blob: 91c306d9a8424eff2401d546fc4b7e2372845589 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau21475e32010-05-23 08:46:08 +02007 2010/05/23
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
21 ('\') and continue on next line. If you add sections, please update the
22 summary below for easier searching.
23
24
25Summary
26-------
27
281. Quick reminder about HTTP
291.1. The HTTP transaction model
301.2. HTTP request
311.2.1. The Request line
321.2.2. The request headers
331.3. HTTP response
341.3.1. The Response line
351.3.2. The response headers
36
372. Configuring HAProxy
382.1. Configuration file format
392.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200402.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020041
423. Global parameters
433.1. Process management and security
443.2. Performance tuning
453.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100463.4. Userlists
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047
484. Proxies
494.1. Proxy keywords matrix
504.2. Alphabetically sorted keywords reference
51
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100525. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020053
546. HTTP header manipulation
55
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100567. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200577.1. Matching integers
587.2. Matching strings
597.3. Matching regular expressions (regexes)
607.4. Matching IPv4 addresses
617.5. Available matching criteria
627.5.1. Matching at Layer 4 and below
637.5.2. Matching contents at Layer 4
647.5.3. Matching at Layer 7
657.6. Pre-defined ACLs
667.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100677.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068
698. Logging
708.1. Log levels
718.2. Log formats
728.2.1. Default log format
738.2.2. TCP log format
748.2.3. HTTP log format
758.3. Advanced logging options
768.3.1. Disabling logging of external tests
778.3.2. Logging before waiting for the session to terminate
788.3.3. Raising log level upon errors
798.3.4. Disabling logging of successful connections
808.4. Timing events
818.5. Session state at disconnection
828.6. Non-printable characters
838.7. Capturing HTTP cookies
848.8. Capturing HTTP headers
858.9. Examples of logs
86
879. Statistics and monitoring
889.1. CSV format
899.2. Unix Socket commands
90
91
921. Quick reminder about HTTP
93----------------------------
94
95When haproxy is running in HTTP mode, both the request and the response are
96fully analyzed and indexed, thus it becomes possible to build matching criteria
97on almost anything found in the contents.
98
99However, it is important to understand how HTTP requests and responses are
100formed, and how HAProxy decomposes them. It will then become easier to write
101correct rules and to debug existing configurations.
102
103
1041.1. The HTTP transaction model
105-------------------------------
106
107The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100108to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200109from the client to the server, a request is sent by the client on the
110connection, the server responds and the connection is closed. A new request
111will involve a new connection :
112
113 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
114
115In this mode, called the "HTTP close" mode, there are as many connection
116establishments as there are HTTP transactions. Since the connection is closed
117by the server after the response, the client does not need to know the content
118length.
119
120Due to the transactional nature of the protocol, it was possible to improve it
121to avoid closing a connection between two subsequent transactions. In this mode
122however, it is mandatory that the server indicates the content length for each
123response so that the client does not wait indefinitely. For this, a special
124header is used: "Content-length". This mode is called the "keep-alive" mode :
125
126 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
127
128Its advantages are a reduced latency between transactions, and less processing
129power required on the server side. It is generally better than the close mode,
130but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200131a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200132
133A last improvement in the communications is the pipelining mode. It still uses
134keep-alive, but the client does not wait for the first response to send the
135second request. This is useful for fetching large number of images composing a
136page :
137
138 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
139
140This can obviously have a tremendous benefit on performance because the network
141latency is eliminated between subsequent requests. Many HTTP agents do not
142correctly support pipelining since there is no way to associate a response with
143the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100144server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200145
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200146By default HAProxy operates in a tunnel-like mode with regards to persistent
147connections: for each connection it processes the first request and forwards
148everything else (including additional requests) to selected server. Once
149established, the connection is persisted both on the client and server
150sides. Use "option http-server-close" to preserve client persistent connections
151while handling every incoming request individually, dispatching them one after
152another to servers, in HTTP close mode. Use "option httpclose" to switch both
153sides to HTTP close mode. "option forceclose" and "option
154http-pretend-keepalive" help working around servers misbehaving in HTTP close
155mode.
156
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200157
1581.2. HTTP request
159-----------------
160
161First, let's consider this HTTP request :
162
163 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100164 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200165 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
166 2 Host: www.mydomain.com
167 3 User-agent: my small browser
168 4 Accept: image/jpeg, image/gif
169 5 Accept: image/png
170
171
1721.2.1. The Request line
173-----------------------
174
175Line 1 is the "request line". It is always composed of 3 fields :
176
177 - a METHOD : GET
178 - a URI : /serv/login.php?lang=en&profile=2
179 - a version tag : HTTP/1.1
180
181All of them are delimited by what the standard calls LWS (linear white spaces),
182which are commonly spaces, but can also be tabs or line feeds/carriage returns
183followed by spaces/tabs. The method itself cannot contain any colon (':') and
184is limited to alphabetic letters. All those various combinations make it
185desirable that HAProxy performs the splitting itself rather than leaving it to
186the user to write a complex or inaccurate regular expression.
187
188The URI itself can have several forms :
189
190 - A "relative URI" :
191
192 /serv/login.php?lang=en&profile=2
193
194 It is a complete URL without the host part. This is generally what is
195 received by servers, reverse proxies and transparent proxies.
196
197 - An "absolute URI", also called a "URL" :
198
199 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
200
201 It is composed of a "scheme" (the protocol name followed by '://'), a host
202 name or address, optionally a colon (':') followed by a port number, then
203 a relative URI beginning at the first slash ('/') after the address part.
204 This is generally what proxies receive, but a server supporting HTTP/1.1
205 must accept this form too.
206
207 - a star ('*') : this form is only accepted in association with the OPTIONS
208 method and is not relayable. It is used to inquiry a next hop's
209 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100210
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200211 - an address:port combination : 192.168.0.12:80
212 This is used with the CONNECT method, which is used to establish TCP
213 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
214 other protocols too.
215
216In a relative URI, two sub-parts are identified. The part before the question
217mark is called the "path". It is typically the relative path to static objects
218on the server. The part after the question mark is called the "query string".
219It is mostly used with GET requests sent to dynamic scripts and is very
220specific to the language, framework or application in use.
221
222
2231.2.2. The request headers
224--------------------------
225
226The headers start at the second line. They are composed of a name at the
227beginning of the line, immediately followed by a colon (':'). Traditionally,
228an LWS is added after the colon but that's not required. Then come the values.
229Multiple identical headers may be folded into one single line, delimiting the
230values with commas, provided that their order is respected. This is commonly
231encountered in the "Cookie:" field. A header may span over multiple lines if
232the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
233define a total of 3 values for the "Accept:" header.
234
235Contrary to a common mis-conception, header names are not case-sensitive, and
236their values are not either if they refer to other header names (such as the
237"Connection:" header).
238
239The end of the headers is indicated by the first empty line. People often say
240that it's a double line feed, which is not exact, even if a double line feed
241is one valid form of empty line.
242
243Fortunately, HAProxy takes care of all these complex combinations when indexing
244headers, checking values and counting them, so there is no reason to worry
245about the way they could be written, but it is important not to accuse an
246application of being buggy if it does unusual, valid things.
247
248Important note:
249 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
250 in the middle of headers by LWS in order to join multi-line headers. This
251 is necessary for proper analysis and helps less capable HTTP parsers to work
252 correctly and not to be fooled by such complex constructs.
253
254
2551.3. HTTP response
256------------------
257
258An HTTP response looks very much like an HTTP request. Both are called HTTP
259messages. Let's consider this HTTP response :
260
261 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100262 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200263 1 HTTP/1.1 200 OK
264 2 Content-length: 350
265 3 Content-Type: text/html
266
Willy Tarreau816b9792009-09-15 21:25:21 +0200267As a special case, HTTP supports so called "Informational responses" as status
268codes 1xx. These messages are special in that they don't convey any part of the
269response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100270continue to post its request for instance. In the case of a status 100 response
271the requested information will be carried by the next non-100 response message
272following the informational one. This implies that multiple responses may be
273sent to a single request, and that this only works when keep-alive is enabled
274(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
275correctly forward and skip them, and only process the next non-100 response. As
276such, these messages are neither logged nor transformed, unless explicitly
277state otherwise. Status 101 messages indicate that the protocol is changing
278over the same connection and that haproxy must switch to tunnel mode, just as
279if a CONNECT had occurred. Then the Upgrade header would contain additional
280information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200281
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200282
2831.3.1. The Response line
284------------------------
285
286Line 1 is the "response line". It is always composed of 3 fields :
287
288 - a version tag : HTTP/1.1
289 - a status code : 200
290 - a reason : OK
291
292The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200293 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200294 - 2xx = OK, content is following (eg: 200, 206)
295 - 3xx = OK, no content following (eg: 302, 304)
296 - 4xx = error caused by the client (eg: 401, 403, 404)
297 - 5xx = error caused by the server (eg: 500, 502, 503)
298
299Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100300"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200301found there, but it's a common practice to respect the well-established
302messages. It can be composed of one or multiple words, such as "OK", "Found",
303or "Authentication Required".
