth noting that if sticky counters are tracked from a rule
5397 defined in a backend, this tracking will automatically end when the session
5398 releases the backend. That allows per-backend counter tracking even in case
5399 of HTTP keep-alive requests when the backend changes. While there is nothing
5400 mandatory about it, it is recommended to use the track-sc1 pointer to track
5401 per-frontend counters and track-sc2 to track per-backend counters.
Willy Tarreau62644772008-07-16 18:36:06 +02005402
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005403 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02005404 the action, it is simply performed unconditionally. That can be useful for
5405 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02005406
Willy Tarreaue9656522010-08-17 15:40:09 +02005407 It is perfectly possible to match layer 7 contents with "tcp-request content"
5408 rules, but then it is important to ensure that a full request has been
5409 buffered, otherwise no contents will match. In order to achieve this, the
5410 best solution involves detecting the HTTP protocol during the inspection
5411 period.
Willy Tarreau62644772008-07-16 18:36:06 +02005412
5413 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02005414 # Accept HTTP requests containing a Host header saying "example.com"
5415 # and reject everything else.
5416 acl is_host_com hdr(Host) -i example.com
5417 tcp-request inspect-delay 30s
5418 tcp-request content accept if HTTP is_host_com
5419 tcp-request content reject
5420
5421 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02005422 # reject SMTP connection if client speaks first
5423 tcp-request inspect-delay 30s
5424 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005425 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02005426
5427 # Forward HTTPS connection only if client speaks
5428 tcp-request inspect-delay 30s
5429 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005430 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02005431 tcp-request content reject
5432
5433 Example: track per-frontend and per-backend counters, block abusers at the
5434 frontend when the backend detects abuse.
5435
5436 frontend http
5437 # Use General Purpose Couter 0 in SC1 as a global abuse counter
5438 # protecting all our sites
5439 stick-table type ip size 1m expire 5m store gpc0
5440 tcp-request connection track-sc1 src
5441 tcp-request connection reject if { sc1_get_gpc0 gt 0 }
5442 ...
5443 use_backend http_dynamic if { path_end .php }
5444
5445 backend http_dynamic
5446 # if a source makes too fast requests to this dynamic site (tracked
5447 # by SC2), block it globally in the frontend.
5448 stick-table type ip size 1m expire 5m store http_req_rate(10s)
5449 acl click_too_fast sc2_http_req_rate gt 10
5450 acl mark_as_abuser sc1_inc_gpc0
5451 tcp-request content track-sc2 src
5452 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02005453
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005454 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02005455
Willy Tarreaue9656522010-08-17 15:40:09 +02005456 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02005457
5458
5459tcp-request inspect-delay <timeout>
5460 Set the maximum allowed time to wait for data during content inspection
5461 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005462 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02005463 Arguments :
5464 <timeout> is the timeout value specified in milliseconds by default, but
5465 can be in any other unit if the number is suffixed by the unit,
5466 as explained at the top of this document.
5467
5468 People using haproxy primarily as a TCP relay are often worried about the
5469 risk of passing any type of protocol to a server without any analysis. In
5470 order to be able to analyze the request contents, we must first withhold
5471 the data then analyze them. This statement simply enables withholding of
5472 data for at most the specified amount of time.
5473
Willy Tarreaufb356202010-08-03 14:02:05 +02005474 TCP content inspection applies very early when a connection reaches a
5475 frontend, then very early when the connection is forwarded to a backend. This
5476 means that a connection may experience a first delay in the frontend and a
5477 second delay in the backend if both have tcp-request rules.
5478
Willy Tarreau62644772008-07-16 18:36:06 +02005479 Note that when performing content inspection, haproxy will evaluate the whole
5480 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005481 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02005482 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01005483 contents are definitive. If no delay is set, haproxy will not wait at all
5484 and will immediately apply a verdict based on the available information.
5485 Obviously this is unlikely to be very useful and might even be racy, so such
5486 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02005487
5488 As soon as a rule matches, the request is released and continues as usual. If
5489 the timeout is reached and no rule matches, the default policy will be to let
5490 it pass through unaffected.
5491
5492 For most protocols, it is enough to set it to a few seconds, as most clients
5493 send the full request immediately upon connection. Add 3 or more seconds to
5494 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01005495 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02005496 before the server (eg: SMTP), or to wait for a client to talk before passing
5497 data to the server (eg: SSL). Note that the client timeout must cover at
5498 least the inspection delay, otherwise it will expire first.
5499
Willy Tarreau55165fe2009-05-10 12:02:55 +02005500 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02005501 "timeout client".
5502
5503
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005504timeout check <timeout>
5505 Set additional check timeout, but only after a connection has been already
5506 established.
5507
5508 May be used in sections: defaults | frontend | listen | backend
5509 yes | no | yes | yes
5510 Arguments:
5511 <timeout> is the timeout value specified in milliseconds by default, but
5512 can be in any other unit if the number is suffixed by the unit,
5513 as explained at the top of this document.
5514
5515 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
5516 for check and "timeout check" as an additional read timeout. The "min" is
5517 used so that people running with *very* long "timeout connect" (eg. those
5518 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01005519 (Please also note that there is no valid reason to have such long connect
5520 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
5521 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005522
5523 If "timeout check" is not set haproxy uses "inter" for complete check
5524 timeout (connect + read) exactly like all <1.3.15 version.
5525
5526 In most cases check request is much simpler and faster to handle than normal
5527 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01005528 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005529
5530 This parameter is specific to backends, but can be specified once for all in
5531 "defaults" sections. This is in fact one of the easiest solutions not to
5532 forget about it.
5533
Willy Tarreau41a340d2008-01-22 12:25:31 +01005534 See also: "timeout connect", "timeout queue", "timeout server",
5535 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005536
5537
Willy Tarreau0ba27502007-12-24 16:55:16 +01005538timeout client <timeout>
5539timeout clitimeout <timeout> (deprecated)
5540 Set the maximum inactivity time on the client side.
5541 May be used in sections : defaults | frontend | listen | backend
5542 yes | yes | yes | no
5543 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005544 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005545 can be in any other unit if the number is suffixed by the unit,
5546 as explained at the top of this document.
5547
5548 The inactivity timeout applies when the client is expected to acknowledge or
5549 send data. In HTTP mode, this timeout is particularly important to consider
5550 during the first phase, when the client sends the request, and during the
5551 response while it is reading data sent by the server. The value is specified
5552 in milliseconds by default, but can be in any other unit if the number is
5553 suffixed by the unit, as specified at the top of this document. In TCP mode
5554 (and to a lesser extent, in HTTP mode), it is highly recommended that the
5555 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005556 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01005557 losses by specifying timeouts that are slightly above multiples of 3 seconds
5558 (eg: 4 or 5 seconds).
5559
5560 This parameter is specific to frontends, but can be specified once for all in
5561 "defaults" sections. This is in fact one of the easiest solutions not to
5562 forget about it. An unspecified timeout results in an infinite timeout, which
5563 is not recommended. Such a usage is accepted and works but reports a warning
5564 during startup because it may results in accumulation of expired sessions in
5565 the system if the system's timeouts are not configured either.
5566
5567 This parameter replaces the old, deprecated "clitimeout". It is recommended
5568 to use it to write new configurations. The form "timeout clitimeout" is
5569 provided only by backwards compatibility but its use is strongly discouraged.
5570
5571 See also : "clitimeout", "timeout server".
5572
5573
5574timeout connect <timeout>
5575timeout contimeout <timeout> (deprecated)
5576 Set the maximum time to wait for a connection attempt to a server to succeed.
5577 May be used in sections : defaults | frontend | listen | backend
5578 yes | no | yes | yes
5579 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005580 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005581 can be in any other unit if the number is suffixed by the unit,
5582 as explained at the top of this document.
5583
5584 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005585 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01005586 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01005587 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005588 connect timeout also presets both queue and tarpit timeouts to the same value
5589 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005590
5591 This parameter is specific to backends, but can be specified once for all in
5592 "defaults" sections. This is in fact one of the easiest solutions not to
5593 forget about it. An unspecified timeout results in an infinite timeout, which
5594 is not recommended. Such a usage is accepted and works but reports a warning
5595 during startup because it may results in accumulation of failed sessions in
5596 the system if the system's timeouts are not configured either.
5597
5598 This parameter replaces the old, deprecated "contimeout". It is recommended
5599 to use it to write new configurations. The form "timeout contimeout" is
5600 provided only by backwards compatibility but its use is strongly discouraged.
5601
Willy Tarreau41a340d2008-01-22 12:25:31 +01005602 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
5603 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01005604
5605
Willy Tarreaub16a5742010-01-10 14:46:16 +01005606timeout http-keep-alive <timeout>
5607 Set the maximum allowed time to wait for a new HTTP request to appear
5608 May be used in sections : defaults | frontend | listen | backend
5609 yes | yes | yes | yes
5610 Arguments :
5611 <timeout> is the timeout value specified in milliseconds by default, but
5612 can be in any other unit if the number is suffixed by the unit,
5613 as explained at the top of this document.
5614
5615 By default, the time to wait for a new request in case of keep-alive is set
5616 by "timeout http-request". However this is not always convenient because some
5617 people want very short keep-alive timeouts in order to release connections
5618 faster, and others prefer to have larger ones but still have short timeouts
5619 once the request has started to present itself.
5620
5621 The "http-keep-alive" timeout covers these needs. It will define how long to
5622 wait for a new HTTP request to start coming after a response was sent. Once
5623 the first byte of request has been seen, the "http-request" timeout is used
5624 to wait for the complete request to come. Note that empty lines prior to a
5625 new request do not refresh the timeout and are not counted as a new request.
5626
5627 There is also another difference between the two timeouts : when a connection
5628 expires during timeout http-keep-alive, no error is returned, the connection
5629 just closes. If the connection expires in "http-request" while waiting for a
5630 connection to complete, a HTTP 408 error is returned.
5631
5632 In general it is optimal to set this value to a few tens to hundreds of
5633 milliseconds, to allow users to fetch all objects of a page at once but
5634 without waiting for further clicks. Also, if set to a very small value (eg:
5635 1 millisecond) it will probably only accept pipelined requests but not the
5636 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02005637 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01005638
5639 If this parameter is not set, the "http-request" timeout applies, and if both
5640 are not set, "timeout client" still applies at the lower level. It should be
5641 set in the frontend to take effect, unless the frontend is in TCP mode, in
5642 which case the HTTP backend's timeout will be used.
5643
5644 See also : "timeout http-request", "timeout client".
5645
5646
Willy Tarreau036fae02008-01-06 13:24:40 +01005647timeout http-request <timeout>
5648 Set the maximum allowed time to wait for a complete HTTP request
5649 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005650 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01005651 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005652 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01005653 can be in any other unit if the number is suffixed by the unit,
5654 as explained at the top of this document.
5655
5656 In order to offer DoS protection, it may be required to lower the maximum
5657 accepted time to receive a complete HTTP request without affecting the client
5658 timeout. This helps protecting against established connections on which
5659 nothing is sent. The client timeout cannot offer a good protection against
5660 this abuse because it is an inactivity timeout, which means that if the
5661 attacker sends one character every now and then, the timeout will not
5662 trigger. With the HTTP request timeout, no matter what speed the client
5663 types, the request will be aborted if it does not complete in time.
5664
5665 Note that this timeout only applies to the header part of the request, and
5666 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01005667 used anymore. It is used again on keep-alive connections to wait for a second
5668 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01005669
5670 Generally it is enough to set it to a few seconds, as most clients send the
5671 full request immediately upon connection. Add 3 or more seconds to cover TCP
5672 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
5673 generally work on local networks as long as there are no packet losses. This
5674 will prevent people from sending bare HTTP requests using telnet.
5675
5676 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005677 chunk of the incoming request. It should be set in the frontend to take
5678 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
5679 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01005680
Willy Tarreaub16a5742010-01-10 14:46:16 +01005681 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01005682
Willy Tarreau844e3c52008-01-11 16:28:18 +01005683
5684timeout queue <timeout>
5685 Set the maximum time to wait in the queue for a connection slot to be free
5686 May be used in sections : defaults | frontend | listen | backend
5687 yes | no | yes | yes
5688 Arguments :
5689 <timeout> is the timeout value specified in milliseconds by default, but
5690 can be in any other unit if the number is suffixed by the unit,
5691 as explained at the top of this document.
5692
5693 When a server's maxconn is reached, connections are left pending in a queue
5694 which may be server-specific or global to the backend. In order not to wait
5695 indefinitely, a timeout is applied to requests pending in the queue. If the
5696 timeout is reached, it is considered that the request will almost never be
5697 served, so it is dropped and a 503 error is returned to the client.
5698
5699 The "timeout queue" statement allows to fix the maximum time for a request to
5700 be left pending in a queue. If unspecified, the same value as the backend's
5701 connection timeout ("timeout connect") is used, for backwards compatibility
5702 with older versions with no "timeout queue" parameter.
5703
5704 See also : "timeout connect", "contimeout".
5705
5706
5707timeout server <timeout>
5708timeout srvtimeout <timeout> (deprecated)
5709 Set the maximum inactivity time on the server side.
5710 May be used in sections : defaults | frontend | listen | backend
5711 yes | no | yes | yes
5712 Arguments :
5713 <timeout> is the timeout value specified in milliseconds by default, but
5714 can be in any other unit if the number is suffixed by the unit,
5715 as explained at the top of this document.
5716
5717 The inactivity timeout applies when the server is expected to acknowledge or
5718 send data. In HTTP mode, this timeout is particularly important to consider
5719 during the first phase of the server's response, when it has to send the
5720 headers, as it directly represents the server's processing time for the
5721 request. To find out what value to put there, it's often good to start with
5722 what would be considered as unacceptable response times, then check the logs
5723 to observe the response time distribution, and adjust the value accordingly.
5724
5725 The value is specified in milliseconds by default, but can be in any other
5726 unit if the number is suffixed by the unit, as specified at the top of this
5727 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5728 recommended that the client timeout remains equal to the server timeout in
5729 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005730 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005731 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005732 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005733
5734 This parameter is specific to backends, but can be specified once for all in
5735 "defaults" sections. This is in fact one of the easiest solutions not to
5736 forget about it. An unspecified timeout results in an infinite timeout, which
5737 is not recommended. Such a usage is accepted and works but reports a warning
5738 during startup because it may results in accumulation of expired sessions in
5739 the system if the system's timeouts are not configured either.
5740
5741 This parameter replaces the old, deprecated "srvtimeout". It is recommended
5742 to use it to write new configurations. The form "timeout srvtimeout" is
5743 provided only by backwards compatibility but its use is strongly discouraged.
5744
5745 See also : "srvtimeout", "timeout client".
5746
5747
5748timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01005749 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01005750 May be used in sections : defaults | frontend | listen | backend
5751 yes | yes | yes | yes
5752 Arguments :
5753 <timeout> is the tarpit duration specified in milliseconds by default, but
5754 can be in any other unit if the number is suffixed by the unit,
5755 as explained at the top of this document.
5756
5757 When a connection is tarpitted using "reqtarpit", it is maintained open with
5758 no activity for a certain amount of time, then closed. "timeout tarpit"
5759 defines how long it will be maintained open.
5760
5761 The value is specified in milliseconds by default, but can be in any other
5762 unit if the number is suffixed by the unit, as specified at the top of this
5763 document. If unspecified, the same value as the backend's connection timeout
5764 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01005765 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005766
5767 See also : "timeout connect", "contimeout".
5768
5769
5770transparent (deprecated)
5771 Enable client-side transparent proxying
5772 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005773 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005774 Arguments : none
5775
5776 This keyword was introduced in order to provide layer 7 persistence to layer
5777 3 load balancers. The idea is to use the OS's ability to redirect an incoming
5778 connection for a remote address to a local process (here HAProxy), and let
5779 this process know what address was initially requested. When this option is
5780 used, sessions without cookies will be forwarded to the original destination
5781 IP address of the incoming request (which should match that of another
5782 equipment), while requests with cookies will still be forwarded to the
5783 appropriate server.
5784
5785 The "transparent" keyword is deprecated, use "option transparent" instead.
5786
5787 Note that contrary to a common belief, this option does NOT make HAProxy
5788 present the client's IP to the server when establishing the connection.
5789
Willy Tarreau844e3c52008-01-11 16:28:18 +01005790 See also: "option transparent"
5791
5792
5793use_backend <backend> if <condition>
5794use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005795 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005796 May be used in sections : defaults | frontend | listen | backend
5797 no | yes | yes | no
5798 Arguments :
5799 <backend> is the name of a valid backend or "listen" section.
5800
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005801 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005802
5803 When doing content-switching, connections arrive on a frontend and are then
5804 dispatched to various backends depending on a number of conditions. The
5805 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005806 "use_backend" keyword. While it is normally used with HTTP processing, it can
5807 also be used in pure TCP, either without content using stateless ACLs (eg:
5808 source address validation) or combined with a "tcp-request" rule to wait for
5809 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005810
5811 There may be as many "use_backend" rules as desired. All of these rules are
5812 evaluated in their declaration order, and the first one which matches will
5813 assign the backend.