304
305Haproxy may emit the following status codes by itself :
306
307 Code When / reason
308 200 access to stats page, and when replying to monitoring requests
309 301 when performing a redirection, depending on the configured code
310 302 when performing a redirection, depending on the configured code
311 303 when performing a redirection, depending on the configured code
312 400 for an invalid or too large request
313 401 when an authentication is required to perform the action (when
314 accessing the stats page)
315 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
316 408 when the request timeout strikes before the request is complete
317 500 when haproxy encounters an unrecoverable internal error, such as a
318 memory allocation failure, which should never happen
319 502 when the server returns an empty, invalid or incomplete response, or
320 when an "rspdeny" filter blocks the response.
321 503 when no server was available to handle the request, or in response to
322 monitoring requests which match the "monitor fail" condition
323 504 when the response timeout strikes before the server responds
324
325The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3264.2).
327
328
3291.3.2. The response headers
330---------------------------
331
332Response headers work exactly like request headers, and as such, HAProxy uses
333the same parsing function for both. Please refer to paragraph 1.2.2 for more
334details.
335
336
3372. Configuring HAProxy
338----------------------
339
3402.1. Configuration file format
341------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200342
343HAProxy's configuration process involves 3 major sources of parameters :
344
345 - the arguments from the command-line, which always take precedence
346 - the "global" section, which sets process-wide parameters
347 - the proxies sections which can take form of "defaults", "listen",
348 "frontend" and "backend".
349
Willy Tarreau0ba27502007-12-24 16:55:16 +0100350The configuration file syntax consists in lines beginning with a keyword
351referenced in this manual, optionally followed by one or several parameters
352delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100353preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100354escaped by doubling them.
355
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200356
3572.2. Time format
358----------------
359
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100360Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100361values are generally expressed in milliseconds (unless explicitly stated
362otherwise) but may be expressed in any other unit by suffixing the unit to the
363numeric value. It is important to consider this because it will not be repeated
364for every keyword. Supported units are :
365
366 - us : microseconds. 1 microsecond = 1/1000000 second
367 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
368 - s : seconds. 1s = 1000ms
369 - m : minutes. 1m = 60s = 60000ms
370 - h : hours. 1h = 60m = 3600s = 3600000ms
371 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
372
373
Patrick Mezard35da19c2010-06-12 17:02:47 +02003742.3. Examples
375-------------
376
377 # Simple configuration for an HTTP proxy listening on port 80 on all
378 # interfaces and forwarding requests to a single backend "servers" with a
379 # single server "server1" listening on 127.0.0.1:8000
380 global
381 daemon
382 maxconn 256
383
384 defaults
385 mode http
386 timeout connect 5000ms
387 timeout client 50000ms
388 timeout server 50000ms
389
390 frontend http-in
391 bind *:80
392 default_backend servers
393
394 backend servers
395 server server1 127.0.0.1:8000 maxconn 32
396
397
398 # The same configuration defined with a single listen block. Shorter but
399 # less expressive, especially in HTTP mode.
400 global
401 daemon
402 maxconn 256
403
404 defaults
405 mode http
406 timeout connect 5000ms
407 timeout client 50000ms
408 timeout server 50000ms
409
410 listen http-in
411 bind *:80
412 server server1 127.0.0.1:8000 maxconn 32
413
414
415Assuming haproxy is in $PATH, test these configurations in a shell with:
416
417 $ sudo haproxy -f configuration.conf -d
418
419
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004203. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200421--------------------
422
423Parameters in the "global" section are process-wide and often OS-specific. They
424are generally set once for all and do not need being changed once correct. Some
425of them have command-line equivalents.
426
427The following keywords are supported in the "global" section :
428
429 * Process management and security
430 - chroot
431 - daemon
432 - gid
433 - group
434 - log
435 - nbproc
436 - pidfile
437 - uid
438 - ulimit-n
439 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200440 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200441 - node
442 - description
Willy Tarreaud72758d2010-01-12 10:42:19 +0100443
Willy Tarreau6a06a402007-07-15 20:15:28 +0200444 * Performance tuning
445 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100446 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200447 - noepoll
448 - nokqueue
449 - nopoll
450 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100451 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200452 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200453 - tune.bufsize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100454 - tune.maxaccept
455 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200456 - tune.maxrewrite
Willy Tarreaue803de22010-01-21 17:43:04 +0100457 - tune.rcvbuf.client
458 - tune.rcvbuf.server
459 - tune.sndbuf.client
460 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100461
Willy Tarreau6a06a402007-07-15 20:15:28 +0200462 * Debugging
463 - debug
464 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200465
466
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004673.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200468------------------------------------
469
470chroot <jail dir>
471 Changes current directory to <jail dir> and performs a chroot() there before
472 dropping privileges. This increases the security level in case an unknown
473 vulnerability would be exploited, since it would make it very hard for the
474 attacker to exploit the system. This only works when the process is started
475 with superuser privileges. It is important to ensure that <jail_dir> is both
476 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100477
Willy Tarreau6a06a402007-07-15 20:15:28 +0200478daemon
479 Makes the process fork into background. This is the recommended mode of
480 operation. It is equivalent to the command line "-D" argument. It can be
481 disabled by the command line "-db" argument.
482
483gid <number>
484 Changes the process' group ID to <number>. It is recommended that the group
485 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
486 be started with a user belonging to this group, or with superuser privileges.
487 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100488
Willy Tarreau6a06a402007-07-15 20:15:28 +0200489group <group name>
490 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
491 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100492
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200493log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200494 Adds a global syslog server. Up to two global servers can be defined. They
495 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100496 configured with "log global".
497
498 <address> can be one of:
499
Willy Tarreau2769aa02007-12-27 18:26:09 +0100500 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100501 no port is specified, 514 is used by default (the standard syslog
502 port).
503
504 - A filesystem path to a UNIX domain socket, keeping in mind
505 considerations for chroot (be sure the path is accessible inside
506 the chroot) and uid/gid (be sure the path is appropriately
507 writeable).
508
509 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200510
511 kern user mail daemon auth syslog lpr news
512 uucp cron auth2 ftp ntp audit alert cron2
513 local0 local1 local2 local3 local4 local5 local6 local7
514
515 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200516 all messages are sent. If a maximum level is specified, only messages with a
517 severity at least as important as this level will be sent. An optional minimum
518 level can be specified. If it is set, logs emitted with a more severe level
519 than this one will be capped to this level. This is used to avoid sending
520 "emerg" messages on all terminals on some default syslog configurations.
521 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200522
523 emerg alert crit err warning notice info debug
524
525nbproc <number>
526 Creates <number> processes when going daemon. This requires the "daemon"
527 mode. By default, only one process is created, which is the recommended mode
528 of operation. For systems limited to small sets of file descriptors per
529 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
530 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
531
532pidfile <pidfile>
533 Writes pids of all daemons into file <pidfile>. This option is equivalent to
534 the "-p" command line argument. The file must be accessible to the user
535 starting the process. See also "daemon".
536
Willy Tarreaufbee7132007-10-18 13:53:22 +0200537stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200538 [level <level>]
539
Willy Tarreaufbee7132007-10-18 13:53:22 +0200540 Creates a UNIX socket in stream mode at location <path>. Any previously
541 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100542 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200543 issued. Please consult section 9.2 "Unix Socket commands" for more details.
544
545 An optional "level" parameter can be specified to restrict the nature of
546 the commands that can be issued on the socket :
547 - "user" is the least privileged level ; only non-sensitive stats can be
548 read, and no change is allowed. It would make sense on systems where it
549 is not easy to restrict access to the socket.
550
551 - "operator" is the default level and fits most common uses. All data can
552 be read, and only non-sensible changes are permitted (eg: clear max
553 counters).
554
555 - "admin" should be used with care, as everything is permitted (eg: clear
556 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100557
558 On platforms which support it, it is possible to restrict access to this
559 socket by specifying numerical IDs after "uid" and "gid", or valid user and
560 group names after the "user" and "group" keywords. It is also possible to
561 restrict permissions on the socket by passing an octal value after the "mode"
562 keyword (same syntax as chmod). Depending on the platform, the permissions on
563 the socket will be inherited from the directory which hosts it, or from the
564 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200565
566stats timeout <timeout, in milliseconds>
567 The default timeout on the stats socket is set to 10 seconds. It is possible
568 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100569 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200570
571stats maxconn <connections>
572 By default, the stats socket is limited to 10 concurrent connections. It is
573 possible to change this value with "stats maxconn".
574
Willy Tarreau6a06a402007-07-15 20:15:28 +0200575uid <number>
576 Changes the process' user ID to <number>. It is recommended that the user ID
577 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
578 be started with superuser privileges in order to be able to switch to another
579 one. See also "gid" and "user".
580
581ulimit-n <number>
582 Sets the maximum number of per-process file-descriptors to <number>. By
583 default, it is automatically computed, so it is recommended not to use this
584 option.