5814
5815 In the first form, the backend will be used if the condition is met. In the
5816 second form, the backend will be used if the condition is not met. If no
5817 condition is valid, the backend defined with "default_backend" will be used.
5818 If no default backend is defined, either the servers in the same section are
5819 used (in case of a "listen" section) or, in case of a frontend, no server is
5820 used and a 503 service unavailable response is returned.
5821
Willy Tarreau51aecc72009-07-12 09:47:04 +02005822 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005823 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02005824 and backend processing will immediately follow, or the backend will wait for
5825 a complete HTTP request to get in. This feature is useful when a frontend
5826 must decode several protocols on a unique port, one of them being HTTP.
5827
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005828 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005829
Willy Tarreau036fae02008-01-06 13:24:40 +01005830
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010058315. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01005832------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005833
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005834The "server" and "default-server" keywords support a certain number of settings
5835which are all passed as arguments on the server line. The order in which those
5836arguments appear does not count, and they are all optional. Some of those
5837settings are single words (booleans) while others expect one or several values
5838after them. In this case, the values must immediately follow the setting name.
5839Except default-server, all those settings must be specified after the server's
5840address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02005841
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005842 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005843 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02005844
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005845The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005846
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005847addr <ipv4>
5848 Using the "addr" parameter, it becomes possible to use a different IP address
5849 to send health-checks. On some servers, it may be desirable to dedicate an IP
5850 address to specific component able to perform complex tests which are more
5851 suitable to health-checks than the application. This parameter is ignored if
5852 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005853
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005854 Supported in default-server: No
5855
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005856backup
5857 When "backup" is present on a server line, the server is only used in load
5858 balancing when all other non-backup servers are unavailable. Requests coming
5859 with a persistence cookie referencing the server will always be served
5860 though. By default, only the first operational backup server is used, unless
5861 the "allbackups" option is set in the backend. See also the "allbackups"
5862 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005863
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005864 Supported in default-server: No
5865
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005866check
5867 This option enables health checks on the server. By default, a server is
5868 always considered available. If "check" is set, the server will receive
5869 periodic health checks to ensure that it is really able to serve requests.
5870 The default address and port to send the tests to are those of the server,
5871 and the default source is the same as the one defined in the backend. It is
5872 possible to change the address using the "addr" parameter, the port using the
5873 "port" parameter, the source address using the "source" address, and the
5874 interval and timers using the "inter", "rise" and "fall" parameters. The
5875 request method is define in the backend using the "httpchk", "smtpchk",
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005876 "mysql-check" and "ssl-hello-chk" options. Please refer to those options and
5877 parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005878
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005879 Supported in default-server: No
5880
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005881cookie <value>
5882 The "cookie" parameter sets the cookie value assigned to the server to
5883 <value>. This value will be checked in incoming requests, and the first
5884 operational server possessing the same value will be selected. In return, in
5885 cookie insertion or rewrite modes, this value will be assigned to the cookie
5886 sent to the client. There is nothing wrong in having several servers sharing
5887 the same cookie value, and it is in fact somewhat common between normal and
5888 backup servers. See also the "cookie" keyword in backend section.
5889
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005890 Supported in default-server: No
5891
Willy Tarreau96839092010-03-29 10:02:24 +02005892disabled
5893 The "disabled" keyword starts the server in the "disabled" state. That means
5894 that it is marked down in maintenance mode, and no connection other than the
5895 ones allowed by persist mode will reach it. It is very well suited to setup
5896 new servers, because normal traffic will never reach them, while it is still
5897 possible to test the service by making use of the force-persist mechanism.
5898
5899 Supported in default-server: No
5900
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005901error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01005902 If health observing is enabled, the "error-limit" parameter specifies the
5903 number of consecutive errors that triggers event selected by the "on-error"
5904 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005905
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005906 Supported in default-server: Yes
5907
5908 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005909
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005910fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005911 The "fall" parameter states that a server will be considered as dead after
5912 <count> consecutive unsuccessful health checks. This value defaults to 3 if
5913 unspecified. See also the "check", "inter" and "rise" parameters.
5914
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005915 Supported in default-server: Yes
5916
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005917id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02005918 Set a persistent ID for the server. This ID must be positive and unique for
5919 the proxy. An unused ID will automatically be assigned if unset. The first
5920 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005921
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005922 Supported in default-server: No
5923
5924inter <delay>
5925fastinter <delay>
5926downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005927 The "inter" parameter sets the interval between two consecutive health checks
5928 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
5929 It is also possible to use "fastinter" and "downinter" to optimize delays
5930 between checks depending on the server state :
5931
5932 Server state | Interval used
5933 ---------------------------------+-----------------------------------------
5934 UP 100% (non-transitional) | "inter"
5935 ---------------------------------+-----------------------------------------
5936 Transitionally UP (going down), |
5937 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
5938 or yet unchecked. |
5939 ---------------------------------+-----------------------------------------
5940 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
5941 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01005942
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005943 Just as with every other time-based parameter, they can be entered in any
5944 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
5945 serves as a timeout for health checks sent to servers if "timeout check" is
5946 not set. In order to reduce "resonance" effects when multiple servers are
5947 hosted on the same hardware, the health-checks of all servers are started
5948 with a small time offset between them. It is also possible to add some random
5949 noise in the health checks interval using the global "spread-checks"
5950 keyword. This makes sense for instance when a lot of backends use the same
5951 servers.
5952
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005953 Supported in default-server: Yes
5954
5955maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005956 The "maxconn" parameter specifies the maximal number of concurrent
5957 connections that will be sent to this server. If the number of incoming
5958 concurrent requests goes higher than this value, they will be queued, waiting
5959 for a connection to be released. This parameter is very important as it can
5960 save fragile servers from going down under extreme loads. If a "minconn"
5961 parameter is specified, the limit becomes dynamic. The default value is "0"
5962 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
5963 the backend's "fullconn" keyword.
5964
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005965 Supported in default-server: Yes
5966
5967maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005968 The "maxqueue" parameter specifies the maximal number of connections which
5969 will wait in the queue for this server. If this limit is reached, next
5970 requests will be redispatched to other servers instead of indefinitely
5971 waiting to be served. This will break persistence but may allow people to
5972 quickly re-log in when the server they try to connect to is dying. The
5973 default value is "0" which means the queue is unlimited. See also the
5974 "maxconn" and "minconn" parameters.
5975
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005976 Supported in default-server: Yes
5977
5978minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005979 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
5980 limit following the backend's load. The server will always accept at least
5981 <minconn> connections, never more than <maxconn>, and the limit will be on
5982 the ramp between both values when the backend has less than <fullconn>
5983 concurrent connections. This makes it possible to limit the load on the
5984 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005985 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005986 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005987
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005988 Supported in default-server: Yes
5989
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005990observe <mode>
5991 This option enables health adjusting based on observing communication with
5992 the server. By default this functionality is disabled and enabling it also
5993 requires to enable health checks. There are two supported modes: "layer4" and
5994 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
5995 significant. In layer7, which is only allowed for http proxies, responses
5996 received from server are verified, like valid/wrong http code, unparsable
5997 headers, a timeout, etc.
5998
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005999 Supported in default-server: No
6000
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006001 See also the "check", "on-error" and "error-limit".
6002
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006003on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006004 Select what should happen when enough consecutive errors are detected.
6005 Currently, four modes are available:
6006 - fastinter: force fastinter
6007 - fail-check: simulate a failed check, also forces fastinter (default)
6008 - sudden-death: simulate a pre-fatal failed health check, one more failed
6009 check will mark a server down, forces fastinter
6010 - mark-down: mark the server immediately down and force fastinter
6011
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006012 Supported in default-server: Yes
6013
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006014 See also the "check", "observe" and "error-limit".
6015
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006016port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006017 Using the "port" parameter, it becomes possible to use a different port to
6018 send health-checks. On some servers, it may be desirable to dedicate a port
6019 to a specific component able to perform complex tests which are more suitable
6020 to health-checks than the application. It is common to run a simple script in
6021 inetd for instance. This parameter is ignored if the "check" parameter is not
6022 set. See also the "addr" parameter.
6023
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006024 Supported in default-server: Yes
6025
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006026redir <prefix>
6027 The "redir" parameter enables the redirection mode for all GET and HEAD
6028 requests addressing this server. This means that instead of having HAProxy
6029 forward the request to the server, it will send an "HTTP 302" response with
6030 the "Location" header composed of this prefix immediately followed by the
6031 requested URI beginning at the leading '/' of the path component. That means
6032 that no trailing slash should be used after <prefix>. All invalid requests
6033 will be rejected, and all non-GET or HEAD requests will be normally served by
6034 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006035 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006036 requests are still analysed, making this solution completely usable to direct
6037 users to a remote location in case of local disaster. Main use consists in
6038 increasing bandwidth for static servers by having the clients directly
6039 connect to them. Note: never use a relative location here, it would cause a
6040 loop between the client and HAProxy!
6041
6042 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
6043
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006044 Supported in default-server: No
6045
6046rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006047 The "rise" parameter states that a server will be considered as operational
6048 after <count> consecutive successful health checks. This value defaults to 2
6049 if unspecified. See also the "check", "inter" and "fall" parameters.
6050
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006051 Supported in default-server: Yes
6052
6053slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006054 The "slowstart" parameter for a server accepts a value in milliseconds which
6055 indicates after how long a server which has just come back up will run at
6056 full speed. Just as with every other time-based parameter, it can be entered
6057 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
6058 linearly from 0 to 100% during this time. The limitation applies to two
6059 parameters :
6060
6061 - maxconn: the number of connections accepted by the server will grow from 1
6062 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
6063
6064 - weight: when the backend uses a dynamic weighted algorithm, the weight
6065 grows linearly from 1 to 100%. In this case, the weight is updated at every
6066 health-check. For this reason, it is important that the "inter" parameter
6067 is smaller than the "slowstart", in order to maximize the number of steps.
6068
6069 The slowstart never applies when haproxy starts, otherwise it would cause
6070 trouble to running servers. It only applies when a server has been previously
6071 seen as failed.
6072
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006073 Supported in default-server: Yes
6074
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006075source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006076source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006077source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006078 The "source" parameter sets the source address which will be used when
6079 connecting to the server. It follows the exact same parameters and principle
6080 as the backend "source" keyword, except that it only applies to the server
6081 referencing it. Please consult the "source" keyword for details.
6082
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006083 Additionally, the "source" statement on a server line allows one to specify a
6084 source port range by indicating the lower and higher bounds delimited by a
6085 dash ('-'). Some operating systems might require a valid IP address when a
6086 source port range is specified. It is permitted to have the same IP/range for
6087 several servers. Doing so makes it possible to bypass the maximum of 64k
6088 total concurrent connections. The limit will then reach 64k connections per
6089 server.
6090
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006091 Supported in default-server: No
6092
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006093track [<proxy>/]<server>
6094 This option enables ability to set the current state of the server by
6095 tracking another one. Only a server with checks enabled can be tracked
6096 so it is not possible for example to track a server that tracks another
6097 one. If <proxy> is omitted the current one is used. If disable-on-404 is
6098 used, it has to be enabled on both proxies.
6099
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006100 Supported in default-server: No
6101
6102weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006103 The "weight" parameter is used to adjust the server's weight relative to
6104 other servers. All servers will receive a load proportional to their weight
6105 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02006106 load. The default weight is 1, and the maximal value is 256. A value of 0
6107 means the server will not participate in load-balancing but will still accept
6108 persistent connections. If this parameter is used to distribute the load
6109 according to server's capacity, it is recommended to start with values which
6110 can both grow and shrink, for instance between 10 and 100 to leave enough
6111 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006112
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006113 Supported in default-server: Yes
6114
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006115
61166. HTTP header manipulation
6117---------------------------
6118
6119In HTTP mode, it is possible to rewrite, add or delete some of the request and
6120response headers based on regular expressions. It is also possible to block a
6121request or a response if a particular header matches a regular expression,
6122which is enough to stop most elementary protocol attacks, and to protect
6123against information leak from the internal network. But there is a limitation
6124to this : since HAProxy's HTTP engine does not support keep-alive, only headers
6125passed during the first request of a TCP session will be seen. All subsequent
6126headers will be considered data only and not analyzed. Furthermore, HAProxy
6127never touches data contents, it stops analysis at the end of headers.
6128
Willy Tarreau816b9792009-09-15 21:25:21 +02006129There is an exception though. If HAProxy encounters an "Informational Response"
6130(status code 1xx), it is able to process all rsp* rules which can allow, deny,
6131rewrite or delete a header, but it will refuse to add a header to any such
6132messages as this is not HTTP-compliant. The reason for still processing headers
6133in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006134happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02006135add a header, or if a server name appears there. When such messages are seen,
6136normal processing still occurs on the next non-informational messages.
6137
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006138This section covers common usage of the following keywords, described in detail
6139in section 4.2 :
6140
6141 - reqadd <string>
6142 - reqallow <search>
6143 - reqiallow <search>
6144 - reqdel <search>
6145 - reqidel <search>
6146 - reqdeny <search>
6147 - reqideny <search>
6148 - reqpass <search>
6149 - reqipass <search>
6150 - reqrep <search> <replace>
6151 - reqirep <search> <replace>
6152 - reqtarpit <search>
6153 - reqitarpit <search>
6154 - rspadd <string>
6155 - rspdel <search>
6156 - rspidel <search>
6157 - rspdeny <search>
6158 - rspideny <search>
6159 - rsprep <search> <replace>
6160 - rspirep <search> <replace>
6161
6162With all these keywords, the same conventions are used. The <search> parameter
6163is a POSIX extended regular expression (regex) which supports grouping through
6164parenthesis (without the backslash). Spaces and other delimiters must be
6165prefixed with a backslash ('\') to avoid confusion with a field delimiter.
6166Other characters may be prefixed with a backslash to change their meaning :
6167
6168 \t for a tab
6169 \r for a carriage return (CR)
6170 \n for a new line (LF)
6171 \ to mark a space and differentiate it from a delimiter
6172 \# to mark a sharp and differentiate it from a comment
6173 \\ to use a backslash in a regex
6174 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
6175 \xXX to write the ASCII hex code XX as in the C language
6176
6177The <replace> parameter contains the string to be used to replace the largest
6178portion of text matching the regex. It can make use of the special characters
6179above, and can reference a substring which is delimited by parenthesis in the
6180regex, by writing a backslash ('\') immediately followed by one digit from 0 to
61819 indicating the group position (0 designating the entire line). This practice
6182is very common to users of the "sed" program.
6183
6184The <string> parameter represents the string which will systematically be added
6185after the last header line. It can also use special character sequences above.
6186
6187Notes related to these keywords :
6188---------------------------------
6189 - these keywords are not always convenient to allow/deny based on header
6190 contents. It is strongly recommended to use ACLs with the "block" keyword
6191 instead, resulting in far more flexible and manageable rules.
6192
6193 - lines are always considered as a whole. It is not possible to reference
6194 a header name only or a value only. This is important because of the way
6195 headers are written (notably the number of spaces after the colon).
6196
6197 - the first line is always considered as a header, which makes it possible to
6198 rewrite or filter HTTP requests URIs or response codes, but in turn makes
6199 it harder to distinguish between headers and request line. The regex prefix
6200 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
6201 ^[^ \t:]*: matches any header name followed by a colon.
6202
6203 - for performances reasons, the number of characters added to a request or to
6204 a response is limited at build time to values between 1 and 4 kB. This
6205 should normally be far more than enough for most usages. If it is too short
6206 on occasional usages, it is possible to gain some space by removing some
6207 useless headers before adding new ones.
6208
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006209 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006210 without the 'i' letter except that they ignore case when matching patterns.
6211
6212 - when a request passes through a frontend then a backend, all req* rules
6213 from the frontend will be evaluated, then all req* rules from the backend
6214 will be evaluated. The reverse path is applied to responses.
6215
6216 - req* statements are applied after "block" statements, so that "block" is
6217 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01006218 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006219
6220
Willy Tarreaub937b7e2010-01-12 15:27:54 +010062217. Using ACLs and pattern extraction
6222------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006223
6224The use of Access Control Lists (ACL) provides a flexible solution to perform
6225content switching and generally to take decisions based on content extracted
6226from the request, the response or any environmental status. The principle is
6227simple :
6228
6229 - define test criteria with sets of values
6230 - perform actions only if a set of tests is valid
6231
6232The actions generally consist in blocking the request, or selecting a backend.
6233
6234In order to define a test, the "acl" keyword is used. The syntax is :
6235
6236 acl <aclname> <criterion> [flags] [operator] <value> ...
6237
6238This creates a new ACL <aclname> or completes an existing one with new tests.
6239Those tests apply to the portion of request/response specified in <criterion>
6240and may be adjusted with optional flags [flags]. Some criteria also support
6241an operator which may be specified before the set of values. The values are
6242of the type supported by the criterion, and are separated by spaces.
6243
6244ACL names must be formed from upper and lower case letters, digits, '-' (dash),
6245'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
6246which means that "my_acl" and "My_Acl" are two different ACLs.
6247
6248There is no enforced limit to the number of ACLs. The unused ones do not affect
6249performance, they just consume a small amount of memory.
6250
6251The following ACL flags are currently supported :
6252
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006253 -i : ignore case during matching of all subsequent patterns.