585
586user <user name>
587 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
588 See also "uid" and "group".
589
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200590node <name>
591 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
592
593 This statement is useful in HA configurations where two or more processes or
594 servers share the same IP address. By setting a different node-name on all
595 nodes, it becomes easy to immediately spot what server is handling the
596 traffic.
597
598description <text>
599 Add a text that describes the instance.
600
601 Please note that it is required to escape certain characters (# for example)
602 and this text is inserted into a html page so you should avoid using
603 "<" and ">" characters.
604
Willy Tarreau6a06a402007-07-15 20:15:28 +0200605
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006063.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200607-----------------------
608
609maxconn <number>
610 Sets the maximum per-process number of concurrent connections to <number>. It
611 is equivalent to the command-line argument "-n". Proxies will stop accepting
612 connections when this limit is reached. The "ulimit-n" parameter is
613 automatically adjusted according to this value. See also "ulimit-n".
614
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100615maxpipes <number>
616 Sets the maximum per-process number of pipes to <number>. Currently, pipes
617 are only used by kernel-based tcp splicing. Since a pipe contains two file
618 descriptors, the "ulimit-n" value will be increased accordingly. The default
619 value is maxconn/4, which seems to be more than enough for most heavy usages.
620 The splice code dynamically allocates and releases pipes, and can fall back
621 to standard copy, so setting this value too low may only impact performance.
622
Willy Tarreau6a06a402007-07-15 20:15:28 +0200623noepoll
624 Disables the use of the "epoll" event polling system on Linux. It is
625 equivalent to the command-line argument "-de". The next polling system
626 used will generally be "poll". See also "nosepoll", and "nopoll".
627
628nokqueue
629 Disables the use of the "kqueue" event polling system on BSD. It is
630 equivalent to the command-line argument "-dk". The next polling system
631 used will generally be "poll". See also "nopoll".
632
633nopoll
634 Disables the use of the "poll" event polling system. It is equivalent to the
635 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100636 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200637 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
638 "nokqueue".
639
640nosepoll
641 Disables the use of the "speculative epoll" event polling system on Linux. It
642 is equivalent to the command-line argument "-ds". The next polling system
643 used will generally be "epoll". See also "nosepoll", and "nopoll".
644
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100645nosplice
646 Disables the use of kernel tcp splicing between sockets on Linux. It is
647 equivalent to the command line argument "-dS". Data will then be copied
648 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100649 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100650 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
651 be used. This option makes it easier to globally disable kernel splicing in
652 case of doubt. See also "option splice-auto", "option splice-request" and
653 "option splice-response".
654
Willy Tarreaufe255b72007-10-14 23:09:26 +0200655spread-checks <0..50, in percent>
656 Sometimes it is desirable to avoid sending health checks to servers at exact
657 intervals, for instance when many logical servers are located on the same
658 physical server. With the help of this parameter, it becomes possible to add
659 some randomness in the check interval between 0 and +/- 50%. A value between
660 2 and 5 seems to show good results. The default value remains at 0.
661
Willy Tarreau27a674e2009-08-17 07:23:33 +0200662tune.bufsize <number>
663 Sets the buffer size to this size (in bytes). Lower values allow more
664 sessions to coexist in the same amount of RAM, and higher values allow some
665 applications with very large cookies to work. The default value is 16384 and
666 can be changed at build time. It is strongly recommended not to change this
667 from the default value, as very low values will break some services such as
668 statistics, and values larger than default size will increase memory usage,
669 possibly causing the system to run out of memory. At least the global maxconn
670 parameter should be decreased by the same factor as this one is increased.
671
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100672tune.maxaccept <number>
673 Sets the maximum number of consecutive accepts that a process may perform on
674 a single wake up. High values give higher priority to high connection rates,
675 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100676 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100677 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
678 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100679 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100680 the limitation. It should normally not be needed to tweak this value.
681
682tune.maxpollevents <number>
683 Sets the maximum amount of events that can be processed at once in a call to
684 the polling system. The default value is adapted to the operating system. It
685 has been noticed that reducing it below 200 tends to slightly decrease
686 latency at the expense of network bandwidth, and increasing it above 200
687 tends to trade latency for slightly increased bandwidth.
688
Willy Tarreau27a674e2009-08-17 07:23:33 +0200689tune.maxrewrite <number>
690 Sets the reserved buffer space to this size in bytes. The reserved space is
691 used for header rewriting or appending. The first reads on sockets will never
692 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
693 bufsize, though that does not make much sense since there are rarely large
694 numbers of headers to add. Setting it too high prevents processing of large
695 requests or responses. Setting it too low prevents addition of new headers
696 to already large requests or to POST requests. It is generally wise to set it
697 to about 1024. It is automatically readjusted to half of bufsize if it is
698 larger than that. This means you don't have to worry about it when changing
699 bufsize.
700
Willy Tarreaue803de22010-01-21 17:43:04 +0100701tune.rcvbuf.client <number>
702tune.rcvbuf.server <number>
703 Forces the kernel socket receive buffer size on the client or the server side
704 to the specified value in bytes. This value applies to all TCP/HTTP frontends
705 and backends. It should normally never be set, and the default size (0) lets
706 the kernel autotune this value depending on the amount of available memory.
707 However it can sometimes help to set it to very low values (eg: 4096) in
708 order to save kernel memory by preventing it from buffering too large amounts
709 of received data. Lower values will significantly increase CPU usage though.
710
711tune.sndbuf.client <number>
712tune.sndbuf.server <number>
713 Forces the kernel socket send buffer size on the client or the server side to
714 the specified value in bytes. This value applies to all TCP/HTTP frontends
715 and backends. It should normally never be set, and the default size (0) lets
716 the kernel autotune this value depending on the amount of available memory.
717 However it can sometimes help to set it to very low values (eg: 4096) in
718 order to save kernel memory by preventing it from buffering too large amounts
719 of received data. Lower values will significantly increase CPU usage though.
720 Another use case is to prevent write timeouts with extremely slow clients due
721 to the kernel waiting for a large part of the buffer to be read before
722 notifying haproxy again.
723
Willy Tarreau6a06a402007-07-15 20:15:28 +0200724
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007253.3. Debugging
726--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200727
728debug
729 Enables debug mode which dumps to stdout all exchanges, and disables forking
730 into background. It is the equivalent of the command-line argument "-d". It
731 should never be used in a production configuration since it may prevent full
732 system startup.
733
734quiet
735 Do not display any message during startup. It is equivalent to the command-
736 line argument "-q".
737
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007383.4. Userlists
739--------------
740It is possible to control access to frontend/backend/listen sections or to
741http stats by allowing only authenticated and authorized users. To do this,
742it is required to create at least one userlist and to define users.
743
744userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100745 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100746 used to store authentication & authorization data for independent customers.
747
748group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100749 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100750 attach users to this group by using a comma separated list of names
751 proceeded by "users" keyword.
752
Cyril Bontéf0c60612010-02-06 14:44:47 +0100753user <username> [password|insecure-password <password>]
754 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100755 Adds user <username> to the current userlist. Both secure (encrypted) and
756 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100757 evaluated using the crypt(3) function so depending of the system's
758 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100759 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
760 DES-based method of crypting passwords.
761
762
763 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100764 userlist L1
765 group G1 users tiger,scott
766 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100767
Cyril Bontéf0c60612010-02-06 14:44:47 +0100768 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
769 user scott insecure-password elgato
770 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100771
Cyril Bontéf0c60612010-02-06 14:44:47 +0100772 userlist L2
773 group G1
774 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100775
Cyril Bontéf0c60612010-02-06 14:44:47 +0100776 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
777 user scott insecure-password elgato groups G1,G2
778 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100779
780 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200781
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007824. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200783----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100784
Willy Tarreau6a06a402007-07-15 20:15:28 +0200785Proxy configuration can be located in a set of sections :
786 - defaults <name>
787 - frontend <name>
788 - backend <name>
789 - listen <name>
790
791A "defaults" section sets default parameters for all other sections following
792its declaration. Those default parameters are reset by the next "defaults"
793section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100794section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200795
796A "frontend" section describes a set of listening sockets accepting client
797connections.
798
799A "backend" section describes a set of servers to which the proxy will connect
800to forward incoming connections.
801
802A "listen" section defines a complete proxy with its frontend and backend
803parts combined in one section. It is generally useful for TCP-only traffic.
804
Willy Tarreau0ba27502007-12-24 16:55:16 +0100805All proxy names must be formed from upper and lower case letters, digits,
806'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
807case-sensitive, which means that "www" and "WWW" are two different proxies.
808
809Historically, all proxy names could overlap, it just caused troubles in the
810logs. Since the introduction of content switching, it is mandatory that two
811proxies with overlapping capabilities (frontend/backend) have different names.
812However, it is still permitted that a frontend and a backend share the same
813name, as this configuration seems to be commonly encountered.
814
815Right now, two major proxy modes are supported : "tcp", also known as layer 4,
816and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100817bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100818protocol, and can interact with it by allowing, blocking, switching, adding,
819modifying, or removing arbitrary contents in requests or responses, based on
820arbitrary criteria.