6254 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006255 -- : force end of flags. Useful when a string looks like one of the flags.
6256
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006257The "-f" flag is special as it loads all of the lines it finds in the file
6258specified in argument and loads all of them before continuing. It is even
6259possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02006260multiple files. Empty lines as well as lines beginning with a sharp ('#') will
6261be ignored. All leading spaces and tabs will be stripped. If it is absolutely
6262needed to insert a valid pattern beginning with a sharp, just prefix it with a
6263space so that it is not taken for a comment. Depending on the data type and
6264match method, haproxy may load the lines into a binary tree, allowing very fast
6265lookups. This is true for IPv4 and exact string matching. In this case,
6266duplicates will automatically be removed. Also, note that the "-i" flag applies
6267to subsequent entries and not to entries loaded from files preceeding it. For
6268instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006269
6270 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
6271
6272In this example, each line of "exact-ua.lst" will be exactly matched against
6273the "user-agent" header of the request. Then each line of "generic-ua" will be
6274case-insensitively matched. Then the word "test" will be insensitively matched
6275too.
6276
6277Note that right now it is difficult for the ACL parsers to report errors, so if
6278a file is unreadable or unparsable, the most you'll get is a parse error in the
6279ACL. Thus, file-based ACLs should only be produced by reliable processes.
6280
Willy Tarreau6a06a402007-07-15 20:15:28 +02006281Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01006282
Willy Tarreau6a06a402007-07-15 20:15:28 +02006283 - integers or integer ranges
6284 - strings
6285 - regular expressions
6286 - IP addresses and networks
6287
6288
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062897.1. Matching integers
6290----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006291
6292Matching integers is special in that ranges and operators are permitted. Note
6293that integer matching only applies to positive values. A range is a value
6294expressed with a lower and an upper bound separated with a colon, both of which
6295may be omitted.
6296
6297For instance, "1024:65535" is a valid range to represent a range of
6298unprivileged ports, and "1024:" would also work. "0:1023" is a valid
6299representation of privileged ports, and ":1023" would also work.
6300
Willy Tarreau62644772008-07-16 18:36:06 +02006301As a special case, some ACL functions support decimal numbers which are in fact
6302two integers separated by a dot. This is used with some version checks for
6303instance. All integer properties apply to those decimal numbers, including
6304ranges and operators.
6305
Willy Tarreau6a06a402007-07-15 20:15:28 +02006306For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01006307operators with ranges does not make much sense and is strongly discouraged.
6308Similarly, it does not make much sense to perform order comparisons with a set
6309of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006310
Willy Tarreau0ba27502007-12-24 16:55:16 +01006311Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006312
6313 eq : true if the tested value equals at least one value
6314 ge : true if the tested value is greater than or equal to at least one value
6315 gt : true if the tested value is greater than at least one value
6316 le : true if the tested value is less than or equal to at least one value
6317 lt : true if the tested value is less than at least one value
6318
Willy Tarreau0ba27502007-12-24 16:55:16 +01006319For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006320
6321 acl negative-length hdr_val(content-length) lt 0
6322
Willy Tarreau62644772008-07-16 18:36:06 +02006323This one matches SSL versions between 3.0 and 3.1 (inclusive) :
6324
6325 acl sslv3 req_ssl_ver 3:3.1
6326
Willy Tarreau6a06a402007-07-15 20:15:28 +02006327
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063287.2. Matching strings
6329---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006330
6331String matching applies to verbatim strings as they are passed, with the
6332exception of the backslash ("\") which makes it possible to escape some
6333characters such as the space. If the "-i" flag is passed before the first
6334string, then the matching will be performed ignoring the case. In order
6335to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01006336before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006337
6338
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063397.3. Matching regular expressions (regexes)
6340-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006341
6342Just like with string matching, regex matching applies to verbatim strings as
6343they are passed, with the exception of the backslash ("\") which makes it
6344possible to escape some characters such as the space. If the "-i" flag is
6345passed before the first regex, then the matching will be performed ignoring
6346the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01006347the "--" flag before the first string. Same principle applies of course to
6348match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006349
6350
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063517.4. Matching IPv4 addresses
6352----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006353
6354IPv4 addresses values can be specified either as plain addresses or with a
6355netmask appended, in which case the IPv4 address matches whenever it is
6356within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006357host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01006358difficult to read and debug configurations. If hostnames are used, you should
6359at least ensure that they are present in /etc/hosts so that the configuration
6360does not depend on any random DNS match at the moment the configuration is
6361parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006362
6363
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063647.5. Available matching criteria
6365--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006366
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063677.5.1. Matching at Layer 4 and below
6368------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006369
6370A first set of criteria applies to information which does not require any
6371analysis of the request or response contents. Those generally include TCP/IP
6372addresses and ports, as well as internal values independant on the stream.
6373
Willy Tarreau6a06a402007-07-15 20:15:28 +02006374always_false
6375 This one never matches. All values and flags are ignored. It may be used as
6376 a temporary replacement for another one when adjusting configurations.
6377
6378always_true
6379 This one always matches. All values and flags are ignored. It may be used as
6380 a temporary replacement for another one when adjusting configurations.
6381
Willy Tarreaud63335a2010-02-26 12:56:52 +01006382avg_queue <integer>
Willy Tarreau6cbd6472010-09-08 19:06:18 +02006383avg_queue(backend) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01006384 Returns the total number of queued connections of the designated backend
6385 divided by the number of active servers. This is very similar to "queue"
6386 except that the size of the farm is considered, in order to give a more
6387 accurate measurement of the time it may take for a new connection to be
6388 processed. The main usage is to return a sorry page to new users when it
6389 becomes certain they will get a degraded service. Note that in the event
6390 there would not be any active server anymore, we would consider twice the
6391 number of queued connections as the measured value. This is a fair estimate,
6392 as we expect one server to get back soon anyway, but we still prefer to send
6393 new traffic to another backend if in better shape. See also the "queue",
6394 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01006395
Willy Tarreaua36af912009-10-10 12:02:45 +02006396be_conn <integer>
Willy Tarreau6cbd6472010-09-08 19:06:18 +02006397be_conn(backend) <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02006398 Applies to the number of currently established connections on the backend,
6399 possibly including the connection being evaluated. If no backend name is
6400 specified, the current one is used. But it is also possible to check another
6401 backend. It can be used to use a specific farm when the nominal one is full.
6402 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006403
Willy Tarreaud63335a2010-02-26 12:56:52 +01006404be_sess_rate <integer>
6405be_sess_rate(backend) <integer>
6406 Returns true when the sessions creation rate on the backend matches the
6407 specified values or ranges, in number of new sessions per second. This is
6408 used to switch to an alternate backend when an expensive or fragile one
6409 reaches too high a session rate, or to limit abuse of service (eg. prevent
6410 sucking of an online dictionary).
6411
6412 Example :
6413 # Redirect to an error page if the dictionary is requested too often
6414 backend dynamic
6415 mode http
6416 acl being_scanned be_sess_rate gt 100
6417 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01006418
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006419connslots <integer>
6420connslots(backend) <integer>
6421 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02006422 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006423 usage; see "use_backend" keyword) can be redirected to a different backend.
6424
Willy Tarreau55165fe2009-05-10 12:02:55 +02006425 'connslots' = number of available server connection slots, + number of
6426 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006427
Willy Tarreaua36af912009-10-10 12:02:45 +02006428 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02006429 useful when you have a case of traffic going to one single ip, splitting into
6430 multiple backends (perhaps using acls to do name-based load balancing) and
6431 you want to be able to differentiate between different backends, and their
6432 available "connslots". Also, whereas "nbsrv" only measures servers that are
6433 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02006434 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006435
Willy Tarreau55165fe2009-05-10 12:02:55 +02006436 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
6437 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
6438 then this acl clearly does not make sense, in which case the value returned
6439 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006440
Willy Tarreaud63335a2010-02-26 12:56:52 +01006441dst <ip_address>
6442 Applies to the local IPv4 address the client connected to. It can be used to
6443 switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02006444
Willy Tarreaud63335a2010-02-26 12:56:52 +01006445dst_conn <integer>
6446 Applies to the number of currently established connections on the same socket
6447 including the one being evaluated. It can be used to either return a sorry
6448 page before hard-blocking, or to use a specific backend to drain new requests
6449 when the socket is considered saturated. This offers the ability to assign
6450 different limits to different listening ports or addresses. See also the
6451 "fe_conn" and "be_conn" criteria.
6452
6453dst_port <integer>
6454 Applies to the local port the client connected to. It can be used to switch
6455 to a different backend for some alternative ports.
6456
6457fe_conn <integer>
6458fe_conn(frontend) <integer>
6459 Applies to the number of currently established connections on the frontend,
6460 possibly including the connection being evaluated. If no frontend name is
6461 specified, the current one is used. But it is also possible to check another
6462 frontend. It can be used to either return a sorry page before hard-blocking,
6463 or to use a specific backend to drain new requests when the farm is
6464 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
6465 criteria.
6466
6467fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01006468 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01006469 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02006470
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006471fe_sess_rate <integer>
6472fe_sess_rate(frontend) <integer>
6473 Returns true when the session creation rate on the current or the named
6474 frontend matches the specified values or ranges, expressed in new sessions
6475 per second. This is used to limit the connection rate to acceptable ranges in
6476 order to prevent abuse of service at the earliest moment. This can be
6477 combined with layer 4 ACLs in order to force the clients to wait a bit for
6478 the rate to go down below the limit.
6479
6480 Example :
6481 # This frontend limits incoming mails to 10/s with a max of 100
6482 # concurrent connections. We accept any connection below 10/s, and
6483 # force excess clients to wait for 100 ms. Since clients are limited to
6484 # 100 max, there cannot be more than 10 incoming mails per second.
6485 frontend mail
6486 bind :25
6487 mode tcp
6488 maxconn 100
6489 acl too_fast fe_sess_rate ge 10
6490 tcp-request inspect-delay 100ms
6491 tcp-request content accept if ! too_fast
6492 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01006493
Willy Tarreaud63335a2010-02-26 12:56:52 +01006494nbsrv <integer>
6495nbsrv(backend) <integer>
6496 Returns true when the number of usable servers of either the current backend
6497 or the named backend matches the values or ranges specified. This is used to
6498 switch to an alternate backend when the number of servers is too low to
6499 to handle some load. It is useful to report a failure when combined with
6500 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006501
Willy Tarreaud63335a2010-02-26 12:56:52 +01006502queue <integer>
Willy Tarreauf5a526f2010-09-01 08:06:18 +02006503queue(backend) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01006504 Returns the total number of queued connections of the designated backend,
6505 including all the connections in server queues. If no backend name is
6506 specified, the current one is used, but it is also possible to check another
6507 one. This can be used to take actions when queuing goes above a known level,
6508 generally indicating a surge of traffic or a massive slowdown on the servers.
6509 One possible action could be to reject new users but still accept old ones.
6510 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
6511
Willy Tarreaue9656522010-08-17 15:40:09 +02006512sc1_bytes_in_rate
6513sc2_bytes_in_rate
6514 Returns the average client-to-server bytes rate from the currently tracked
6515 counters, measured in amount of bytes over the period configured in the
6516 table. See also src_bytes_in_rate.
6517
6518sc1_bytes_out_rate
6519sc2_bytes_out_rate
6520 Returns the average server-to-client bytes rate from the currently tracked
6521 counters, measured in amount of bytes over the period configured in the
6522 table. See also src_bytes_out_rate.
6523
6524sc1_conn_cnt
6525sc2_conn_cnt
6526 Returns the cumulated number of incoming connections from currently tracked
6527 counters. See also src_conn_cnt.
6528
6529sc1_conn_cur
6530sc2_conn_cur
6531 Returns the current amount of concurrent connections tracking the same
6532 tracked counters. This number is automatically incremented when tracking
6533 begins and decremented when tracking stops. See also src_conn_cur.
6534
6535sc1_conn_rate
6536sc2_conn_rate
6537 Returns the average connection rate from the currently tracked counters,
6538 measured in amount of connections over the period configured in the table.
6539 See also src_conn_rate.
6540
6541sc1_get_gpc0
6542sc2_get_gpc0
6543 Returns the value of the first General Purpose Counter associated to the
6544 currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
6545
6546sc1_http_err_cnt
6547sc2_http_err_cnt
6548 Returns the cumulated number of HTTP errors from the currently tracked
6549 counters. This includes the both request errors and 4xx error responses.
6550 See also src_http_err_cnt.
6551
6552sc1_http_err_rate
6553sc2_http_err_rate
6554 Returns the average rate of HTTP errors from the currently tracked counters,
6555 measured in amount of errors over the period configured in the table. This
6556 includes the both request errors and 4xx error responses. See also
6557 src_http_err_rate.
6558
6559sc1_http_req_cnt
6560sc2_http_req_cnt
6561 Returns the cumulated number of HTTP requests from the currently tracked
6562 counters. This includes every started request, valid or not. See also
6563 src_http_req_cnt.
6564
6565sc1_http_req_rate
6566sc2_http_req_rate
6567 Returns the average rate of HTTP requests from the currently tracked
6568 counters, measured in amount of requests over the period configured in
6569 the table. This includes every started request, valid or not. See also
6570 src_http_req_rate.
6571
6572sc1_inc_gpc0
6573sc2_inc_gpc0
6574 Increments the first General Purpose Counter associated to the currently
6575 tracked counters, and returns its value. Before the first invocation, the
6576 stored value is zero, so first invocation will increase it to 1 and will
6577 return 1. The test can also be used alone and always returns true. This is
6578 typically used as a second ACL in an expression in order to mark a connection
6579 when a first ACL was verified :
6580
6581 acl abuse sc1_http_req_rate gt 10
6582 acl kill sc1_inc_gpc0
6583 tcp-request connection reject if abuse kill
6584
6585sc1_kbytes_in
6586sc2_kbytes_in
6587 Returns the amount of client-to-server data from the currently tracked
6588 counters, measured in kilobytes over the period configured in the table. The
6589 test is currently performed on 32-bit integers, which limits values to 4
6590 terabytes. See also src_kbytes_in.
6591
6592sc1_kbytes_out
6593sc2_kbytes_out
6594 Returns the amount of server-to-client data from the currently tracked
6595 counters, measured in kilobytes over the period configured in the table. The
6596 test is currently performed on 32-bit integers, which limits values to 4
6597 terabytes. See also src_kbytes_out.
6598
6599sc1_sess_cnt
6600sc2_sess_cnt
6601 Returns the cumulated number of incoming connections that were transformed
6602 into sessions, which means that they were accepted by a "tcp-request
6603 connection" rule, from the currently tracked counters. A backend may count
6604 more sessions than connections because each connection could result in many
6605 backend sessions if some HTTP keep-alive is performend over the connection
6606 with the client. See also src_sess_cnt.
6607
6608sc1_sess_rate
6609sc2_sess_rate
6610 Returns the average session rate from the currently tracked counters,
6611 measured in amount of sessions over the period configured in the table. A
6612 session is a connection that got past the early "tcp-request connection"
6613 rules. A backend may count more sessions than connections because each
6614 connection could result in many backend sessions if some HTTP keep-alive is
6615 performend over the connection with the client. See also src_sess_rate.
6616
Willy Tarreaud63335a2010-02-26 12:56:52 +01006617so_id <integer>
6618 Applies to the socket's id. Useful in frontends with many bind keywords.
6619
6620src <ip_address>
6621 Applies to the client's IPv4 address. It is usually used to limit access to
6622 certain resources such as statistics. Note that it is the TCP-level source
6623 address which is used, and not the address of a client behind a proxy.
6624
Willy Tarreauc9705a12010-07-27 20:05:50 +02006625src_bytes_in_rate <integer>
6626src_bytes_in_rate(table) <integer>
6627 Returns the average bytes rate from the connection's source IPv4 address in
6628 the current proxy's stick-table or in the designated stick-table, measured in
6629 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006630 not found, zero is returned. See also sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006631
6632src_bytes_out_rate <integer>
6633src_bytes_out_rate(table) <integer>
6634 Returns the average bytes rate to the connection's source IPv4 address in the
6635 current proxy's stick-table or in the designated stick-table, measured in
6636 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006637 not found, zero is returned. See also sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006638
6639src_conn_cnt <integer>
6640src_conn_cnt(table) <integer>
6641 Returns the cumulated number of connections initiated from the current
6642 connection's source IPv4 address in the current proxy's stick-table or in
6643 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02006644 See also sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006645
6646src_conn_cur <integer>
6647src_conn_cur(table) <integer>
6648 Returns the current amount of concurrent connections initiated from the
6649 current connection's source IPv4 address in the current proxy's stick-table
6650 or in the designated stick-table. If the address is not found, zero is
Willy Tarreaue9656522010-08-17 15:40:09 +02006651 returned. See also sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006652
6653src_conn_rate <integer>
6654src_conn_rate(table) <integer>
6655 Returns the average connection rate from the connection's source IPv4 address
6656 in the current proxy's stick-table or in the designated stick-table, measured
6657 in amount of connections over the period configured in the table. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02006658 address is not found, zero is returned. See also sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006659
6660src_get_gpc0 <integer>
6661src_get_gpc0(table) <integer>
6662 Returns the value of the first General Purpose Counter associated to the
6663 connection's source IPv4 address in the current proxy's stick-table or in
6664 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02006665 See also sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006666
6667src_http_err_cnt <integer>
6668src_http_err_cnt(table) <integer>
6669 Returns the cumulated number of HTTP errors from the current connection's
6670 source IPv4 address in the current proxy's stick-table or in the designated
6671 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreaue9656522010-08-17 15:40:09 +02006672 If the address is not found, zero is returned. See also sc1/sc2_http_err_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006673
6674src_http_err_rate <integer>
6675src_http_err_rate(table) <integer>
6676 Returns the average rate of HTTP errors from the current connection's source
6677 IPv4 address in the current proxy's stick-table or in the designated stick-
6678 table, measured in amount of errors over the period configured in the table.