821
Willy Tarreau0ba27502007-12-24 16:55:16 +0100822
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008234.1. Proxy keywords matrix
824--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100825
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200826The following list of keywords is supported. Most of them may only be used in a
827limited set of section types. Some of them are marked as "deprecated" because
828they are inherited from an old syntax which may be confusing or functionally
829limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100830marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200831option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200832and must be disabled for a specific instance. Such options may also be prefixed
833with "default" in order to restore default settings regardless of what has been
834specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100835
Willy Tarreau6a06a402007-07-15 20:15:28 +0200836
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100837 keyword defaults frontend listen backend
838------------------------------------+----------+----------+---------+---------
839acl - X X X
840appsession - - X X
841backlog X X X -
842balance X - X X
843bind - X X -
844bind-process X X X X
845block - X X X
846capture cookie - X X -
847capture request header - X X -
848capture response header - X X -
849clitimeout (deprecated) X X X -
850contimeout (deprecated) X - X X
851cookie X - X X
852default-server X - X X
853default_backend X X X -
854description - X X X
855disabled X X X X
856dispatch - - X X
857enabled X X X X
858errorfile X X X X
859errorloc X X X X
860errorloc302 X X X X
861-- keyword -------------------------- defaults - frontend - listen -- backend -
862errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200863force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100864fullconn X - X X
865grace X X X X
866hash-type X - X X
867http-check disable-on-404 X - X X
868http-request - X X X
869id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200870ignore-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100871log X X X X
872maxconn X X X -
873mode X X X X
874monitor fail - X X -
875monitor-net X X X -
876monitor-uri X X X -
877option abortonclose (*) X - X X
878option accept-invalid-http-request (*) X X X -
879option accept-invalid-http-response (*) X - X X
880option allbackups (*) X - X X
881option checkcache (*) X - X X
882option clitcpka (*) X X X -
883option contstats (*) X X X -
884option dontlog-normal (*) X X X -
885option dontlognull (*) X X X -
886option forceclose (*) X X X X
887-- keyword -------------------------- defaults - frontend - listen -- backend -
888option forwardfor X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +0200889option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100890option http-server-close (*) X X X X
891option http-use-proxy-header (*) X X X -
892option httpchk X - X X
893option httpclose (*) X X X X
894option httplog X X X X
895option http_proxy (*) X X X X
896option independant-streams (*) X X X X
897option log-health-checks (*) X - X X
898option log-separate-errors (*) X X X -
899option logasap (*) X X X -
900option mysql-check X - X X
901option nolinger (*) X X X X
902option originalto X X X X
903option persist (*) X - X X
904option redispatch (*) X - X X
905option smtpchk X - X X
906option socket-stats (*) X X X -
907option splice-auto (*) X X X X
908option splice-request (*) X X X X
909option splice-response (*) X X X X
910option srvtcpka (*) X - X X
911option ssl-hello-chk X - X X
912-- keyword -------------------------- defaults - frontend - listen -- backend -
913option tcp-smart-accept (*) X X X -
914option tcp-smart-connect (*) X - X X
915option tcpka X X X X
916option tcplog X X X X
917option transparent (*) X - X X
918persist rdp-cookie X - X X
919rate-limit sessions X X X -
920redirect - X X X
921redisp (deprecated) X - X X
922redispatch (deprecated) X - X X
923reqadd - X X X
924reqallow - X X X
925reqdel - X X X
926reqdeny - X X X
927reqiallow - X X X
928reqidel - X X X
929reqideny - X X X
930reqipass - X X X
931reqirep - X X X
932reqisetbe - X X X
933reqitarpit - X X X
934reqpass - X X X
935reqrep - X X X
936-- keyword -------------------------- defaults - frontend - listen -- backend -
937reqsetbe - X X X
938reqtarpit - X X X
939retries X - X X
940rspadd - X X X
941rspdel - X X X
942rspdeny - X X X
943rspidel - X X X
944rspideny - X X X
945rspirep - X X X
946rsprep - X X X
947server - - X X
948source X - X X
949srvtimeout (deprecated) X - X X
950stats auth X - X X
951stats enable X - X X
952stats hide-version X - X X
953stats realm X - X X
954stats refresh X - X X
955stats scope X - X X
956stats show-desc X - X X
957stats show-legends X - X X
958stats show-node X - X X
959stats uri X - X X
960-- keyword -------------------------- defaults - frontend - listen -- backend -
961stick match - - X X
962stick on - - X X
963stick store-request - - X X
964stick-table - - X X
Willy Tarreau1a687942010-05-23 22:40:30 +0200965tcp-request accept - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100966tcp-request content accept - X X -
967tcp-request content reject - X X -
968tcp-request inspect-delay - X X -
Willy Tarreau1a687942010-05-23 22:40:30 +0200969tcp-request reject - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100970timeout check X - X X
971timeout client X X X -
972timeout clitimeout (deprecated) X X X -
973timeout connect X - X X
974timeout contimeout (deprecated) X - X X
975timeout http-keep-alive X X X X
976timeout http-request X X X X
977timeout queue X - X X
978timeout server X - X X
979timeout srvtimeout (deprecated) X - X X
980timeout tarpit X X X X
981transparent (deprecated) X - X X
982use_backend - X X -
983------------------------------------+----------+----------+---------+---------
984 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +0200985
Willy Tarreau0ba27502007-12-24 16:55:16 +0100986
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009874.2. Alphabetically sorted keywords reference
988---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100989
990This section provides a description of each keyword and its usage.
991
992
993acl <aclname> <criterion> [flags] [operator] <value> ...
994 Declare or complete an access list.
995 May be used in sections : defaults | frontend | listen | backend
996 no | yes | yes | yes
997 Example:
998 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
999 acl invalid_src src_port 0:1023
1000 acl local_dst hdr(host) -i localhost
1001
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001002 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001003
1004
Cyril Bontéb21570a2009-11-29 20:04:48 +01001005appsession <cookie> len <length> timeout <holdtime>
1006 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001007 Define session stickiness on an existing application cookie.
1008 May be used in sections : defaults | frontend | listen | backend
1009 no | no | yes | yes
1010 Arguments :
1011 <cookie> this is the name of the cookie used by the application and which
1012 HAProxy will have to learn for each new session.
1013
Cyril Bontéb21570a2009-11-29 20:04:48 +01001014 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001015 checked in each cookie value.
1016
1017 <holdtime> this is the time after which the cookie will be removed from
1018 memory if unused. If no unit is specified, this time is in
1019 milliseconds.
1020
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001021 request-learn
1022 If this option is specified, then haproxy will be able to learn
1023 the cookie found in the request in case the server does not
1024 specify any in response. This is typically what happens with
1025 PHPSESSID cookies, or when haproxy's session expires before
1026 the application's session and the correct server is selected.
1027 It is recommended to specify this option to improve reliability.
1028
Cyril Bontéb21570a2009-11-29 20:04:48 +01001029 prefix When this option is specified, haproxy will match on the cookie
1030 prefix (or URL parameter prefix). The appsession value is the
1031 data following this prefix.
1032
1033 Example :
1034 appsession ASPSESSIONID len 64 timeout 3h prefix
1035
1036 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1037 the appsession value will be XXXX=XXXXX.
1038
1039 mode This option allows to change the URL parser mode.
1040 2 modes are currently supported :
1041 - path-parameters :
1042 The parser looks for the appsession in the path parameters
1043 part (each parameter is separated by a semi-colon), which is
1044 convenient for JSESSIONID for example.
1045 This is the default mode if the option is not set.
1046 - query-string :
1047 In this mode, the parser will look for the appsession in the
1048 query string.
1049
Willy Tarreau0ba27502007-12-24 16:55:16 +01001050 When an application cookie is defined in a backend, HAProxy will check when
1051 the server sets such a cookie, and will store its value in a table, and
1052 associate it with the server's identifier. Up to <length> characters from
1053 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001054 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1055 the mode used). If a known value is found, the client will be directed to the
1056 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001057 applied. Cookies are automatically removed from memory when they have been
1058 unused for a duration longer than <holdtime>.
1059
1060 The definition of an application cookie is limited to one per backend.
1061
1062 Example :
1063 appsession JSESSIONID len 52 timeout 3h
1064
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001065 See also : "cookie", "capture cookie", "balance", "stick", "stick-table"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001066 and "ignore-persist"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001067
1068
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001069backlog <conns>
1070 Give hints to the system about the approximate listen backlog desired size
1071 May be used in sections : defaults | frontend | listen | backend
1072 yes | yes | yes | no
1073 Arguments :
1074 <conns> is the number of pending connections. Depending on the operating
1075 system, it may represent the number of already acknowledged
1076 connections, of non-acknowledged ones, or both.
1077
1078 In order to protect against SYN flood attacks, one solution is to increase
1079 the system's SYN backlog size. Depending on the system, sometimes it is just
1080 tunable via a system parameter, sometimes it is not adjustable at all, and
1081 sometimes the system relies on hints given by the application at the time of
1082 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1083 to the listen() syscall. On systems which can make use of this value, it can
1084 sometimes be useful to be able to specify a different value, hence this
1085 backlog parameter.