6679 This includes the both request errors and 4xx error responses. If the address
Willy Tarreaue9656522010-08-17 15:40:09 +02006680 is not found, zero is returned. See also sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006681
6682src_http_req_cnt <integer>
6683src_http_req_cnt(table) <integer>
6684 Returns the cumulated number of HTTP requests from the current connection's
6685 source IPv4 address in the current proxy's stick-table or in the designated
6686 stick-table. This includes every started request, valid or not. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02006687 address is not found, zero is returned. See also sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006688
6689src_http_req_rate <integer>
6690src_http_req_rate(table) <integer>
6691 Returns the average rate of HTTP requests from the current connection's
6692 source IPv4 address in the current proxy's stick-table or in the designated
6693 stick-table, measured in amount of requests over the period configured in the
6694 table. This includes every started request, valid or not. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006695 not found, zero is returned. See also sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006696
6697src_inc_gpc0 <integer>
6698src_inc_gpc0(table) <integer>
6699 Increments the first General Purpose Counter associated to the connection's
6700 source IPv4 address in the current proxy's stick-table or in the designated
6701 stick-table, and returns its value. If the address is not found, an entry is
6702 created and 1 is returned. The test can also be used alone and always returns
6703 true. This is typically used as a second ACL in an expression in order to
6704 mark a connection when a first ACL was verified :
6705
6706 acl abuse src_http_req_rate gt 10
6707 acl kill src_inc_gpc0
Willy Tarreaue9656522010-08-17 15:40:09 +02006708 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +02006709
6710src_kbytes_in <integer>
6711src_kbytes_in(table) <integer>
6712 Returns the amount of data received from the connection's source IPv4 address
6713 in the current proxy's stick-table or in the designated stick-table, measured
6714 in kilobytes over the period configured in the table. If the address is not
6715 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02006716 which limits values to 4 terabytes. See also sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006717
6718src_kbytes_out <integer>
6719src_kbytes_out(table) <integer>
6720 Returns the amount of data sent to the connection's source IPv4 address in
6721 the current proxy's stick-table or in the designated stick-table, measured
6722 in kilobytes over the period configured in the table. If the address is not
6723 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02006724 which limits values to 4 terabytes. See also sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006725
Willy Tarreaud63335a2010-02-26 12:56:52 +01006726src_port <integer>
6727 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006728
Willy Tarreauc9705a12010-07-27 20:05:50 +02006729src_sess_cnt <integer>
6730src_sess_cnt(table) <integer>
6731 Returns the cumulated number of connections initiated from the current
6732 connection's source IPv4 address in the current proxy's stick-table or in the
6733 designated stick-table, that were transformed into sessions, which means that
6734 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreaue9656522010-08-17 15:40:09 +02006735 is returned. See also sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006736
6737src_sess_rate <integer>
6738src_sess_rate(table) <integer>
6739 Returns the average session rate from the connection's source IPv4 address in
6740 the current proxy's stick-table or in the designated stick-table, measured in
6741 amount of sessions over the period configured in the table. A session is a
6742 connection that got past the early "tcp-request" rules. If the address is not
Willy Tarreaue9656522010-08-17 15:40:09 +02006743 found, zero is returned. See also sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006744
6745src_updt_conn_cnt <integer>
6746src_updt_conn_cnt(table) <integer>
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006747 Creates or updates the entry associated to the source IPv4 address in the
Willy Tarreauc9705a12010-07-27 20:05:50 +02006748 current proxy's stick-table or in the designated stick-table. This table
6749 must be configured to store the "conn_cnt" data type, otherwise the match
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006750 will be ignored. The current count is incremented by one, and the expiration
6751 timer refreshed. The updated count is returned, so this match can't return
6752 zero. This is used to reject service abusers based on their source address.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006753 Note: it is recommended to use the more complete "track-counters" instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006754
6755 Example :
6756 # This frontend limits incoming SSH connections to 3 per 10 second for
6757 # each source address, and rejects excess connections until a 10 second
6758 # silence is observed. At most 20 addresses are tracked.
6759 listen ssh
6760 bind :22
6761 mode tcp
6762 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +02006763 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006764 tcp-request content reject if { src_update_count gt 3 }
6765 server local 127.0.0.1:22
6766
Willy Tarreau0b1cd942010-05-16 22:18:27 +02006767srv_is_up(<server>)
6768srv_is_up(<backend>/<server>)
6769 Returns true when the designated server is UP, and false when it is either
6770 DOWN or in maintenance mode. If <backend> is omitted, then the server is
6771 looked up in the current backend. The function takes no arguments since it
6772 is used as a boolean. It is mainly used to take action based on an external
6773 status reported via a health check (eg: a geographical site's availability).
6774 Another possible use which is more of a hack consists in using dummy servers
6775 as boolean variables that can be enabled or disabled from the CLI, so that
6776 rules depending on those ACLs can be tweaked in realtime.
6777
Willy Tarreau0ba27502007-12-24 16:55:16 +01006778
Willy Tarreaue9656522010-08-17 15:40:09 +020067797.5.2. Matching contents at Layer 4 (also called Layer 6)
6780---------------------------------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02006781
6782A second set of criteria depends on data found in buffers, but which can change
6783during analysis. This requires that some data has been buffered, for instance
Willy Tarreaue9656522010-08-17 15:40:09 +02006784through TCP request content inspection. Please see the "tcp-request content"
6785keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +02006786
6787req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02006788 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02006789 specified range. It is important to understand that this test does not
6790 return false as long as the buffer is changing. This means that a check with
6791 equality to zero will almost always immediately match at the beginning of the
6792 session, while a test for more data will wait for that data to come in and
6793 return false only when haproxy is certain that no more data will come in.
6794 This test was designed to be used with TCP request content inspection.
6795
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006796req_proto_http
6797 Returns true when data in the request buffer look like HTTP and correctly
6798 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006799 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006800 to direct HTTP traffic to a given port and HTTPS traffic to another one
6801 using TCP request content inspection rules.
6802
Emeric Brunbede3d02009-06-30 17:54:00 +02006803req_rdp_cookie <string>
6804req_rdp_cookie(name) <string>
6805 Returns true when data in the request buffer look like the RDP protocol, and
6806 a cookie is present and equal to <string>. By default, any cookie name is
6807 checked, but a specific cookie name can be specified in parenthesis. The
6808 parser only checks for the first cookie, as illustrated in the RDP protocol
6809 specification. The cookie name is case insensitive. This ACL can be useful
6810 with the "MSTS" cookie, as it can contain the user name of the client
6811 connecting to the server if properly configured on the client. This can be
6812 used to restrict access to certain servers to certain users.
6813
6814req_rdp_cookie_cnt <integer>
6815req_rdp_cookie_cnt(name) <integer>
6816 Returns true when the data in the request buffer look like the RDP protocol
6817 and the number of RDP cookies matches the specified range (typically zero or
6818 one). Optionally a specific cookie name can be checked. This is a simple way
6819 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
6820 cookies.
6821
Willy Tarreau62644772008-07-16 18:36:06 +02006822req_ssl_ver <decimal>
6823 Returns true when data in the request buffer look like SSL, with a protocol
6824 version matching the specified range. Both SSLv2 hello messages and SSLv3
6825 messages are supported. The test tries to be strict enough to avoid being
6826 easily fooled. In particular, it waits for as many bytes as announced in the
6827 message header if this header looks valid (bound to the buffer size). Note
6828 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
6829 with TCP request content inspection.
6830
Willy Tarreaub6fb4202008-07-20 11:18:28 +02006831wait_end
6832 Waits for the end of the analysis period to return true. This may be used in
6833 conjunction with content analysis to avoid returning a wrong verdict early.
6834 It may also be used to delay some actions, such as a delayed reject for some
6835 special addresses. Since it either stops the rules evaluation or immediately
6836 returns true, it is recommended to use this acl as the last one in a rule.
6837 Please note that the default ACL "WAIT_END" is always usable without prior
6838 declaration. This test was designed to be used with TCP request content
6839 inspection.
6840
6841 Examples :
6842 # delay every incoming request by 2 seconds
6843 tcp-request inspect-delay 2s
6844 tcp-request content accept if WAIT_END
6845
6846 # don't immediately tell bad guys they are rejected
6847 tcp-request inspect-delay 10s
6848 acl goodguys src 10.0.0.0/24
6849 acl badguys src 10.0.1.0/24
6850 tcp-request content accept if goodguys
6851 tcp-request content reject if badguys WAIT_END
6852 tcp-request content reject
6853
Willy Tarreau62644772008-07-16 18:36:06 +02006854
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068557.5.3. Matching at Layer 7
6856--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006857
Willy Tarreau62644772008-07-16 18:36:06 +02006858A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01006859application layer (layer 7). Those require that a full HTTP request has been
6860read, and are only evaluated then. They may require slightly more CPU resources
6861than the layer 4 ones, but not much since the request and response are indexed.
6862
Willy Tarreaud63335a2010-02-26 12:56:52 +01006863hdr <string>
6864hdr(header) <string>
6865 Note: all the "hdr*" matching criteria either apply to all headers, or to a
6866 particular header whose name is passed between parenthesis and without any
6867 space. The header name is not case-sensitive. The header matching complies
6868 with RFC2616, and treats as separate headers all values delimited by commas.
6869 Use the shdr() variant for response headers sent by the server.
6870
6871 The "hdr" criteria returns true if any of the headers matching the criteria
6872 match any of the strings. This can be used to check exact for values. For
6873 instance, checking that "connection: close" is set :
6874
6875 hdr(Connection) -i close
6876
6877hdr_beg <string>
6878hdr_beg(header) <string>
6879 Returns true when one of the headers begins with one of the strings. See
6880 "hdr" for more information on header matching. Use the shdr_beg() variant for
6881 response headers sent by the server.
6882
6883hdr_cnt <integer>
6884hdr_cnt(header) <integer>
6885 Returns true when the number of occurrence of the specified header matches
6886 the values or ranges specified. It is important to remember that one header
6887 line may count as several headers if it has several values. This is used to
6888 detect presence, absence or abuse of a specific header, as well as to block
6889 request smuggling attacks by rejecting requests which contain more than one
6890 of certain headers. See "hdr" for more information on header matching. Use
6891 the shdr_cnt() variant for response headers sent by the server.
6892
6893hdr_dir <string>
6894hdr_dir(header) <string>
6895 Returns true when one of the headers contains one of the strings either
6896 isolated or delimited by slashes. This is used to perform filename or
6897 directory name matching, and may be used with Referer. See "hdr" for more
6898 information on header matching. Use the shdr_dir() variant for response
6899 headers sent by the server.
6900
6901hdr_dom <string>
6902hdr_dom(header) <string>
6903 Returns true when one of the headers contains one of the strings either
6904 isolated or delimited by dots. This is used to perform domain name matching,
6905 and may be used with the Host header. See "hdr" for more information on
6906 header matching. Use the shdr_dom() variant for response headers sent by the
6907 server.
6908
6909hdr_end <string>
6910hdr_end(header) <string>
6911 Returns true when one of the headers ends with one of the strings. See "hdr"
6912 for more information on header matching. Use the shdr_end() variant for
6913 response headers sent by the server.
6914
6915hdr_ip <ip_address>
6916hdr_ip(header) <ip_address>
6917 Returns true when one of the headers' values contains an IP address matching
6918 <ip_address>. This is mainly used with headers such as X-Forwarded-For or
6919 X-Client-IP. See "hdr" for more information on header matching. Use the
6920 shdr_ip() variant for response headers sent by the server.
6921
6922hdr_reg <regex>
6923hdr_reg(header) <regex>
6924 Returns true when one of the headers matches of the regular expressions. It
6925 can be used at any time, but it is important to remember that regex matching
6926 is slower than other methods. See also other "hdr_" criteria, as well as
6927 "hdr" for more information on header matching. Use the shdr_reg() variant for
6928 response headers sent by the server.
6929
6930hdr_sub <string>
6931hdr_sub(header) <string>
6932 Returns true when one of the headers contains one of the strings. See "hdr"
6933 for more information on header matching. Use the shdr_sub() variant for
6934 response headers sent by the server.
6935
6936hdr_val <integer>
6937hdr_val(header) <integer>
6938 Returns true when one of the headers starts with a number which matches the
6939 values or ranges specified. This may be used to limit content-length to
6940 acceptable values for example. See "hdr" for more information on header
6941 matching. Use the shdr_val() variant for response headers sent by the server.
6942
6943http_auth(userlist)
6944http_auth_group(userlist) <group> [<group>]*
6945 Returns true when authentication data received from the client matches
6946 username & password stored on the userlist. It is also possible to
6947 use http_auth_group to check if the user is assigned to at least one
6948 of specified groups.
6949
6950 Currently only http basic auth is supported.
6951
Willy Tarreau6a06a402007-07-15 20:15:28 +02006952method <string>
6953 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
6954 already check for most common methods.
6955
Willy Tarreau6a06a402007-07-15 20:15:28 +02006956path <string>
6957 Returns true when the path part of the request, which starts at the first
6958 slash and ends before the question mark, equals one of the strings. It may be
6959 used to match known files, such as /favicon.ico.
6960
6961path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006962 Returns true when the path begins with one of the strings. This can be used
6963 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006964
Willy Tarreau6a06a402007-07-15 20:15:28 +02006965path_dir <string>
6966 Returns true when one of the strings is found isolated or delimited with
6967 slashes in the path. This is used to perform filename or directory name
6968 matching without the risk of wrong match due to colliding prefixes. See also
6969 "url_dir" and "path_sub".
6970
6971path_dom <string>
6972 Returns true when one of the strings is found isolated or delimited with dots
6973 in the path. This may be used to perform domain name matching in proxy
6974 requests. See also "path_sub" and "url_dom".
6975
Willy Tarreaud63335a2010-02-26 12:56:52 +01006976path_end <string>
6977 Returns true when the path ends with one of the strings. This may be used to
6978 control file name extension.
6979
Willy Tarreau6a06a402007-07-15 20:15:28 +02006980path_reg <regex>
6981 Returns true when the path matches one of the regular expressions. It can be
6982 used any time, but it is important to remember that regex matching is slower
6983 than other methods. See also "url_reg" and all "path_" criteria.
6984
Willy Tarreaud63335a2010-02-26 12:56:52 +01006985path_sub <string>
6986 Returns true when the path contains one of the strings. It can be used to
6987 detect particular patterns in paths, such as "../" for example. See also
6988 "path_dir".
6989
6990req_ver <string>
6991 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
6992 ACL already check for versions 1.0 and 1.1.
6993
6994status <integer>
6995 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
6996 used to act on responses depending on status ranges, for instance, remove
6997 any Location header if the response is not a 3xx.
6998
Willy Tarreau6a06a402007-07-15 20:15:28 +02006999url <string>
7000 Applies to the whole URL passed in the request. The only real use is to match
7001 "*", for which there already is a predefined ACL.
7002
7003url_beg <string>
7004 Returns true when the URL begins with one of the strings. This can be used to
7005 check whether a URL begins with a slash or with a protocol scheme.
7006
Willy Tarreau6a06a402007-07-15 20:15:28 +02007007url_dir <string>
7008 Returns true when one of the strings is found isolated or delimited with
7009 slashes in the URL. This is used to perform filename or directory name
7010 matching without the risk of wrong match due to colliding prefixes. See also
7011 "path_dir" and "url_sub".
7012
7013url_dom <string>
7014 Returns true when one of the strings is found isolated or delimited with dots
7015 in the URL. This is used to perform domain name matching without the risk of
7016 wrong match due to colliding prefixes. See also "url_sub".
7017
Willy Tarreaud63335a2010-02-26 12:56:52 +01007018url_end <string>
7019 Returns true when the URL ends with one of the strings. It has very limited
7020 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007021
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007022url_ip <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01007023 Applies to the IP address specified in the absolute URI in an HTTP request.
7024 It can be used to prevent access to certain resources such as local network.
Willy Tarreau198a7442008-01-17 12:05:32 +01007025 It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007026
7027url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01007028 Applies to the port specified in the absolute URI in an HTTP request. It can
7029 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01007030 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01007031 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007032
Willy Tarreaud63335a2010-02-26 12:56:52 +01007033url_reg <regex>
7034 Returns true when the URL matches one of the regular expressions. It can be
7035 used any time, but it is important to remember that regex matching is slower
7036 than other methods. See also "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007037
Willy Tarreaud63335a2010-02-26 12:56:52 +01007038url_sub <string>
7039 Returns true when the URL contains one of the strings. It can be used to
7040 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007041
Willy Tarreau198a7442008-01-17 12:05:32 +01007042
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070437.6. Pre-defined ACLs
7044---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007045
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007046Some predefined ACLs are hard-coded so that they do not have to be declared in
7047every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02007048order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01007049
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007050ACL name Equivalent to Usage
7051---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007052FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007053HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007054HTTP_1.0 req_ver 1.0 match HTTP version 1.0
7055HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01007056HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
7057HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
7058HTTP_URL_SLASH url_beg / match URL beginning with "/"
7059HTTP_URL_STAR url * match URL equal to "*"
7060LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007061METH_CONNECT method CONNECT match HTTP CONNECT method
7062METH_GET method GET HEAD match HTTP GET or HEAD method
7063METH_HEAD method HEAD match HTTP HEAD method
7064METH_OPTIONS method OPTIONS match HTTP OPTIONS method
7065METH_POST method POST match HTTP POST method
7066METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02007067RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007068REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01007069TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007070WAIT_END wait_end wait for end of content analysis
7071---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007072
Willy Tarreauced27012008-01-17 20:35:34 +01007073
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070747.7. Using ACLs to form conditions
7075----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007076
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007077Some actions are only performed upon a valid condition. A condition is a
7078combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01007079
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007080 - AND (implicit)
7081 - OR (explicit with the "or" keyword or the "||" operator)
7082 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01007083
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007084A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01007085
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007086 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01007087
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007088Such conditions are generally used after an "if" or "unless" statement,
7089indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01007090
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007091For instance, to block HTTP requests to the "*" URL with methods other than
7092"OPTIONS", as well as POST requests without content-length, and GET or HEAD
7093requests with a content-length greater than 0, and finally every request which
7094is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01007095
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007096 acl missing_cl hdr_cnt(Content-length) eq 0
7097 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
7098 block if METH_GET HTTP_CONTENT
7099 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01007100
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007101To select a different backend for requests to static contents on the "www" site
7102and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01007103
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007104 acl url_static path_beg /static /images /img /css
7105 acl url_static path_end .gif .png .jpg .css .js
7106 acl host_www hdr_beg(host) -i www
7107 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01007108
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007109 # now use backend "static" for all static-only hosts, and for static urls
7110 # of host "www". Use backend "www" for the rest.
7111 use_backend static if host_static or host_www url_static
7112 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01007113
Willy Tarreau95fa4692010-02-01 13:05:50 +01007114It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
7115expressions that are built on the fly without needing to be declared. They must
7116be enclosed between braces, with a space before and after each brace (because
7117the braces must be seen as independant words). Example :
7118
7119 The following rule :
7120
7121 acl missing_cl hdr_cnt(Content-length) eq 0
7122 block if METH_POST missing_cl
7123
7124 Can also be written that way :
7125
7126 block if METH_POST { hdr_cnt(Content-length) eq 0 }
7127
7128It is generally not recommended to use this construct because it's a lot easier
7129to leave errors in the configuration when written that way. However, for very
7130simple rules matching only one source IP address for instance, it can make more
7131sense to use them than to declare ACLs with random names. Another example of
7132good use is the following :
7133
7134 With named ACLs :
7135
7136 acl site_dead nbsrv(dynamic) lt 2
7137 acl site_dead nbsrv(static) lt 2
7138 monitor fail if site_dead
7139
7140 With anonymous ACLs :
7141
7142 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
7143
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007144See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01007145
Willy Tarreau5764b382007-11-30 17:46:49 +01007146
Willy Tarreaub937b7e2010-01-12 15:27:54 +010071477.8. Pattern extraction
7148-----------------------
7149
7150The stickiness features relies on pattern extraction in the request and
7151response. Sometimes the data needs to be converted first before being stored,
7152for instance converted from ASCII to IP or upper case to lower case.
7153
7154All these operations of data extraction and conversion are defined as
7155"pattern extraction rules". A pattern rule always has the same format. It
7156begins with a single pattern fetch word, potentially followed by a list of
7157arguments within parenthesis then an optional list of transformations. As
7158much as possible, the pattern fetch functions use the same name as their
7159equivalent used in ACLs.
7160
7161The list of currently supported pattern fetch functions is the following :
7162
7163 src This is the source IPv4 address of the client of the session.
7164 It is of type IP and only works with such tables.
7165
7166 dst This is the destination IPv4 address of the session on the
7167 client side, which is the address the client connected to.
7168 It can be useful when running in transparent mode. It is of
7169 typie IP and only works with such tables.
7170
7171 dst_port This is the destination TCP port of the session on the client
7172 side, which is the port the client connected to. This might be
7173 used when running in transparent mode or when assigning dynamic
7174 ports to some clients for a whole application session. It is of
7175 type integer and only works with such tables.
7176
Willy Tarreau4a568972010-05-12 08:08:50 +02007177 hdr(name) This extracts the last occurrence of header <name> in an HTTP
7178 request and converts it to an IP address. This IP address is
7179 then used to match the table. A typical use is with the
7180 x-forwarded-for header.
7181
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007182
7183The currently available list of transformations include :
7184
7185 lower Convert a string pattern to lower case. This can only be placed
7186 after a string pattern fetch function or after a conversion
7187 function returning a string type. The result is of type string.
7188
7189 upper Convert a string pattern to upper case. This can only be placed
7190 after a string pattern fetch function or after a conversion
7191 function returning a string type. The result is of type string.
7192
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01007193 ipmask(mask) Apply a mask to an IPv4 address, and use the result for lookups
7194 and storage. This can be used to make all hosts within a
7195 certain mask to share the same table entries and as such use
7196 the same server. The mask can be passed in dotted form (eg:
7197 255.255.255.0) or in CIDR form (eg: 24).
7198
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007199
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072008. Logging
7201----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01007202
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007203One of HAProxy's strong points certainly lies is its precise logs. It probably
7204provides the finest level of information available for such a product, which is
7205very important for troubleshooting complex environments. Standard information
7206provided in logs include client ports, TCP/HTTP state timers, precise session
7207state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007208to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007209headers.
7210
7211In order to improve administrators reactivity, it offers a great transparency
7212about encountered problems, both internal and external, and it is possible to
7213send logs to different sources at the same time with different level filters :
7214
7215 - global process-level logs (system errors, start/stop, etc..)
7216 - per-instance system and internal errors (lack of resource, bugs, ...)
7217 - per-instance external troubles (servers up/down, max connections)
7218 - per-instance activity (client connections), either at the establishment or
7219 at the termination.
7220
7221The ability to distribute different levels of logs to different log servers
7222allow several production teams to interact and to fix their problems as soon
7223as possible. For example, the system team might monitor system-wide errors,
7224while the application team might be monitoring the up/down for their servers in
7225real time, and the security team might analyze the activity logs with one hour
7226delay.
7227
7228
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072298.1. Log levels
7230---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007231
7232TCP and HTTP connections can be logged with informations such as date, time,
7233source IP address, destination address, connection duration, response times,
7234HTTP request, the HTTP return code, number of bytes transmitted, the conditions
7235in which the session ended, and even exchanged cookies values, to track a
7236particular user's problems for example. All messages are sent to up to two
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007237syslog servers. Check the "log" keyword in section 4.2 for more info about log
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007238facilities.
7239
7240
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072418.2. Log formats
7242----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007243
Emeric Brun3a058f32009-06-30 18:26:00 +02007244HAProxy supports 4 log formats. Several fields are common between these formats
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007245and will be detailed in the next sections. A few of them may slightly vary with
7246the configuration, due to indicators specific to certain options. The supported
7247formats are the following ones :
7248
7249 - the default format, which is very basic and very rarely used. It only
7250 provides very basic information about the incoming connection at the moment
7251 it is accepted : source IP:port, destination IP:port, and frontend-name.
7252 This mode will eventually disappear so it will not be described to great
7253 extents.
7254
7255 - the TCP format, which is more advanced. This format is enabled when "option
7256 tcplog" is set on the frontend. HAProxy will then usually wait for the
7257 connection to terminate before logging. This format provides much richer
7258 information, such as timers, connection counts, queue size, etc... This
7259 format is recommended for pure TCP proxies.
7260
7261 - the HTTP format, which is the most advanced for HTTP proxying. This format
7262 is enabled when "option httplog" is set on the frontend. It provides the
7263 same information as the TCP format with some HTTP-specific fields such as
7264 the request, the status code, and captures of headers and cookies. This
7265 format is recommended for HTTP proxies.
7266
Emeric Brun3a058f32009-06-30 18:26:00 +02007267 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
7268 fields arranged in the same order as the CLF format. In this mode, all
7269 timers, captures, flags, etc... appear one per field after the end of the
7270 common fields, in the same order they appear in the standard HTTP format.
7271
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007272Next sections will go deeper into details for each of these formats. Format
7273specification will be performed on a "field" basis. Unless stated otherwise, a
7274field is a portion of text delimited by any number of spaces. Since syslog
7275servers are susceptible of inserting fields at the beginning of a line, it is
7276always assumed that the first field is the one containing the process name and
7277identifier.
7278
7279Note : Since log lines may be quite long, the log examples in sections below
7280 might be broken into multiple lines. The example log lines will be
7281 prefixed with 3 closing angle brackets ('>>>') and each time a log is
7282 broken into multiple lines, each non-final line will end with a
7283 backslash ('\') and the next line will start indented by two characters.
7284
7285
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072868.2.1. Default log format
7287-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007288
7289This format is used when no specific option is set. The log is emitted as soon
7290as the connection is accepted. One should note that this currently is the only
7291format which logs the request's destination IP and ports.
7292
7293 Example :
7294 listen www
7295 mode http
7296 log global
7297 server srv1 127.0.0.1:8000
7298
7299 >>> Feb 6 12:12:09 localhost \
7300 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
7301 (www/HTTP)
7302
7303 Field Format Extract from the example above
7304 1 process_name '[' pid ']:' haproxy[14385]:
7305 2 'Connect from' Connect from
7306 3 source_ip ':' source_port 10.0.1.2:33312
7307 4 'to' to
7308 5 destination_ip ':' destination_port 10.0.3.31:8012
7309 6 '(' frontend_name '/' mode ')' (www/HTTP)
7310
7311Detailed fields description :
7312 - "source_ip" is the IP address of the client which initiated the connection.
7313 - "source_port" is the TCP port of the client which initiated the connection.
7314 - "destination_ip" is the IP address the client connected to.
7315 - "destination_port" is the TCP port the client connected to.
7316 - "frontend_name" is the name of the frontend (or listener) which received
7317 and processed the connection.
7318 - "mode is the mode the frontend is operating (TCP or HTTP).
7319
7320It is advised not to use this deprecated format for newer installations as it
7321will eventually disappear.
7322
7323
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073248.2.2. TCP log format
7325---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007326
7327The TCP format is used when "option tcplog" is specified in the frontend, and
7328is the recommended format for pure TCP proxies. It provides a lot of precious
7329information for troubleshooting. Since this format includes timers and byte
7330counts, the log is normally emitted at the end of the session. It can be
7331emitted earlier if "option logasap" is specified, which makes sense in most
7332environments with long sessions such as remote terminals. Sessions which match
7333the "monitor" rules are never logged. It is also possible not to emit logs for
7334sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007335specifying "option dontlognull" in the frontend. Successful connections will
7336not be logged if "option dontlog-normal" is specified in the frontend. A few
7337fields may slightly vary depending on some configuration options, those are
7338marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007339
7340 Example :
7341 frontend fnt
7342 mode tcp
7343 option tcplog
7344 log global
7345 default_backend bck
7346
7347 backend bck
7348 server srv1 127.0.0.1:8000
7349
7350 >>> Feb 6 12:12:56 localhost \
7351 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
7352 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
7353
7354 Field Format Extract from the example above
7355 1 process_name '[' pid ']:' haproxy[14387]:
7356 2 client_ip ':' client_port 10.0.1.2:33313
7357 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
7358 4 frontend_name fnt
7359 5 backend_name '/' server_name bck/srv1
7360 6 Tw '/' Tc '/' Tt* 0/0/5007
7361 7 bytes_read* 212
7362 8 termination_state --
7363 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
7364 10 srv_queue '/' backend_queue 0/0
7365
7366Detailed fields description :
7367 - "client_ip" is the IP address of the client which initiated the TCP
7368 connection to haproxy.
7369
7370 - "client_port" is the TCP port of the client which initiated the connection.
7371
7372 - "accept_date" is the exact date when the connection was received by haproxy
7373 (which might be very slightly different from the date observed on the
7374 network if there was some queuing in the system's backlog). This is usually
7375 the same date which may appear in any upstream firewall's log.
7376
7377 - "frontend_name" is the name of the frontend (or listener) which received
7378 and processed the connection.
7379
7380 - "backend_name" is the name of the backend (or listener) which was selected
7381 to manage the connection to the server. This will be the same as the
7382 frontend if no switching rule has been applied, which is common for TCP
7383 applications.
7384
7385 - "server_name" is the name of the last server to which the connection was
7386 sent, which might differ from the first one if there were connection errors
7387 and a redispatch occurred. Note that this server belongs to the backend
7388 which processed the request. If the connection was aborted before reaching
7389 a server, "<NOSRV>" is indicated instead of a server name.
7390
7391 - "Tw" is the total time in milliseconds spent waiting in the various queues.
7392 It can be "-1" if the connection was aborted before reaching the queue.
7393 See "Timers" below for more details.
7394
7395 - "Tc" is the total time in milliseconds spent waiting for the connection to
7396 establish to the final server, including retries. It can be "-1" if the
7397 connection was aborted before a connection could be established. See
7398 "Timers" below for more details.
7399
7400 - "Tt" is the total time in milliseconds elapsed between the accept and the
7401 last close. It covers all possible processings. There is one exception, if
7402 "option logasap" was specified, then the time counting stops at the moment
7403 the log is emitted. In this case, a '+' sign is prepended before the value,
7404 indicating that the final one will be larger. See "Timers" below for more
7405 details.
7406
7407 - "bytes_read" is the total number of bytes transmitted from the server to
7408 the client when the log is emitted. If "option logasap" is specified, the
7409 this value will be prefixed with a '+' sign indicating that the final one
7410 may be larger. Please note that this value is a 64-bit counter, so log
7411 analysis tools must be able to handle it without overflowing.
7412
7413 - "termination_state" is the condition the session was in when the session
7414 ended. This indicates the session state, which side caused the end of
7415 session to happen, and for what reason (timeout, error, ...). The normal
7416 flags should be "--", indicating the session was closed by either end with
7417 no data remaining in buffers. See below "Session state at disconnection"
7418 for more details.
7419
7420 - "actconn" is the total number of concurrent connections on the process when
7421 the session was logged. It it useful to detect when some per-process system
7422 limits have been reached. For instance, if actconn is close to 512 when
7423 multiple connection errors occur, chances are high that the system limits
7424 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007425 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007426
7427 - "feconn" is the total number of concurrent connections on the frontend when
7428 the session was logged. It is useful to estimate the amount of resource
7429 required to sustain high loads, and to detect when the frontend's "maxconn"
7430 has been reached. Most often when this value increases by huge jumps, it is
7431 because there is congestion on the backend servers, but sometimes it can be
7432 caused by a denial of service attack.
7433
7434 - "beconn" is the total number of concurrent connections handled by the
7435 backend when the session was logged. It includes the total number of
7436 concurrent connections active on servers as well as the number of
7437 connections pending in queues. It is useful to estimate the amount of
7438 additional servers needed to support high loads for a given application.
7439 Most often when this value increases by huge jumps, it is because there is
7440 congestion on the backend servers, but sometimes it can be caused by a
7441 denial of service attack.
7442
7443 - "srv_conn" is the total number of concurrent connections still active on
7444 the server when the session was logged. It can never exceed the server's
7445 configured "maxconn" parameter. If this value is very often close or equal
7446 to the server's "maxconn", it means that traffic regulation is involved a
7447 lot, meaning that either the server's maxconn value is too low, or that
7448 there aren't enough servers to process the load with an optimal response
7449 time. When only one of the server's "srv_conn" is high, it usually means
7450 that this server has some trouble causing the connections to take longer to
7451 be processed than on other servers.
7452
7453 - "retries" is the number of connection retries experienced by this session
7454 when trying to connect to the server. It must normally be zero, unless a
7455 server is being stopped at the same moment the connection was attempted.
7456 Frequent retries generally indicate either a network problem between
7457 haproxy and the server, or a misconfigured system backlog on the server
7458 preventing new connections from being queued. This field may optionally be
7459 prefixed with a '+' sign, indicating that the session has experienced a
7460 redispatch after the maximal retry count has been reached on the initial
7461 server. In this case, the server name appearing in the log is the one the
7462 connection was redispatched to, and not the first one, though both may
7463 sometimes be the same in case of hashing for instance. So as a general rule
7464 of thumb, when a '+' is present in front of the retry count, this count
7465 should not be attributed to the logged server.