1086
1087 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1088 used as a hint and the system accepts up to the smallest greater power of
1089 two, and never more than some limits (usually 32768).
1090
1091 See also : "maxconn" and the target operating system's tuning guide.
1092
1093
Willy Tarreau0ba27502007-12-24 16:55:16 +01001094balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001095balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001096 Define the load balancing algorithm to be used in a backend.
1097 May be used in sections : defaults | frontend | listen | backend
1098 yes | no | yes | yes
1099 Arguments :
1100 <algorithm> is the algorithm used to select a server when doing load
1101 balancing. This only applies when no persistence information
1102 is available, or when a connection is redispatched to another
1103 server. <algorithm> may be one of the following :
1104
1105 roundrobin Each server is used in turns, according to their weights.
1106 This is the smoothest and fairest algorithm when the server's
1107 processing time remains equally distributed. This algorithm
1108 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001109 on the fly for slow starts for instance. It is limited by
1110 design to 4128 active servers per backend. Note that in some
1111 large farms, when a server becomes up after having been down
1112 for a very short time, it may sometimes take a few hundreds
1113 requests for it to be re-integrated into the farm and start
1114 receiving traffic. This is normal, though very rare. It is
1115 indicated here in case you would have the chance to observe
1116 it, so that you don't worry.
1117
1118 static-rr Each server is used in turns, according to their weights.
1119 This algorithm is as similar to roundrobin except that it is
1120 static, which means that changing a server's weight on the
1121 fly will have no effect. On the other hand, it has no design
1122 limitation on the number of servers, and when a server goes
1123 up, it is always immediately reintroduced into the farm, once
1124 the full map is recomputed. It also uses slightly less CPU to
1125 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001126
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001127 leastconn The server with the lowest number of connections receives the
1128 connection. Round-robin is performed within groups of servers
1129 of the same load to ensure that all servers will be used. Use
1130 of this algorithm is recommended where very long sessions are
1131 expected, such as LDAP, SQL, TSE, etc... but is not very well
1132 suited for protocols using short sessions such as HTTP. This
1133 algorithm is dynamic, which means that server weights may be
1134 adjusted on the fly for slow starts for instance.
1135
Willy Tarreau0ba27502007-12-24 16:55:16 +01001136 source The source IP address is hashed and divided by the total
1137 weight of the running servers to designate which server will
1138 receive the request. This ensures that the same client IP
1139 address will always reach the same server as long as no
1140 server goes down or up. If the hash result changes due to the
1141 number of running servers changing, many clients will be
1142 directed to a different server. This algorithm is generally
1143 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001144 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001145 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001146 static by default, which means that changing a server's
1147 weight on the fly will have no effect, but this can be
1148 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001149
1150 uri The left part of the URI (before the question mark) is hashed
1151 and divided by the total weight of the running servers. The
1152 result designates which server will receive the request. This
1153 ensures that a same URI will always be directed to the same
1154 server as long as no server goes up or down. This is used
1155 with proxy caches and anti-virus proxies in order to maximize
1156 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001157 in an HTTP backend. This algorithm is static by default,
1158 which means that changing a server's weight on the fly will
1159 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001160
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001161 This algorithm support two optional parameters "len" and
1162 "depth", both followed by a positive integer number. These
1163 options may be helpful when it is needed to balance servers
1164 based on the beginning of the URI only. The "len" parameter
1165 indicates that the algorithm should only consider that many
1166 characters at the beginning of the URI to compute the hash.
1167 Note that having "len" set to 1 rarely makes sense since most
1168 URIs start with a leading "/".
1169
1170 The "depth" parameter indicates the maximum directory depth
1171 to be used to compute the hash. One level is counted for each
1172 slash in the request. If both parameters are specified, the
1173 evaluation stops when either is reached.
1174
Willy Tarreau0ba27502007-12-24 16:55:16 +01001175 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001176 the query string of each HTTP GET request.
1177
1178 If the modifier "check_post" is used, then an HTTP POST
1179 request entity will be searched for the parameter argument,
1180 when the question mark indicating a query string ('?') is not
1181 present in the URL. Optionally, specify a number of octets to
1182 wait for before attempting to search the message body. If the
1183 entity can not be searched, then round robin is used for each
1184 request. For instance, if your clients always send the LB
1185 parameter in the first 128 bytes, then specify that. The
1186 default is 48. The entity data will not be scanned until the
1187 required number of octets have arrived at the gateway, this
1188 is the minimum of: (default/max_wait, Content-Length or first
1189 chunk length). If Content-Length is missing or zero, it does
1190 not need to wait for more data than the client promised to
1191 send. When Content-Length is present and larger than
1192 <max_wait>, then waiting is limited to <max_wait> and it is
1193 assumed that this will be enough data to search for the
1194 presence of the parameter. In the unlikely event that
1195 Transfer-Encoding: chunked is used, only the first chunk is
1196 scanned. Parameter values separated by a chunk boundary, may
1197 be randomly balanced if at all.
1198
1199 If the parameter is found followed by an equal sign ('=') and
1200 a value, then the value is hashed and divided by the total
1201 weight of the running servers. The result designates which
1202 server will receive the request.
1203
1204 This is used to track user identifiers in requests and ensure
1205 that a same user ID will always be sent to the same server as
1206 long as no server goes up or down. If no value is found or if
1207 the parameter is not found, then a round robin algorithm is
1208 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001209 backend. This algorithm is static by default, which means
1210 that changing a server's weight on the fly will have no
1211 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001212
Benoitaffb4812009-03-25 13:02:10 +01001213 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
1214 Just as with the equivalent ACL 'hdr()' function, the header
1215 name in parenthesis is not case sensitive. If the header is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001216 absent or if it does not contain any value, the roundrobin
Benoitaffb4812009-03-25 13:02:10 +01001217 algorithm is applied instead.
1218
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001219 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001220 reducing the hash algorithm to the main domain part with some
1221 specific headers such as 'Host'. For instance, in the Host
1222 value "haproxy.1wt.eu", only "1wt" will be considered.
1223
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001224 This algorithm is static by default, which means that
1225 changing a server's weight on the fly will have no effect,
1226 but this can be changed using "hash-type".
1227
Emeric Brun736aa232009-06-30 17:56:00 +02001228 rdp-cookie
1229 rdp-cookie(name)
1230 The RDP cookie <name> (or "mstshash" if omitted) will be
1231 looked up and hashed for each incoming TCP request. Just as
1232 with the equivalent ACL 'req_rdp_cookie()' function, the name
1233 is not case-sensitive. This mechanism is useful as a degraded
1234 persistence mode, as it makes it possible to always send the
1235 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001236 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001237 used instead.
1238
1239 Note that for this to work, the frontend must ensure that an
1240 RDP cookie is already present in the request buffer. For this
1241 you must use 'tcp-request content accept' rule combined with
1242 a 'req_rdp_cookie_cnt' ACL.
1243
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001244 This algorithm is static by default, which means that
1245 changing a server's weight on the fly will have no effect,
1246 but this can be changed using "hash-type".
1247
Willy Tarreau0ba27502007-12-24 16:55:16 +01001248 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001249 algorithms. Right now, only "url_param" and "uri" support an
1250 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001251
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001252 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001253 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001254
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001255 The load balancing algorithm of a backend is set to roundrobin when no other
1256 algorithm, mode nor option have been set. The algorithm may only be set once
1257 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001258
1259 Examples :
1260 balance roundrobin
1261 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001262 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001263 balance hdr(User-Agent)
1264 balance hdr(host)
1265 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001266
1267 Note: the following caveats and limitations on using the "check_post"
1268 extension with "url_param" must be considered :
1269
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001270 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001271 to determine if the parameters will be found in the body or entity which
1272 may contain binary data. Therefore another method may be required to
1273 restrict consideration of POST requests that have no URL parameters in
1274 the body. (see acl reqideny http_end)
1275
1276 - using a <max_wait> value larger than the request buffer size does not
1277 make sense and is useless. The buffer size is set at build time, and
1278 defaults to 16 kB.
1279
1280 - Content-Encoding is not supported, the parameter search will probably
1281 fail; and load balancing will fall back to Round Robin.
1282
1283 - Expect: 100-continue is not supported, load balancing will fall back to
1284 Round Robin.
1285
1286 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1287 If the entire parameter value is not present in the first chunk, the
1288 selection of server is undefined (actually, defined by how little
1289 actually appeared in the first chunk).
1290
1291 - This feature does not support generation of a 100, 411 or 501 response.
1292
1293 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001294 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001295 white space or control characters are found, indicating the end of what
1296 might be a URL parameter list. This is probably not a concern with SGML
1297 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001298
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001299 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1300 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001301
1302
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001303bind [<address>]:<port_range> [, ...]