7466
7467 - "srv_queue" is the total number of requests which were processed before
7468 this one in the server queue. It is zero when the request has not gone
7469 through the server queue. It makes it possible to estimate the approximate
7470 server's response time by dividing the time spent in queue by the number of
7471 requests in the queue. It is worth noting that if a session experiences a
7472 redispatch and passes through two server queues, their positions will be
7473 cumulated. A request should not pass through both the server queue and the
7474 backend queue unless a redispatch occurs.
7475
7476 - "backend_queue" is the total number of requests which were processed before
7477 this one in the backend's global queue. It is zero when the request has not
7478 gone through the global queue. It makes it possible to estimate the average
7479 queue length, which easily translates into a number of missing servers when
7480 divided by a server's "maxconn" parameter. It is worth noting that if a
7481 session experiences a redispatch, it may pass twice in the backend's queue,
7482 and then both positions will be cumulated. A request should not pass
7483 through both the server queue and the backend queue unless a redispatch
7484 occurs.
7485
7486
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074878.2.3. HTTP log format
7488----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007489
7490The HTTP format is the most complete and the best suited for HTTP proxies. It
7491is enabled by when "option httplog" is specified in the frontend. It provides
7492the same level of information as the TCP format with additional features which
7493are specific to the HTTP protocol. Just like the TCP format, the log is usually
7494emitted at the end of the session, unless "option logasap" is specified, which
7495generally only makes sense for download sites. A session which matches the
7496"monitor" rules will never logged. It is also possible not to log sessions for
7497which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007498frontend. Successful connections will not be logged if "option dontlog-normal"
7499is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007500
7501Most fields are shared with the TCP log, some being different. A few fields may
7502slightly vary depending on some configuration options. Those ones are marked
7503with a star ('*') after the field name below.
7504
7505 Example :
7506 frontend http-in
7507 mode http
7508 option httplog
7509 log global
7510 default_backend bck
7511
7512 backend static
7513 server srv1 127.0.0.1:8000
7514
7515 >>> Feb 6 12:14:14 localhost \
7516 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
7517 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007518 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007519
7520 Field Format Extract from the example above
7521 1 process_name '[' pid ']:' haproxy[14389]:
7522 2 client_ip ':' client_port 10.0.1.2:33317
7523 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
7524 4 frontend_name http-in
7525 5 backend_name '/' server_name static/srv1
7526 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
7527 7 status_code 200
7528 8 bytes_read* 2750
7529 9 captured_request_cookie -
7530 10 captured_response_cookie -
7531 11 termination_state ----
7532 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
7533 13 srv_queue '/' backend_queue 0/0
7534 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
7535 15 '{' captured_response_headers* '}' {}
7536 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01007537
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007538
7539Detailed fields description :
7540 - "client_ip" is the IP address of the client which initiated the TCP
7541 connection to haproxy.
7542
7543 - "client_port" is the TCP port of the client which initiated the connection.
7544
7545 - "accept_date" is the exact date when the TCP connection was received by
7546 haproxy (which might be very slightly different from the date observed on
7547 the network if there was some queuing in the system's backlog). This is
7548 usually the same date which may appear in any upstream firewall's log. This
7549 does not depend on the fact that the client has sent the request or not.
7550
7551 - "frontend_name" is the name of the frontend (or listener) which received
7552 and processed the connection.
7553
7554 - "backend_name" is the name of the backend (or listener) which was selected
7555 to manage the connection to the server. This will be the same as the
7556 frontend if no switching rule has been applied.
7557
7558 - "server_name" is the name of the last server to which the connection was
7559 sent, which might differ from the first one if there were connection errors
7560 and a redispatch occurred. Note that this server belongs to the backend
7561 which processed the request. If the request was aborted before reaching a
7562 server, "<NOSRV>" is indicated instead of a server name. If the request was
7563 intercepted by the stats subsystem, "<STATS>" is indicated instead.
7564
7565 - "Tq" is the total time in milliseconds spent waiting for the client to send
7566 a full HTTP request, not counting data. It can be "-1" if the connection
7567 was aborted before a complete request could be received. It should always
7568 be very small because a request generally fits in one single packet. Large
7569 times here generally indicate network trouble between the client and
7570 haproxy. See "Timers" below for more details.
7571
7572 - "Tw" is the total time in milliseconds spent waiting in the various queues.
7573 It can be "-1" if the connection was aborted before reaching the queue.
7574 See "Timers" below for more details.
7575
7576 - "Tc" is the total time in milliseconds spent waiting for the connection to
7577 establish to the final server, including retries. It can be "-1" if the
7578 request was aborted before a connection could be established. See "Timers"
7579 below for more details.
7580
7581 - "Tr" is the total time in milliseconds spent waiting for the server to send
7582 a full HTTP response, not counting data. It can be "-1" if the request was
7583 aborted before a complete response could be received. It generally matches
7584 the server's processing time for the request, though it may be altered by
7585 the amount of data sent by the client to the server. Large times here on
7586 "GET" requests generally indicate an overloaded server. See "Timers" below
7587 for more details.
7588
7589 - "Tt" is the total time in milliseconds elapsed between the accept and the
7590 last close. It covers all possible processings. There is one exception, if
7591 "option logasap" was specified, then the time counting stops at the moment
7592 the log is emitted. In this case, a '+' sign is prepended before the value,
7593 indicating that the final one will be larger. See "Timers" below for more
7594 details.
7595
7596 - "status_code" is the HTTP status code returned to the client. This status
7597 is generally set by the server, but it might also be set by haproxy when
7598 the server cannot be reached or when its response is blocked by haproxy.
7599
7600 - "bytes_read" is the total number of bytes transmitted to the client when
7601 the log is emitted. This does include HTTP headers. If "option logasap" is
7602 specified, the this value will be prefixed with a '+' sign indicating that
7603 the final one may be larger. Please note that this value is a 64-bit
7604 counter, so log analysis tools must be able to handle it without
7605 overflowing.
7606
7607 - "captured_request_cookie" is an optional "name=value" entry indicating that
7608 the client had this cookie in the request. The cookie name and its maximum
7609 length are defined by the "capture cookie" statement in the frontend
7610 configuration. The field is a single dash ('-') when the option is not
7611 set. Only one cookie may be captured, it is generally used to track session
7612 ID exchanges between a client and a server to detect session crossing
7613 between clients due to application bugs. For more details, please consult
7614 the section "Capturing HTTP headers and cookies" below.
7615
7616 - "captured_response_cookie" is an optional "name=value" entry indicating
7617 that the server has returned a cookie with its response. The cookie name
7618 and its maximum length are defined by the "capture cookie" statement in the
7619 frontend configuration. The field is a single dash ('-') when the option is
7620 not set. Only one cookie may be captured, it is generally used to track
7621 session ID exchanges between a client and a server to detect session
7622 crossing between clients due to application bugs. For more details, please
7623 consult the section "Capturing HTTP headers and cookies" below.
7624
7625 - "termination_state" is the condition the session was in when the session
7626 ended. This indicates the session state, which side caused the end of
7627 session to happen, for what reason (timeout, error, ...), just like in TCP
7628 logs, and information about persistence operations on cookies in the last
7629 two characters. The normal flags should begin with "--", indicating the
7630 session was closed by either end with no data remaining in buffers. See
7631 below "Session state at disconnection" for more details.
7632
7633 - "actconn" is the total number of concurrent connections on the process when
7634 the session was logged. It it useful to detect when some per-process system
7635 limits have been reached. For instance, if actconn is close to 512 or 1024
7636 when multiple connection errors occur, chances are high that the system
7637 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007638 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007639 system.
7640
7641 - "feconn" is the total number of concurrent connections on the frontend when
7642 the session was logged. It is useful to estimate the amount of resource
7643 required to sustain high loads, and to detect when the frontend's "maxconn"
7644 has been reached. Most often when this value increases by huge jumps, it is
7645 because there is congestion on the backend servers, but sometimes it can be
7646 caused by a denial of service attack.
7647
7648 - "beconn" is the total number of concurrent connections handled by the
7649 backend when the session was logged. It includes the total number of
7650 concurrent connections active on servers as well as the number of
7651 connections pending in queues. It is useful to estimate the amount of
7652 additional servers needed to support high loads for a given application.
7653 Most often when this value increases by huge jumps, it is because there is
7654 congestion on the backend servers, but sometimes it can be caused by a
7655 denial of service attack.
7656
7657 - "srv_conn" is the total number of concurrent connections still active on
7658 the server when the session was logged. It can never exceed the server's
7659 configured "maxconn" parameter. If this value is very often close or equal
7660 to the server's "maxconn", it means that traffic regulation is involved a
7661 lot, meaning that either the server's maxconn value is too low, or that
7662 there aren't enough servers to process the load with an optimal response
7663 time. When only one of the server's "srv_conn" is high, it usually means
7664 that this server has some trouble causing the requests to take longer to be
7665 processed than on other servers.
7666
7667 - "retries" is the number of connection retries experienced by this session
7668 when trying to connect to the server. It must normally be zero, unless a
7669 server is being stopped at the same moment the connection was attempted.
7670 Frequent retries generally indicate either a network problem between
7671 haproxy and the server, or a misconfigured system backlog on the server
7672 preventing new connections from being queued. This field may optionally be
7673 prefixed with a '+' sign, indicating that the session has experienced a
7674 redispatch after the maximal retry count has been reached on the initial
7675 server. In this case, the server name appearing in the log is the one the
7676 connection was redispatched to, and not the first one, though both may
7677 sometimes be the same in case of hashing for instance. So as a general rule
7678 of thumb, when a '+' is present in front of the retry count, this count
7679 should not be attributed to the logged server.
7680
7681 - "srv_queue" is the total number of requests which were processed before
7682 this one in the server queue. It is zero when the request has not gone
7683 through the server queue. It makes it possible to estimate the approximate
7684 server's response time by dividing the time spent in queue by the number of
7685 requests in the queue. It is worth noting that if a session experiences a
7686 redispatch and passes through two server queues, their positions will be
7687 cumulated. A request should not pass through both the server queue and the
7688 backend queue unless a redispatch occurs.
7689
7690 - "backend_queue" is the total number of requests which were processed before
7691 this one in the backend's global queue. It is zero when the request has not
7692 gone through the global queue. It makes it possible to estimate the average
7693 queue length, which easily translates into a number of missing servers when
7694 divided by a server's "maxconn" parameter. It is worth noting that if a
7695 session experiences a redispatch, it may pass twice in the backend's queue,
7696 and then both positions will be cumulated. A request should not pass
7697 through both the server queue and the backend queue unless a redispatch
7698 occurs.
7699
7700 - "captured_request_headers" is a list of headers captured in the request due
7701 to the presence of the "capture request header" statement in the frontend.
7702 Multiple headers can be captured, they will be delimited by a vertical bar
7703 ('|'). When no capture is enabled, the braces do not appear, causing a
7704 shift of remaining fields. It is important to note that this field may
7705 contain spaces, and that using it requires a smarter log parser than when
7706 it's not used. Please consult the section "Capturing HTTP headers and
7707 cookies" below for more details.
7708
7709 - "captured_response_headers" is a list of headers captured in the response
7710 due to the presence of the "capture response header" statement in the
7711 frontend. Multiple headers can be captured, they will be delimited by a
7712 vertical bar ('|'). When no capture is enabled, the braces do not appear,
7713 causing a shift of remaining fields. It is important to note that this
7714 field may contain spaces, and that using it requires a smarter log parser
7715 than when it's not used. Please consult the section "Capturing HTTP headers
7716 and cookies" below for more details.
7717
7718 - "http_request" is the complete HTTP request line, including the method,
7719 request and HTTP version string. Non-printable characters are encoded (see
7720 below the section "Non-printable characters"). This is always the last
7721 field, and it is always delimited by quotes and is the only one which can
7722 contain quotes. If new fields are added to the log format, they will be
7723 added before this field. This field might be truncated if the request is
7724 huge and does not fit in the standard syslog buffer (1024 characters). This
7725 is the reason why this field must always remain the last one.
7726
7727
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077288.3. Advanced logging options
7729-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007730
7731Some advanced logging options are often looked for but are not easy to find out
7732just by looking at the various options. Here is an entry point for the few
7733options which can enable better logging. Please refer to the keywords reference
7734for more information about their usage.
7735
7736
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077378.3.1. Disabling logging of external tests
7738------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007739
7740It is quite common to have some monitoring tools perform health checks on
7741haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
7742commercial load-balancer, and sometimes it will simply be a more complete
7743monitoring system such as Nagios. When the tests are very frequent, users often
7744ask how to disable logging for those checks. There are three possibilities :
7745
7746 - if connections come from everywhere and are just TCP probes, it is often
7747 desired to simply disable logging of connections without data exchange, by
7748 setting "option dontlognull" in the frontend. It also disables logging of
7749 port scans, which may or may not be desired.
7750
7751 - if the connection come from a known source network, use "monitor-net" to
7752 declare this network as monitoring only. Any host in this network will then
7753 only be able to perform health checks, and their requests will not be
7754 logged. This is generally appropriate to designate a list of equipments
7755 such as other load-balancers.
7756
7757 - if the tests are performed on a known URI, use "monitor-uri" to declare
7758 this URI as dedicated to monitoring. Any host sending this request will
7759 only get the result of a health-check, and the request will not be logged.
7760
7761
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077628.3.2. Logging before waiting for the session to terminate
7763----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007764
7765The problem with logging at end of connection is that you have no clue about
7766what is happening during very long sessions, such as remote terminal sessions
7767or large file downloads. This problem can be worked around by specifying
7768"option logasap" in the frontend. Haproxy will then log as soon as possible,
7769just before data transfer begins. This means that in case of TCP, it will still
7770log the connection status to the server, and in case of HTTP, it will log just
7771after processing the server headers. In this case, the number of bytes reported
7772is the number of header bytes sent to the client. In order to avoid confusion
7773with normal logs, the total time field and the number of bytes are prefixed
7774with a '+' sign which means that real numbers are certainly larger.
7775
7776
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077778.3.3. Raising log level upon errors
7778------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007779
7780Sometimes it is more convenient to separate normal traffic from errors logs,
7781for instance in order to ease error monitoring from log files. When the option
7782"log-separate-errors" is used, connections which experience errors, timeouts,
7783retries, redispatches or HTTP status codes 5xx will see their syslog level
7784raised from "info" to "err". This will help a syslog daemon store the log in
7785a separate file. It is very important to keep the errors in the normal traffic
7786file too, so that log ordering is not altered. You should also be careful if
7787you already have configured your syslog daemon to store all logs higher than
7788"notice" in an "admin" file, because the "err" level is higher than "notice".
7789
7790
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077918.3.4. Disabling logging of successful connections
7792--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007793
7794Although this may sound strange at first, some large sites have to deal with
7795multiple thousands of logs per second and are experiencing difficulties keeping
7796them intact for a long time or detecting errors within them. If the option
7797"dontlog-normal" is set on the frontend, all normal connections will not be
7798logged. In this regard, a normal connection is defined as one without any
7799error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
7800and a response with a status 5xx is not considered normal and will be logged
7801too. Of course, doing is is really discouraged as it will remove most of the
7802useful information from the logs. Do this only if you have no other
7803alternative.
7804
7805
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078068.4. Timing events
7807------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007808
7809Timers provide a great help in troubleshooting network problems. All values are
7810reported in milliseconds (ms). These timers should be used in conjunction with
7811the session termination flags. In TCP mode with "option tcplog" set on the
7812frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
7813mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
7814
7815 - Tq: total time to get the client request (HTTP mode only). It's the time
7816 elapsed between the moment the client connection was accepted and the
7817 moment the proxy received the last HTTP header. The value "-1" indicates
7818 that the end of headers (empty line) has never been seen. This happens when
7819 the client closes prematurely or times out.
7820
7821 - Tw: total time spent in the queues waiting for a connection slot. It
7822 accounts for backend queue as well as the server queues, and depends on the
7823 queue size, and the time needed for the server to complete previous
7824 requests. The value "-1" means that the request was killed before reaching
7825 the queue, which is generally what happens with invalid or denied requests.
7826
7827 - Tc: total time to establish the TCP connection to the server. It's the time
7828 elapsed between the moment the proxy sent the connection request, and the
7829 moment it was acknowledged by the server, or between the TCP SYN packet and
7830 the matching SYN/ACK packet in return. The value "-1" means that the
7831 connection never established.
7832
7833 - Tr: server response time (HTTP mode only). It's the time elapsed between
7834 the moment the TCP connection was established to the server and the moment
7835 the server sent its complete response headers. It purely shows its request
7836 processing time, without the network overhead due to the data transmission.
7837 It is worth noting that when the client has data to send to the server, for
7838 instance during a POST request, the time already runs, and this can distort
7839 apparent response time. For this reason, it's generally wise not to trust
7840 too much this field for POST requests initiated from clients behind an
7841 untrusted network. A value of "-1" here means that the last the response
7842 header (empty line) was never seen, most likely because the server timeout
7843 stroke before the server managed to process the request.
7844
7845 - Tt: total session duration time, between the moment the proxy accepted it
7846 and the moment both ends were closed. The exception is when the "logasap"
7847 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
7848 prefixed with a '+' sign. From this field, we can deduce "Td", the data
7849 transmission time, by substracting other timers when valid :
7850
7851 Td = Tt - (Tq + Tw + Tc + Tr)
7852
7853 Timers with "-1" values have to be excluded from this equation. In TCP
7854 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
7855 negative.
7856
7857These timers provide precious indications on trouble causes. Since the TCP
7858protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
7859that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007860due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007861close to a timeout value specified in the configuration, it often means that a
7862session has been aborted on timeout.
7863
7864Most common cases :
7865
7866 - If "Tq" is close to 3000, a packet has probably been lost between the
7867 client and the proxy. This is very rare on local networks but might happen
7868 when clients are on far remote networks and send large requests. It may
7869 happen that values larger than usual appear here without any network cause.
7870 Sometimes, during an attack or just after a resource starvation has ended,
7871 haproxy may accept thousands of connections in a few milliseconds. The time
7872 spent accepting these connections will inevitably slightly delay processing
7873 of other connections, and it can happen that request times in the order of
7874 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02007875 connections have been accepted at once. Setting "option http-server-close"
7876 may display larger request times since "Tq" also measures the time spent
7877 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007878
7879 - If "Tc" is close to 3000, a packet has probably been lost between the
7880 server and the proxy during the server connection phase. This value should
7881 always be very low, such as 1 ms on local networks and less than a few tens
7882 of ms on remote networks.
7883
Willy Tarreau55165fe2009-05-10 12:02:55 +02007884 - If "Tr" is nearly always lower than 3000 except some rare values which seem
7885 to be the average majored by 3000, there are probably some packets lost
7886 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007887
7888 - If "Tt" is large even for small byte counts, it generally is because
7889 neither the client nor the server decides to close the connection, for
7890 instance because both have agreed on a keep-alive connection mode. In order
7891 to solve this issue, it will be needed to specify "option httpclose" on
7892 either the frontend or the backend. If the problem persists, it means that
7893 the server ignores the "close" connection mode and expects the client to
7894 close. Then it will be required to use "option forceclose". Having the
7895 smallest possible 'Tt' is important when connection regulation is used with
7896 the "maxconn" option on the servers, since no new connection will be sent
7897 to the server until another one is released.
7898
7899Other noticeable HTTP log cases ('xx' means any value to be ignored) :
7900
7901 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
7902 was emitted before the data phase. All the timers are valid
7903 except "Tt" which is shorter than reality.
7904
7905 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
7906 or it aborted too early. Check the session termination flags
7907 then "timeout http-request" and "timeout client" settings.
7908
7909 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
7910 servers were out of order, because the request was invalid
7911 or forbidden by ACL rules. Check the session termination
7912 flags.
7913
7914 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
7915 actively refused it or it timed out after Tt-(Tq+Tw) ms.
7916 Check the session termination flags, then check the
7917 "timeout connect" setting. Note that the tarpit action might
7918 return similar-looking patterns, with "Tw" equal to the time
7919 the client connection was maintained open.
7920
7921 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
7922 a complete response in time, or it closed its connexion
7923 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
7924 termination flags, then check the "timeout server" setting.
7925
7926
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079278.5. Session state at disconnection
7928-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007929
7930TCP and HTTP logs provide a session termination indicator in the
7931"termination_state" field, just before the number of active connections. It is
79322-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
7933each of which has a special meaning :
7934
7935 - On the first character, a code reporting the first event which caused the
7936 session to terminate :
7937
7938 C : the TCP session was unexpectedly aborted by the client.
7939
7940 S : the TCP session was unexpectedly aborted by the server, or the
7941 server explicitly refused it.
7942
7943 P : the session was prematurely aborted by the proxy, because of a
7944 connection limit enforcement, because a DENY filter was matched,
7945 because of a security check which detected and blocked a dangerous
7946 error in server response which might have caused information leak
7947 (eg: cacheable cookie), or because the response was processed by
7948 the proxy (redirect, stats, etc...).
7949
7950 R : a resource on the proxy has been exhausted (memory, sockets, source
7951 ports, ...). Usually, this appears during the connection phase, and
7952 system logs should contain a copy of the precise error. If this
7953 happens, it must be considered as a very serious anomaly which
7954 should be fixed as soon as possible by any means.
7955
7956 I : an internal error was identified by the proxy during a self-check.
7957 This should NEVER happen, and you are encouraged to report any log
7958 containing this, because this would almost certainly be a bug. It
7959 would be wise to preventively restart the process after such an
7960 event too, in case it would be caused by memory corruption.
7961
7962 c : the client-side timeout expired while waiting for the client to
7963 send or receive data.
7964
7965 s : the server-side timeout expired while waiting for the server to
7966 send or receive data.
7967
7968 - : normal session completion, both the client and the server closed
7969 with nothing left in the buffers.
7970
7971 - on the second character, the TCP or HTTP session state when it was closed :
7972
7973 R : th proxy was waiting for a complete, valid REQUEST from the client
7974 (HTTP mode only). Nothing was sent to any server.
7975
7976 Q : the proxy was waiting in the QUEUE for a connection slot. This can
7977 only happen when servers have a 'maxconn' parameter set. It can
7978 also happen in the global queue after a redispatch consecutive to
7979 a failed attempt to connect to a dying server. If no redispatch is
7980 reported, then no connection attempt was made to any server.
7981
7982 C : the proxy was waiting for the CONNECTION to establish on the
7983 server. The server might at most have noticed a connection attempt.
7984
7985 H : the proxy was waiting for complete, valid response HEADERS from the
7986 server (HTTP only).
7987
7988 D : the session was in the DATA phase.
7989
7990 L : the proxy was still transmitting LAST data to the client while the
7991 server had already finished. This one is very rare as it can only
7992 happen when the client dies while receiving the last packets.
7993
7994 T : the request was tarpitted. It has been held open with the client
7995 during the whole "timeout tarpit" duration or until the client
7996 closed, both of which will be reported in the "Tw" timer.
7997
7998 - : normal session completion after end of data transfer.
7999
8000 - the third character tells whether the persistence cookie was provided by
8001 the client (only in HTTP mode) :
8002
8003 N : the client provided NO cookie. This is usually the case for new
8004 visitors, so counting the number of occurrences of this flag in the
8005 logs generally indicate a valid trend for the site frequentation.
8006
8007 I : the client provided an INVALID cookie matching no known server.
8008 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02008009 cookies between HTTP/HTTPS sites, persistence conditionally
8010 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008011
8012 D : the client provided a cookie designating a server which was DOWN,
8013 so either "option persist" was used and the client was sent to
8014 this server, or it was not set and the client was redispatched to
8015 another server.
8016
8017 V : the client provided a valid cookie, and was sent to the associated
8018 server.
8019
8020 - : does not apply (no cookie set in configuration).
8021
8022 - the last character reports what operations were performed on the persistence
8023 cookie returned by the server (only in HTTP mode) :
8024
8025 N : NO cookie was provided by the server, and none was inserted either.
8026
8027 I : no cookie was provided by the server, and the proxy INSERTED one.
8028 Note that in "cookie insert" mode, if the server provides a cookie,
8029 it will still be overwritten and reported as "I" here.
8030
8031 P : a cookie was PROVIDED by the server and transmitted as-is.
8032
8033 R : the cookie provided by the server was REWRITTEN by the proxy, which
8034 happens in "cookie rewrite" or "cookie prefix" modes.
8035
8036 D : the cookie provided by the server was DELETED by the proxy.
8037
8038 - : does not apply (no cookie set in configuration).
8039
8040The combination of the two first flags give a lot of information about what was
8041happening when the session terminated, and why it did terminate. It can be
8042helpful to detect server saturation, network troubles, local system resource
8043starvation, attacks, etc...
8044
8045The most common termination flags combinations are indicated below. They are
8046alphabetically sorted, with the lowercase set just after the upper case for
8047easier finding and understanding.
8048
8049 Flags Reason
8050
8051 -- Normal termination.
8052
8053 CC The client aborted before the connection could be established to the
8054 server. This can happen when haproxy tries to connect to a recently
8055 dead (or unchecked) server, and the client aborts while haproxy is
8056 waiting for the server to respond or for "timeout connect" to expire.
8057
8058 CD The client unexpectedly aborted during data transfer. This can be
8059 caused by a browser crash, by an intermediate equipment between the
8060 client and haproxy which decided to actively break the connection,
8061 by network routing issues between the client and haproxy, or by a
8062 keep-alive session between the server and the client terminated first
8063 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008064
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008065 cD The client did not send nor acknowledge any data for as long as the
8066 "timeout client" delay. This is often caused by network failures on
8067 the client side, or the client simply leaving the net uncleanly.
8068
8069 CH The client aborted while waiting for the server to start responding.
8070 It might be the server taking too long to respond or the client
8071 clicking the 'Stop' button too fast.
8072
8073 cH The "timeout client" stroke while waiting for client data during a
8074 POST request. This is sometimes caused by too large TCP MSS values
8075 for PPPoE networks which cannot transport full-sized packets. It can
8076 also happen when client timeout is smaller than server timeout and
8077 the server takes too long to respond.
8078
8079 CQ The client aborted while its session was queued, waiting for a server
8080 with enough empty slots to accept it. It might be that either all the
8081 servers were saturated or that the assigned server was taking too
8082 long a time to respond.
8083
8084 CR The client aborted before sending a full HTTP request. Most likely
8085 the request was typed by hand using a telnet client, and aborted
8086 too early. The HTTP status code is likely a 400 here. Sometimes this
8087 might also be caused by an IDS killing the connection between haproxy
8088 and the client.
8089
8090 cR The "timeout http-request" stroke before the client sent a full HTTP
8091 request. This is sometimes caused by too large TCP MSS values on the
8092 client side for PPPoE networks which cannot transport full-sized
8093 packets, or by clients sending requests by hand and not typing fast
8094 enough, or forgetting to enter the empty line at the end of the
8095 request. The HTTP status code is likely a 408 here.
8096
8097 CT The client aborted while its session was tarpitted. It is important to
8098 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02008099 wrong tarpit rules have been written. If a lot of them happen, it
8100 might make sense to lower the "timeout tarpit" value to something
8101 closer to the average reported "Tw" timer, in order not to consume
8102 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008103
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008104 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008105 the TCP connection (the proxy received a TCP RST or an ICMP message
8106 in return). Under some circumstances, it can also be the network
8107 stack telling the proxy that the server is unreachable (eg: no route,
8108 or no ARP response on local network). When this happens in HTTP mode,
8109 the status code is likely a 502 or 503 here.
8110
8111 sC The "timeout connect" stroke before a connection to the server could
8112 complete. When this happens in HTTP mode, the status code is likely a
8113 503 or 504 here.
8114
8115 SD The connection to the server died with an error during the data
8116 transfer. This usually means that haproxy has received an RST from
8117 the server or an ICMP message from an intermediate equipment while
8118 exchanging data with the server. This can be caused by a server crash
8119 or by a network issue on an intermediate equipment.
8120
8121 sD The server did not send nor acknowledge any data for as long as the
8122 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008123 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008124 load-balancers, ...), as well as keep-alive sessions maintained
8125 between the client and the server expiring first on haproxy.
8126
8127 SH The server aborted before sending its full HTTP response headers, or
8128 it crashed while processing the request. Since a server aborting at
8129 this moment is very rare, it would be wise to inspect its logs to
8130 control whether it crashed and why. The logged request may indicate a
8131 small set of faulty requests, demonstrating bugs in the application.
8132 Sometimes this might also be caused by an IDS killing the connection
8133 between haproxy and the server.
8134
8135 sH The "timeout server" stroke before the server could return its
8136 response headers. This is the most common anomaly, indicating too
8137 long transactions, probably caused by server or database saturation.
8138 The immediate workaround consists in increasing the "timeout server"
8139 setting, but it is important to keep in mind that the user experience
8140 will suffer from these long response times. The only long term
8141 solution is to fix the application.
8142
8143 sQ The session spent too much time in queue and has been expired. See
8144 the "timeout queue" and "timeout connect" settings to find out how to
8145 fix this if it happens too often. If it often happens massively in
8146 short periods, it may indicate general problems on the affected
8147 servers due to I/O or database congestion, or saturation caused by
8148 external attacks.
8149
8150 PC The proxy refused to establish a connection to the server because the
8151 process' socket limit has been reached while attempting to connect.
8152 The global "maxconn" parameter may be increased in the configuration
8153 so that it does not happen anymore. This status is very rare and
8154 might happen when the global "ulimit-n" parameter is forced by hand.
8155
8156 PH The proxy blocked the server's response, because it was invalid,
8157 incomplete, dangerous (cache control), or matched a security filter.
8158 In any case, an HTTP 502 error is sent to the client. One possible
8159 cause for this error is an invalid syntax in an HTTP header name
8160 containing unauthorized characters.
8161
8162 PR The proxy blocked the client's HTTP request, either because of an
8163 invalid HTTP syntax, in which case it returned an HTTP 400 error to
8164 the client, or because a deny filter matched, in which case it
8165 returned an HTTP 403 error.
8166
8167 PT The proxy blocked the client's request and has tarpitted its
8168 connection before returning it a 500 server error. Nothing was sent
8169 to the server. The connection was maintained open for as long as
8170 reported by the "Tw" timer field.
8171
8172 RC A local resource has been exhausted (memory, sockets, source ports)
8173 preventing the connection to the server from establishing. The error
8174 logs will tell precisely what was missing. This is very rare and can
8175 only be solved by proper system tuning.
8176
8177
Willy Tarreauc57f0e22009-05-10 13:12:33 +020081788.6. Non-printable characters
8179-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008180
8181In order not to cause trouble to log analysis tools or terminals during log
8182consulting, non-printable characters are not sent as-is into log files, but are
8183converted to the two-digits hexadecimal representation of their ASCII code,
8184prefixed by the character '#'. The only characters that can be logged without
8185being escaped are comprised between 32 and 126 (inclusive). Obviously, the
8186escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
8187is the same for the character '"' which becomes "#22", as well as '{', '|' and
8188'}' when logging headers.
8189
8190Note that the space character (' ') is not encoded in headers, which can cause
8191issues for tools relying on space count to locate fields. A typical header
8192containing spaces is "User-Agent".
8193
8194Last, it has been observed that some syslog daemons such as syslog-ng escape
8195the quote ('"') with a backslash ('\'). The reverse operation can safely be
8196performed since no quote may appear anywhere else in the logs.
8197
8198
Willy Tarreauc57f0e22009-05-10 13:12:33 +020081998.7. Capturing HTTP cookies
8200---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008201
8202Cookie capture simplifies the tracking a complete user session. This can be
8203achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008204section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008205cookie will simultaneously be checked in the request ("Cookie:" header) and in
8206the response ("Set-Cookie:" header). The respective values will be reported in
8207the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008208locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008209not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
8210user switches to a new session for example, because the server will reassign it
8211a new cookie. It is also possible to detect if a server unexpectedly sets a
8212wrong cookie to a client, leading to session crossing.
8213
8214 Examples :
8215 # capture the first cookie whose name starts with "ASPSESSION"
8216 capture cookie ASPSESSION len 32
8217
8218 # capture the first cookie whose name is exactly "vgnvisitor"
8219 capture cookie vgnvisitor= len 32
8220
8221
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082228.8. Capturing HTTP headers
8223---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008224
8225Header captures are useful to track unique request identifiers set by an upper
8226proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
8227the response, one can search for information about the response length, how the
8228server asked the cache to behave, or an object location during a redirection.
8229
8230Header captures are performed using the "capture request header" and "capture
8231response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008232section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008233
8234It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008235time. Non-existent headers are logged as empty strings, and if one header
8236appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008237are grouped within braces '{' and '}' in the same order as they were declared,
8238and delimited with a vertical bar '|' without any space. Response headers
8239follow the same representation, but are displayed after a space following the
8240request headers block. These blocks are displayed just before the HTTP request
8241in the logs.
8242
8243 Example :
8244 # This instance chains to the outgoing proxy
8245 listen proxy-out
8246 mode http
8247 option httplog
8248 option logasap
8249 log global
8250 server cache1 192.168.1.1:3128
8251
8252 # log the name of the virtual server
8253 capture request header Host len 20
8254
8255 # log the amount of data uploaded during a POST
8256 capture request header Content-Length len 10
8257
8258 # log the beginning of the referrer
8259 capture request header Referer len 20
8260
8261 # server name (useful for outgoing proxies only)
8262 capture response header Server len 20
8263
8264 # logging the content-length is useful with "option logasap"
8265 capture response header Content-Length len 10
8266
8267 # log the expected cache behaviour on the response
8268 capture response header Cache-Control len 8
8269
8270 # the Via header will report the next proxy's name
8271 capture response header Via len 20
8272
8273 # log the URL location during a redirection
8274 capture response header Location len 20
8275
8276 >>> Aug 9 20:26:09 localhost \
8277 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
8278 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
8279 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
8280 "GET http://fr.adserver.yahoo.com/"
8281
8282 >>> Aug 9 20:30:46 localhost \
8283 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
8284 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
8285 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008286 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008287
8288 >>> Aug 9 20:30:46 localhost \
8289 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
8290 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
8291 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
8292 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008293 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008294
8295
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082968.9. Examples of logs
8297---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008298
8299These are real-world examples of logs accompanied with an explanation. Some of
8300them have been made up by hand. The syslog part has been removed for better
8301reading. Their sole purpose is to explain how to decipher them.