1304bind [<address>]:<port_range> [, ...] interface <interface>
1305bind [<address>]:<port_range> [, ...] mss <maxseg>
1306bind [<address>]:<port_range> [, ...] transparent
1307bind [<address>]:<port_range> [, ...] id <id>
1308bind [<address>]:<port_range> [, ...] name <name>
1309bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau0ba27502007-12-24 16:55:16 +01001310 Define one or several listening addresses and/or ports in a frontend.
1311 May be used in sections : defaults | frontend | listen | backend
1312 no | yes | yes | no
1313 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001314 <address> is optional and can be a host name, an IPv4 address, an IPv6
1315 address, or '*'. It designates the address the frontend will
1316 listen on. If unset, all IPv4 addresses of the system will be
1317 listened on. The same will apply for '*' or the system's
1318 special address "0.0.0.0".
1319
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001320 <port_range> is either a unique TCP port, or a port range for which the
1321 proxy will accept connections for the IP address specified
1322 above. The port is mandatory. Note that in the case of an
1323 IPv6 address, the port is always the number after the last
1324 colon (':'). A range can either be :
1325 - a numerical port (ex: '80')
1326 - a dash-delimited ports range explicitly stating the lower
1327 and upper bounds (ex: '2000-2100') which are included in
1328 the range.
1329
1330 Particular care must be taken against port ranges, because
1331 every <address:port> couple consumes one socket (= a file
1332 descriptor), so it's easy to consume lots of descriptors
1333 with a simple range, and to run out of sockets. Also, each
1334 <address:port> couple must be used only once among all
1335 instances running on a same system. Please note that binding
1336 to ports lower than 1024 generally require particular
1337 privileges to start the program, which are independant of
1338 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001339
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001340 <interface> is an optional physical interface name. This is currently
1341 only supported on Linux. The interface must be a physical
1342 interface, not an aliased interface. When specified, all
1343 addresses on the same line will only be accepted if the
1344 incoming packet physically come through the designated
1345 interface. It is also possible to bind multiple frontends to
1346 the same address if they are bound to different interfaces.
1347 Note that binding to a physical interface requires root
1348 privileges.
1349
Willy Tarreaube1b9182009-06-14 18:48:19 +02001350 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1351 advertised on incoming connections. This can be used to force
1352 a lower MSS for certain specific ports, for instance for
1353 connections passing through a VPN. Note that this relies on a
1354 kernel feature which is theorically supported under Linux but
1355 was buggy in all versions prior to 2.6.28. It may or may not
1356 work on other operating systems. The commonly advertised
1357 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1358
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001359 <id> is a persistent value for socket ID. Must be positive and
1360 unique in the proxy. An unused value will automatically be
1361 assigned if unset. Can only be used when defining only a
1362 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001363
1364 <name> is an optional name provided for stats
1365
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001366 transparent is an optional keyword which is supported only on certain
1367 Linux kernels. It indicates that the addresses will be bound
1368 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001369 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001370 the address was locally configured. This normally requires
1371 that IP forwarding is enabled. Caution! do not use this with
1372 the default address '*', as it would redirect any traffic for
1373 the specified port. This keyword is available only when
1374 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001375
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001376 defer_accept is an optional keyword which is supported only on certain
1377 Linux kernels. It states that a connection will only be
1378 accepted once some data arrive on it, or at worst after the
1379 first retransmit. This should be used only on protocols for
1380 which the client talks first (eg: HTTP). It can slightly
1381 improve performance by ensuring that most of the request is
1382 already available when the connection is accepted. On the
1383 other hand, it will not be able to detect connections which
1384 don't talk. It is important to note that this option is
1385 broken in all kernels up to 2.6.31, as the connection is
1386 never accepted until the client talks. This can cause issues
1387 with front firewalls which would see an established
1388 connection while the proxy will only see it in SYN_RECV.
1389
Willy Tarreau0ba27502007-12-24 16:55:16 +01001390 It is possible to specify a list of address:port combinations delimited by
1391 commas. The frontend will then listen on all of these addresses. There is no
1392 fixed limit to the number of addresses and ports which can be listened on in
1393 a frontend, as well as there is no limit to the number of "bind" statements
1394 in a frontend.
1395
1396 Example :
1397 listen http_proxy
1398 bind :80,:443
1399 bind 10.0.0.1:10080,10.0.0.1:10443
1400
1401 See also : "source".
1402
1403
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001404bind-process [ all | odd | even | <number 1-32> ] ...
1405 Limit visibility of an instance to a certain set of processes numbers.
1406 May be used in sections : defaults | frontend | listen | backend
1407 yes | yes | yes | yes
1408 Arguments :
1409 all All process will see this instance. This is the default. It
1410 may be used to override a default value.
1411
1412 odd This instance will be enabled on processes 1,3,5,...31. This
1413 option may be combined with other numbers.
1414
1415 even This instance will be enabled on processes 2,4,6,...32. This
1416 option may be combined with other numbers. Do not use it
1417 with less than 2 processes otherwise some instances might be
1418 missing from all processes.
1419
1420 number The instance will be enabled on this process number, between
1421 1 and 32. You must be careful not to reference a process
1422 number greater than the configured global.nbproc, otherwise
1423 some instances might be missing from all processes.
1424
1425 This keyword limits binding of certain instances to certain processes. This
1426 is useful in order not to have too many processes listening to the same
1427 ports. For instance, on a dual-core machine, it might make sense to set
1428 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1429 and 'even' instances.
1430
1431 At the moment, it is not possible to reference more than 32 processes using
1432 this keyword, but this should be more than enough for most setups. Please
1433 note that 'all' really means all processes and is not limited to the first
1434 32.
1435
1436 If some backends are referenced by frontends bound to other processes, the
1437 backend automatically inherits the frontend's processes.
1438
1439 Example :
1440 listen app_ip1
1441 bind 10.0.0.1:80
1442 bind_process odd
1443
1444 listen app_ip2
1445 bind 10.0.0.2:80
1446 bind_process even
1447
1448 listen management
1449 bind 10.0.0.3:80
1450 bind_process 1 2 3 4
1451
1452 See also : "nbproc" in global section.
1453
1454
Willy Tarreau0ba27502007-12-24 16:55:16 +01001455block { if | unless } <condition>
1456 Block a layer 7 request if/unless a condition is matched
1457 May be used in sections : defaults | frontend | listen | backend
1458 no | yes | yes | yes
1459
1460 The HTTP request will be blocked very early in the layer 7 processing
1461 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001462 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001463 typically used to deny access to certain sensible resources if some
1464 conditions are met or not met. There is no fixed limit to the number of
1465 "block" statements per instance.
1466
1467 Example:
1468 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1469 acl invalid_src src_port 0:1023
1470 acl local_dst hdr(host) -i localhost
1471 block if invalid_src || local_dst
1472
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001473 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001474
1475
1476capture cookie <name> len <length>
1477 Capture and log a cookie in the request and in the response.
1478 May be used in sections : defaults | frontend | listen | backend
1479 no | yes | yes | no
1480 Arguments :
1481 <name> is the beginning of the name of the cookie to capture. In order
1482 to match the exact name, simply suffix the name with an equal
1483 sign ('='). The full name will appear in the logs, which is
1484 useful with application servers which adjust both the cookie name
1485 and value (eg: ASPSESSIONXXXXX).
1486
1487 <length> is the maximum number of characters to report in the logs, which
1488 include the cookie name, the equal sign and the value, all in the
1489 standard "name=value" form. The string will be truncated on the
1490 right if it exceeds <length>.
1491
1492 Only the first cookie is captured. Both the "cookie" request headers and the
1493 "set-cookie" response headers are monitored. This is particularly useful to
1494 check for application bugs causing session crossing or stealing between
1495 users, because generally the user's cookies can only change on a login page.
1496
1497 When the cookie was not presented by the client, the associated log column
1498 will report "-". When a request does not cause a cookie to be assigned by the
1499 server, a "-" is reported in the response column.
1500
1501 The capture is performed in the frontend only because it is necessary that
1502 the log format does not change for a given frontend depending on the
1503 backends. This may change in the future. Note that there can be only one
1504 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001505 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001506 specify a capture in a "defaults" section.
1507
1508 Example:
1509 capture cookie ASPSESSION len 32
1510
1511 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001512 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001513
1514
1515capture request header <name> len <length>
1516 Capture and log the first occurrence of the specified request header.
1517 May be used in sections : defaults | frontend | listen | backend
1518 no | yes | yes | no
1519 Arguments :
1520 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001521 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001522 appear in the requests, with the first letter of each word in
1523 upper case. The header name will not appear in the logs, only the
1524 value is reported, but the position in the logs is respected.
1525
1526 <length> is the maximum number of characters to extract from the value and
1527 report in the logs. The string will be truncated on the right if
1528 it exceeds <length>.
1529
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001530 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001531 value will be added to the logs between braces ('{}'). If multiple headers
1532 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001533 in the same order they were declared in the configuration. Non-existent
1534 headers will be logged just as an empty string. Common uses for request
1535 header captures include the "Host" field in virtual hosting environments, the
1536 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001537 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001538 environments to find where the request came from.
1539
1540 Note that when capturing headers such as "User-agent", some spaces may be
1541 logged, making the log analysis more difficult. Thus be careful about what
1542 you log if you know your log parser is not smart enough to rely on the
1543 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001544
1545 There is no limit to the number of captured request headers, but each capture
1546 is limited to 64 characters. In order to keep log format consistent for a
1547 same frontend, header captures can only be declared in a frontend. It is not
1548 possible to specify a capture in a "defaults" section.
1549
1550 Example:
1551 capture request header Host len 15
1552 capture request header X-Forwarded-For len 15
1553 capture request header Referrer len 15
1554
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001555 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001556 about logging.
1557
1558
1559capture response header <name> len <length>
1560 Capture and log the first occurrence of the specified response header.
1561 May be used in sections : defaults | frontend | listen | backend
1562 no | yes | yes | no
1563 Arguments :
1564 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001565 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001566 appear in the response, with the first letter of each word in
1567 upper case. The header name will not appear in the logs, only the
1568 value is reported, but the position in the logs is respected.
1569
1570 <length> is the maximum number of characters to extract from the value and
1571 report in the logs. The string will be truncated on the right if
1572 it exceeds <length>.
1573
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001574 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001575 result will be added to the logs between braces ('{}') after the captured
1576 request headers. If multiple headers are captured, they will be delimited by
1577 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001578 the configuration. Non-existent headers will be logged just as an empty
1579 string. Common uses for response header captures include the "Content-length"
1580 header which indicates how many bytes are expected to be returned, the
1581 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001582
1583 There is no limit to the number of captured response headers, but each
1584 capture is limited to 64 characters. In order to keep log format consistent
1585 for a same frontend, header captures can only be declared in a frontend. It
1586 is not possible to specify a capture in a "defaults" section.
1587
1588 Example:
1589 capture response header Content-length len 9
1590 capture response header Location len 15
1591
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001592 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001593 about logging.
1594
1595
Cyril Bontéf0c60612010-02-06 14:44:47 +01001596clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001597 Set the maximum inactivity time on the client side.
1598 May be used in sections : defaults | frontend | listen | backend
1599 yes | yes | yes | no
1600 Arguments :
1601 <timeout> is the timeout value is specified in milliseconds by default, but
1602 can be in any other unit if the number is suffixed by the unit,
1603 as explained at the top of this document.
1604
1605 The inactivity timeout applies when the client is expected to acknowledge or
1606 send data. In HTTP mode, this timeout is particularly important to consider
1607 during the first phase, when the client sends the request, and during the
1608 response while it is reading data sent by the server. The value is specified
1609 in milliseconds by default, but can be in any other unit if the number is
1610 suffixed by the unit, as specified at the top of this document. In TCP mode
1611 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1612 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001613 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001614 losses by specifying timeouts that are slightly above multiples of 3 seconds
1615 (eg: 4 or 5 seconds).
1616
1617 This parameter is specific to frontends, but can be specified once for all in
1618 "defaults" sections. This is in fact one of the easiest solutions not to
1619 forget about it. An unspecified timeout results in an infinite timeout, which
1620 is not recommended. Such a usage is accepted and works but reports a warning
1621 during startup because it may results in accumulation of expired sessions in
1622 the system if the system's timeouts are not configured either.
1623
1624 This parameter is provided for compatibility but is currently deprecated.
1625 Please use "timeout client" instead.
1626
Willy Tarreau036fae02008-01-06 13:24:40 +01001627 See also : "timeout client", "timeout http-request", "timeout server", and
1628 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001629
1630
Cyril Bontéf0c60612010-02-06 14:44:47 +01001631contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001632 Set the maximum time to wait for a connection attempt to a server to succeed.
1633 May be used in sections : defaults | frontend | listen | backend
1634 yes | no | yes | yes
1635 Arguments :
1636 <timeout> is the timeout value is specified in milliseconds by default, but
1637 can be in any other unit if the number is suffixed by the unit,
1638 as explained at the top of this document.
1639
1640 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001641 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001642 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001643 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1644 connect timeout also presets the queue timeout to the same value if this one
1645 has not been specified. Historically, the contimeout was also used to set the
1646 tarpit timeout in a listen section, which is not possible in a pure frontend.
1647
1648 This parameter is specific to backends, but can be specified once for all in
1649 "defaults" sections. This is in fact one of the easiest solutions not to
1650 forget about it. An unspecified timeout results in an infinite timeout, which
1651 is not recommended. Such a usage is accepted and works but reports a warning
1652 during startup because it may results in accumulation of failed sessions in
1653 the system if the system's timeouts are not configured either.
1654
1655 This parameter is provided for backwards compatibility but is currently
1656 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1657 instead.
1658
1659 See also : "timeout connect", "timeout queue", "timeout tarpit",
1660 "timeout server", "contimeout".
1661
1662
Willy Tarreau55165fe2009-05-10 12:02:55 +02001663cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau68a897b2009-12-03 23:28:34 +01001664 [ postonly ] [ domain <domain> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01001665 Enable cookie-based persistence in a backend.
1666 May be used in sections : defaults | frontend | listen | backend
1667 yes | no | yes | yes
1668 Arguments :
1669 <name> is the name of the cookie which will be monitored, modified or
1670 inserted in order to bring persistence. This cookie is sent to
1671 the client via a "Set-Cookie" header in the response, and is
1672 brought back by the client in a "Cookie" header in all requests.
1673 Special care should be taken to choose a name which does not
1674 conflict with any likely application cookie. Also, if the same
1675 backends are subject to be used by the same clients (eg:
1676 HTTP/HTTPS), care should be taken to use different cookie names
1677 between all backends if persistence between them is not desired.
1678
1679 rewrite This keyword indicates that the cookie will be provided by the
1680 server and that haproxy will have to modify its value to set the
1681 server's identifier in it. This mode is handy when the management
1682 of complex combinations of "Set-cookie" and "Cache-control"
1683 headers is left to the application. The application can then
1684 decide whether or not it is appropriate to emit a persistence
1685 cookie. Since all responses should be monitored, this mode only
1686 works in HTTP close mode. Unless the application behaviour is
1687 very complex and/or broken, it is advised not to start with this
1688 mode for new deployments. This keyword is incompatible with
1689 "insert" and "prefix".
1690
1691 insert This keyword indicates that the persistence cookie will have to
1692 be inserted by haproxy in the responses. If the server emits a
1693 cookie with the same name, it will be replaced anyway. For this
1694 reason, this mode can be used to upgrade existing configurations
1695 running in the "rewrite" mode. The cookie will only be a session
1696 cookie and will not be stored on the client's disk. Due to
1697 caching effects, it is generally wise to add the "indirect" and
1698 "nocache" or "postonly" keywords (see below). The "insert"
1699 keyword is not compatible with "rewrite" and "prefix".
1700
1701 prefix This keyword indicates that instead of relying on a dedicated
1702 cookie for the persistence, an existing one will be completed.
1703 This may be needed in some specific environments where the client
1704 does not support more than one single cookie and the application
1705 already needs it. In this case, whenever the server sets a cookie
1706 named <name>, it will be prefixed with the server's identifier
1707 and a delimiter. The prefix will be removed from all client
1708 requests so that the server still finds the cookie it emitted.
1709 Since all requests and responses are subject to being modified,
1710 this mode requires the HTTP close mode. The "prefix" keyword is
1711 not compatible with "rewrite" and "insert".
1712
1713 indirect When this option is specified in insert mode, cookies will only
1714 be added when the server was not reached after a direct access,
1715 which means that only when a server is elected after applying a
1716 load-balancing algorithm, or after a redispatch, then the cookie
1717 will be inserted. If the client has all the required information
1718 to connect to the same server next time, no further cookie will
1719 be inserted. In all cases, when the "indirect" option is used in
1720 insert mode, the cookie is always removed from the requests
1721 transmitted to the server. The persistence mechanism then becomes
1722 totally transparent from the application point of view.
1723
1724 nocache This option is recommended in conjunction with the insert mode
1725 when there is a cache between the client and HAProxy, as it
1726 ensures that a cacheable response will be tagged non-cacheable if
1727 a cookie needs to be inserted. This is important because if all
1728 persistence cookies are added on a cacheable home page for
1729 instance, then all customers will then fetch the page from an
1730 outer cache and will all share the same persistence cookie,
1731 leading to one server receiving much more traffic than others.
1732 See also the "insert" and "postonly" options.
1733
1734 postonly This option ensures that cookie insertion will only be performed
1735 on responses to POST requests. It is an alternative to the
1736 "nocache" option, because POST responses are not cacheable, so
1737 this ensures that the persistence cookie will never get cached.
1738 Since most sites do not need any sort of persistence before the
1739 first POST which generally is a login request, this is a very
1740 efficient method to optimize caching without risking to find a
1741 persistence cookie in the cache.