8302
8303 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
8304 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
8305 "HEAD / HTTP/1.0"
8306
8307 => long request (6.5s) entered by hand through 'telnet'. The server replied
8308 in 147 ms, and the session ended normally ('----')
8309
8310 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
8311 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
8312 0/9 "HEAD / HTTP/1.0"
8313
8314 => Idem, but the request was queued in the global queue behind 9 other
8315 requests, and waited there for 1230 ms.
8316
8317 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
8318 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
8319 "GET /image.iso HTTP/1.0"
8320
8321 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008322 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008323 14 ms, 243 bytes of headers were sent to the client, and total time from
8324 accept to first data byte is 30 ms.
8325
8326 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
8327 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
8328 "GET /cgi-bin/bug.cgi? HTTP/1.0"
8329
8330 => the proxy blocked a server response either because of an "rspdeny" or
8331 "rspideny" filter, or because the response was improperly formatted and
8332 not HTTP-compliant, or because it blocked sensible information which
8333 risked being cached. In this case, the response is replaced with a "502
8334 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
8335 to return the 502 and not the server.
8336
8337 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008338 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008339
8340 => the client never completed its request and aborted itself ("C---") after
8341 8.5s, while the proxy was waiting for the request headers ("-R--").
8342 Nothing was sent to any server.
8343
8344 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
8345 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
8346
8347 => The client never completed its request, which was aborted by the
8348 time-out ("c---") after 50s, while the proxy was waiting for the request
8349 headers ("-R--"). Nothing was sent to any server, but the proxy could
8350 send a 408 return code to the client.
8351
8352 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
8353 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
8354
8355 => This log was produced with "option tcplog". The client timed out after
8356 5 seconds ("c----").
8357
8358 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
8359 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008360 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008361
8362 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008363 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008364 (config says 'retries 3'), and no redispatch (otherwise we would have
8365 seen "/+3"). Status code 503 was returned to the client. There were 115
8366 connections on this server, 202 connections on this proxy, and 205 on
8367 the global process. It is possible that the server refused the
8368 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008369
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008370
Willy Tarreauc57f0e22009-05-10 13:12:33 +020083719. Statistics and monitoring
8372----------------------------
8373
8374It is possible to query HAProxy about its status. The most commonly used
8375mechanism is the HTTP statistics page. This page also exposes an alternative
8376CSV output format for monitoring tools. The same format is provided on the
8377Unix socket.
8378
8379
83809.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008381---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008382
Willy Tarreau7f062c42009-03-05 18:43:00 +01008383The statistics may be consulted either from the unix socket or from the HTTP
8384page. Both means provide a CSV format whose fields follow.
8385
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008386 0. pxname: proxy name
8387 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
8388 for server)
8389 2. qcur: current queued requests
8390 3. qmax: max queued requests
8391 4. scur: current sessions
8392 5. smax: max sessions
8393 6. slim: sessions limit
8394 7. stot: total sessions
8395 8. bin: bytes in
8396 9. bout: bytes out
8397 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008398 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008399 12. ereq: request errors
8400 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +01008401 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008402 15. wretr: retries (warning)
8403 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +01008404 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008405 18. weight: server weight (server), total weight (backend)
8406 19. act: server is active (server), number of active servers (backend)
8407 20. bck: server is backup (server), number of backup servers (backend)
8408 21. chkfail: number of failed checks
8409 22. chkdown: number of UP->DOWN transitions
8410 23. lastchg: last status change (in seconds)
8411 24. downtime: total downtime (in seconds)
8412 25. qlimit: queue limit
8413 26. pid: process id (0 for first instance, 1 for second, ...)
8414 27. iid: unique proxy id
8415 28. sid: service id (unique inside a proxy)
8416 29. throttle: warm up status
8417 30. lbtot: total number of times a server was selected
8418 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02008419 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +02008420 33. rate: number of sessions per second over last elapsed second
8421 34. rate_lim: limit on new sessions per second
8422 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008423 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +01008424 UNK -> unknown
8425 INI -> initializing
8426 SOCKERR -> socket error
8427 L4OK -> check passed on layer 4, no upper layers testing enabled
8428 L4TMOUT -> layer 1-4 timeout
8429 L4CON -> layer 1-4 connection problem, for example
8430 "Connection refused" (tcp rst) or "No route to host" (icmp)
8431 L6OK -> check passed on layer 6
8432 L6TOUT -> layer 6 (SSL) timeout
8433 L6RSP -> layer 6 invalid response - protocol error
8434 L7OK -> check passed on layer 7
8435 L7OKC -> check conditionally passed on layer 7, for example 404 with
8436 disable-on-404
8437 L7TOUT -> layer 7 (HTTP/SMTP) timeout
8438 L7RSP -> layer 7 invalid response - protocol error
8439 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008440 37. check_code: layer5-7 code, if available
8441 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008442 39. hrsp_1xx: http responses with 1xx code
8443 40. hrsp_2xx: http responses with 2xx code
8444 41. hrsp_3xx: http responses with 3xx code
8445 42. hrsp_4xx: http responses with 4xx code
8446 43. hrsp_5xx: http responses with 5xx code
8447 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +01008448 45. hanafail: failed health checks details
8449 46. req_rate: HTTP requests per second over last elapsed second
8450 47. req_rate_max: max number of HTTP requests per second observed
8451 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +01008452 49. cli_abrt: number of data transfers aborted by the client
8453 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +01008454
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008455
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084569.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008457-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008458
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008459The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008460must be terminated by a line feed. The socket supports pipelining, so that it
8461is possible to chain multiple commands at once provided they are delimited by
8462a semi-colon or a line feed, although the former is more reliable as it has no
8463risk of being truncated over the network. The responses themselves will each be
8464followed by an empty line, so it will be easy for an external script to match a
8465given response with a given request. By default one command line is processed
8466then the connection closes, but there is an interactive allowing multiple lines
8467to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008468
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008469It is important to understand that when multiple haproxy processes are started
8470on the same sockets, any process may pick up the request and will output its
8471own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008472
Willy Tarreaud63335a2010-02-26 12:56:52 +01008473clear counters
8474 Clear the max values of the statistics counters in each proxy (frontend &
8475 backend) and in each server. The cumulated counters are not affected. This
8476 can be used to get clean counters after an incident, without having to
8477 restart nor to clear traffic counters. This command is restricted and can
8478 only be issued on sockets configured for levels "operator" or "admin".
8479
8480clear counters all
8481 Clear all statistics counters in each proxy (frontend & backend) and in each
8482 server. This has the same effect as restarting. This command is restricted
8483 and can only be issued on sockets configured for level "admin".
8484
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008485clear table <table> key <key>
8486 Remove entry <key> from the stick-table <table>. The key must be of the same
8487 type as the table, which currently is limited to IPv4. This is typically used
8488 un unblock some users complaining they have been abusively denied access to a
8489 service, but this can also be used to clear some stickiness entries matching
8490 a server that is going to be replaced (see "show table" below for details).
8491 Note that sometimes, removal of a key will be refused because it is currently
8492 tracked by a session. Retrying a few seconds later after the session ends is
8493 usuall enough.
8494
8495 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008496 $ echo "show table http_proxy" | socat stdio /tmp/sock1
8497 >>> # table: http_proxy, type: 0, size:204800, used:2
8498 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
8499 bytes_out_rate(60000)=187
8500 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8501 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008502
8503 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
8504
8505 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Willy Tarreau62a36c42010-08-17 15:53:10 +02008506 >>> # table: http_proxy, type: 0, size:204800, used:1
8507 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8508 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008509
Willy Tarreaud63335a2010-02-26 12:56:52 +01008510disable server <backend>/<server>
8511 Mark the server DOWN for maintenance. In this mode, no more checks will be
8512 performed on the server until it leaves maintenance.
8513 If the server is tracked by other servers, those servers will be set to DOWN
8514 during the maintenance.
8515
8516 In the statistics page, a server DOWN for maintenance will appear with a
8517 "MAINT" status, its tracking servers with the "MAINT(via)" one.
8518
8519 Both the backend and the server may be specified either by their name or by
8520 their numeric ID, prefixed with a dash ('#').
8521
8522 This command is restricted and can only be issued on sockets configured for
8523 level "admin".
8524
8525enable server <backend>/<server>
8526 If the server was previously marked as DOWN for maintenance, this marks the
8527 server UP and checks are re-enabled.
8528
8529 Both the backend and the server may be specified either by their name or by
8530 their numeric ID, prefixed with a dash ('#').
8531
8532 This command is restricted and can only be issued on sockets configured for
8533 level "admin".
8534
8535get weight <backend>/<server>
8536 Report the current weight and the initial weight of server <server> in
8537 backend <backend> or an error if either doesn't exist. The initial weight is
8538 the one that appears in the configuration file. Both are normally equal
8539 unless the current weight has been changed. Both the backend and the server
8540 may be specified either by their name or by their numeric ID, prefixed with a
8541 dash ('#').
8542
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008543help
8544 Print the list of known keywords and their basic usage. The same help screen
8545 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008546
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008547prompt
8548 Toggle the prompt at the beginning of the line and enter or leave interactive
8549 mode. In interactive mode, the connection is not closed after a command
8550 completes. Instead, the prompt will appear again, indicating the user that
8551 the interpreter is waiting for a new command. The prompt consists in a right
8552 angle bracket followed by a space "> ". This mode is particularly convenient
8553 when one wants to periodically check information such as stats or errors.
8554 It is also a good idea to enter interactive mode before issuing a "help"
8555 command.
8556
8557quit
8558 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008559
Willy Tarreaud63335a2010-02-26 12:56:52 +01008560set timeout cli <delay>
8561 Change the CLI interface timeout for current connection. This can be useful
8562 during long debugging sessions where the user needs to constantly inspect
8563 some indicators without being disconnected. The delay is passed in seconds.
8564
8565set weight <backend>/<server> <weight>[%]
8566 Change a server's weight to the value passed in argument. If the value ends
8567 with the '%' sign, then the new weight will be relative to the initially
8568 configured weight. Relative weights are only permitted between 0 and 100%,
8569 and absolute weights are permitted between 0 and 256. Servers which are part
8570 of a farm running a static load-balancing algorithm have stricter limitations
8571 because the weight cannot change once set. Thus for these servers, the only
8572 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
8573 effect immediately, though certain LB algorithms require a certain amount of
8574 requests to consider changes. A typical usage of this command is to disable
8575 a server during an update by setting its weight to zero, then to enable it
8576 again after the update by setting it back to 100%. This command is restricted
8577 and can only be issued on sockets configured for level "admin". Both the
8578 backend and the server may be specified either by their name or by their
8579 numeric ID, prefixed with a dash ('#').
8580
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008581show errors [<iid>]
8582 Dump last known request and response errors collected by frontends and
8583 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +02008584 either frontend or backend whose ID is <iid>. This command is restricted
8585 and can only be issued on sockets configured for levels "operator" or
8586 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008587
8588 The errors which may be collected are the last request and response errors
8589 caused by protocol violations, often due to invalid characters in header
8590 names. The report precisely indicates what exact character violated the
8591 protocol. Other important information such as the exact date the error was
8592 detected, frontend and backend names, the server name (when known), the
8593 internal session ID and the source address which has initiated the session
8594 are reported too.
8595
8596 All characters are returned, and non-printable characters are encoded. The
8597 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
8598 letter following a backslash. The backslash itself is encoded as '\\' to
8599 avoid confusion. Other non-printable characters are encoded '\xNN' where
8600 NN is the two-digits hexadecimal representation of the character's ASCII
8601 code.
8602
8603 Lines are prefixed with the position of their first character, starting at 0
8604 for the beginning of the buffer. At most one input line is printed per line,
8605 and large lines will be broken into multiple consecutive output lines so that
8606 the output never goes beyond 79 characters wide. It is easy to detect if a
8607 line was broken, because it will not end with '\n' and the next line's offset
8608 will be followed by a '+' sign, indicating it is a continuation of previous
8609 line.
8610
8611 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008612 $ echo "show errors" | socat stdio /tmp/sock1
8613 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008614 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
8615 response length 213 bytes, error at position 23:
8616
8617 00000 HTTP/1.0 200 OK\r\n
8618 00017 header/bizarre:blah\r\n
8619 00038 Location: blah\r\n
8620 00054 Long-line: this is a very long line which should b
8621 00104+ e broken into multiple lines on the output buffer,
8622 00154+ otherwise it would be too large to print in a ter
8623 00204+ minal\r\n
8624 00211 \r\n
8625
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008626 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008627 ID 2 has blocked an invalid response from its server s2 which has internal
8628 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
8629 received by frontend fe-eth0 whose ID is 1. The total response length was
8630 213 bytes when the error was detected, and the error was at byte 23. This
8631 is the slash ('/') in header name "header/bizarre", which is not a valid
8632 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008633
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008634show info
8635 Dump info about haproxy status on current process.
8636
8637show sess
8638 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +02008639 be huge. This command is restricted and can only be issued on sockets
8640 configured for levels "operator" or "admin".
8641
Willy Tarreau66dc20a2010-03-05 17:53:32 +01008642show sess <id>
8643 Display a lot of internal information about the specified session identifier.
8644 This identifier is the first field at the beginning of the lines in the dumps
8645 of "show sess" (it corresponds to the session pointer). Those information are
8646 useless to most users but may be used by haproxy developers to troubleshoot a
8647 complex bug. The output format is intentionally not documented so that it can
8648 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008649
8650show stat [<iid> <type> <sid>]
8651 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
8652 possible to dump only selected items :
8653 - <iid> is a proxy ID, -1 to dump everything
8654 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
8655 backends, 4 for servers, -1 for everything. These values can be ORed,
8656 for example:
8657 1 + 2 = 3 -> frontend + backend.
8658 1 + 2 + 4 = 7 -> frontend + backend + server.
8659 - <sid> is a server ID, -1 to dump everything from the selected proxy.
8660
8661 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008662 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
8663 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008664 Version: 1.4-dev2-49
8665 Release_date: 2009/09/23
8666 Nbproc: 1
8667 Process_num: 1
8668 (...)
8669
8670 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
8671 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
8672 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
8673 (...)
8674 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
8675
8676 $
8677
8678 Here, two commands have been issued at once. That way it's easy to find
8679 which process the stats apply to in multi-process mode. Notice the empty
8680 line after the information output which marks the end of the first block.
8681 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008682 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008683
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008684show table
8685 Dump general information on all known stick-tables. Their name is returned
8686 (the name of the proxy which holds them), their type (currently zero, always
8687 IP), their size in maximum possible number of entries, and the number of
8688 entries currently in use.
8689
8690 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008691 $ echo "show table" | socat stdio /tmp/sock1
8692 >>> # table: front_pub, type: 0, size:204800, used:171454
8693 >>> # table: back_rdp, type: 0, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008694
8695show table <name> [ data.<type> <operator> <value> ]
8696 Dump contents of stick-table <name>. In this mode, a first line of generic
8697 information about the table is reported as with "show table", then all
8698 entries are dumped. Since this can be quite heavy, it is possible to specify
8699 a filter in order to specify what entries to display. The filter then applies
8700 to the stored data (see "stick-table" in section 4.2). One stored data type
8701 has to be specified in <type>, and this data type must be stored in the table
8702 otherwise an error is reported. The data is compared according to <operator>
8703 with the 64-bit integer <value>. Operators are the same as with the ACLs :
8704 - eq : match entries whose data is equal to this value
8705 - ne : match entries whose data is not equal to this value
8706 - le : match entries whose data is less than or equal to this value
8707 - ge : match entries whose data is greater than or equal to this value
8708 - lt : match entries whose data is less than this value
8709 - gt : match entries whose data is greater than this value
8710
8711 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008712 $ echo "show table http_proxy" | socat stdio /tmp/sock1
8713 >>> # table: http_proxy, type: 0, size:204800, used:2
8714 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
8715 bytes_out_rate(60000)=187
8716 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8717 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008718
Willy Tarreau62a36c42010-08-17 15:53:10 +02008719 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
8720 >>> # table: http_proxy, type: 0, size:204800, used:2
8721 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8722 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008723
Willy Tarreau62a36c42010-08-17 15:53:10 +02008724 $ echo "show table http_proxy data.conn_rate gt 5" | \
8725 socat stdio /tmp/sock1
8726 >>> # table: http_proxy, type: 0, size:204800, used:2
8727 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8728 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008729
8730 When the data criterion applies to a dynamic value dependent on time such as
8731 a bytes rate, the value is dynamically computed during the evaluation of the
8732 entry in order to decide whether it has to be dumped or not. This means that
8733 such a filter could match for some time then not match anymore because as
8734 time goes, the average event rate drops.
8735
8736 It is possible to use this to extract lists of IP addresses abusing the
8737 service, in order to monitor them or even blacklist them in a firewall.
8738 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008739 $ echo "show table http_proxy data.gpc0 gt 0" \
8740 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008741 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
8742 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +02008743
Willy Tarreau0ba27502007-12-24 16:55:16 +01008744/*
8745 * Local variables:
8746 * fill-column: 79
8747 * End:
8748 */