1742 See also the "insert" and "nocache" options.
1743
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001744 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001745 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001746 name. If the domain begins with a dot, the browser is allowed to
1747 use it for any host ending with that name. It is also possible to
1748 specify several domain names by invoking this option multiple
1749 times. Some browsers might have small limits on the number of
1750 domains, so be careful when doing that. For the record, sending
1751 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001752
Willy Tarreau0ba27502007-12-24 16:55:16 +01001753 There can be only one persistence cookie per HTTP backend, and it can be
1754 declared in a defaults section. The value of the cookie will be the value
1755 indicated after the "cookie" keyword in a "server" statement. If no cookie
1756 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001757
Willy Tarreau0ba27502007-12-24 16:55:16 +01001758 Examples :
1759 cookie JSESSIONID prefix
1760 cookie SRV insert indirect nocache
1761 cookie SRV insert postonly indirect
1762
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001763 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001764 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001765
Willy Tarreau983e01e2010-01-11 18:42:06 +01001766
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001767default-server [param*]
1768 Change default options for a server in a backend
1769 May be used in sections : defaults | frontend | listen | backend
1770 yes | no | yes | yes
1771 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001772 <param*> is a list of parameters for this server. The "default-server"
1773 keyword accepts an important number of options and has a complete
1774 section dedicated to it. Please refer to section 5 for more
1775 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001776
Willy Tarreau983e01e2010-01-11 18:42:06 +01001777 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001778 default-server inter 1000 weight 13
1779
1780 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001781
Willy Tarreau983e01e2010-01-11 18:42:06 +01001782
Willy Tarreau0ba27502007-12-24 16:55:16 +01001783default_backend <backend>
1784 Specify the backend to use when no "use_backend" rule has been matched.
1785 May be used in sections : defaults | frontend | listen | backend
1786 yes | yes | yes | no
1787 Arguments :
1788 <backend> is the name of the backend to use.
1789
1790 When doing content-switching between frontend and backends using the
1791 "use_backend" keyword, it is often useful to indicate which backend will be
1792 used when no rule has matched. It generally is the dynamic backend which
1793 will catch all undetermined requests.
1794
Willy Tarreau0ba27502007-12-24 16:55:16 +01001795 Example :
1796
1797 use_backend dynamic if url_dyn
1798 use_backend static if url_css url_img extension_img
1799 default_backend dynamic
1800
Willy Tarreau2769aa02007-12-27 18:26:09 +01001801 See also : "use_backend", "reqsetbe", "reqisetbe"
1802
Willy Tarreau0ba27502007-12-24 16:55:16 +01001803
1804disabled
1805 Disable a proxy, frontend or backend.
1806 May be used in sections : defaults | frontend | listen | backend
1807 yes | yes | yes | yes
1808 Arguments : none
1809
1810 The "disabled" keyword is used to disable an instance, mainly in order to
1811 liberate a listening port or to temporarily disable a service. The instance
1812 will still be created and its configuration will be checked, but it will be
1813 created in the "stopped" state and will appear as such in the statistics. It
1814 will not receive any traffic nor will it send any health-checks or logs. It
1815 is possible to disable many instances at once by adding the "disabled"
1816 keyword in a "defaults" section.
1817
1818 See also : "enabled"
1819
1820
Willy Tarreau5ce94572010-06-07 14:35:41 +02001821dispatch <address>:<port>
1822 Set a default server address
1823 May be used in sections : defaults | frontend | listen | backend
1824 no | no | yes | yes
1825 Arguments : none
1826
1827 <address> is the IPv4 address of the default server. Alternatively, a
1828 resolvable hostname is supported, but this name will be resolved
1829 during start-up.
1830
1831 <ports> is a mandatory port specification. All connections will be sent
1832 to this port, and it is not permitted to use port offsets as is
1833 possible with normal servers.
1834
1835 The "disabled" keyword designates a default server for use when no other
1836 server can take the connection. In the past it was used to forward non
1837 persistent connections to an auxiliary load balancer. Due to its simple
1838 syntax, it has also been used for simple TCP relays. It is recommended not to
1839 use it for more clarity, and to use the "server" directive instead.
1840
1841 See also : "server"
1842
1843
Willy Tarreau0ba27502007-12-24 16:55:16 +01001844enabled
1845 Enable a proxy, frontend or backend.
1846 May be used in sections : defaults | frontend | listen | backend
1847 yes | yes | yes | yes
1848 Arguments : none
1849
1850 The "enabled" keyword is used to explicitly enable an instance, when the
1851 defaults has been set to "disabled". This is very rarely used.
1852
1853 See also : "disabled"
1854
1855
1856errorfile <code> <file>
1857 Return a file contents instead of errors generated by HAProxy
1858 May be used in sections : defaults | frontend | listen | backend
1859 yes | yes | yes | yes
1860 Arguments :
1861 <code> is the HTTP status code. Currently, HAProxy is capable of
1862 generating codes 400, 403, 408, 500, 502, 503, and 504.
1863
1864 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001865 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001866 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001867 error pages, and to use absolute paths, since files are read
1868 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001869
1870 It is important to understand that this keyword is not meant to rewrite
1871 errors returned by the server, but errors detected and returned by HAProxy.
1872 This is why the list of supported errors is limited to a small set.
1873
1874 The files are returned verbatim on the TCP socket. This allows any trick such
1875 as redirections to another URL or site, as well as tricks to clean cookies,
1876 force enable or disable caching, etc... The package provides default error
1877 files returning the same contents as default errors.
1878
Willy Tarreau59140a22009-02-22 12:02:30 +01001879 The files should not exceed the configured buffer size (BUFSIZE), which
1880 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1881 not to put any reference to local contents (eg: images) in order to avoid
1882 loops between the client and HAProxy when all servers are down, causing an
1883 error to be returned instead of an image. For better HTTP compliance, it is
1884 recommended that all header lines end with CR-LF and not LF alone.
1885
Willy Tarreau0ba27502007-12-24 16:55:16 +01001886 The files are read at the same time as the configuration and kept in memory.
1887 For this reason, the errors continue to be returned even when the process is
1888 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001889 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001890 403 status code and interrogating a blocked URL.
1891
1892 See also : "errorloc", "errorloc302", "errorloc303"
1893
Willy Tarreau59140a22009-02-22 12:02:30 +01001894 Example :
1895 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1896 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1897 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1898
Willy Tarreau2769aa02007-12-27 18:26:09 +01001899
1900errorloc <code> <url>
1901errorloc302 <code> <url>
1902 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1903 May be used in sections : defaults | frontend | listen | backend
1904 yes | yes | yes | yes
1905 Arguments :
1906 <code> is the HTTP status code. Currently, HAProxy is capable of
1907 generating codes 400, 403, 408, 500, 502, 503, and 504.
1908
1909 <url> it is the exact contents of the "Location" header. It may contain
1910 either a relative URI to an error page hosted on the same site,
1911 or an absolute URI designating an error page on another site.
1912 Special care should be given to relative URIs to avoid redirect
1913 loops if the URI itself may generate the same error (eg: 500).
1914
1915 It is important to understand that this keyword is not meant to rewrite
1916 errors returned by the server, but errors detected and returned by HAProxy.
1917 This is why the list of supported errors is limited to a small set.
1918
1919 Note that both keyword return the HTTP 302 status code, which tells the
1920 client to fetch the designated URL using the same HTTP method. This can be
1921 quite problematic in case of non-GET methods such as POST, because the URL
1922 sent to the client might not be allowed for something other than GET. To
1923 workaround this problem, please use "errorloc303" which send the HTTP 303
1924 status code, indicating to the client that the URL must be fetched with a GET
1925 request.
1926
1927 See also : "errorfile", "errorloc303"
1928
1929
1930errorloc303 <code> <url>
1931 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1932 May be used in sections : defaults | frontend | listen | backend
1933 yes | yes | yes | yes
1934 Arguments :
1935 <code> is the HTTP status code. Currently, HAProxy is capable of
1936 generating codes 400, 403, 408, 500, 502, 503, and 504.
1937
1938 <url> it is the exact contents of the "Location" header. It may contain
1939 either a relative URI to an error page hosted on the same site,
1940 or an absolute URI designating an error page on another site.
1941 Special care should be given to relative URIs to avoid redirect
1942 loops if the URI itself may generate the same error (eg: 500).
1943
1944 It is important to understand that this keyword is not meant to rewrite
1945 errors returned by the server, but errors detected and returned by HAProxy.
1946 This is why the list of supported errors is limited to a small set.
1947
1948 Note that both keyword return the HTTP 303 status code, which tells the
1949 client to fetch the designated URL using the same HTTP GET method. This
1950 solves the usual problems associated with "errorloc" and the 302 code. It is
1951 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001952 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001953
1954 See also : "errorfile", "errorloc", "errorloc302"
1955
1956
Willy Tarreau4de91492010-01-22 19:10:05 +01001957force-persist { if | unless } <condition>
1958 Declare a condition to force persistence on down servers
1959 May be used in sections: defaults | frontend | listen | backend
1960 no | yes | yes | yes
1961
1962 By default, requests are not dispatched to down servers. It is possible to
1963 force this using "option persist", but it is unconditional and redispatches
1964 to a valid server if "option redispatch" is set. That leaves with very little
1965 possibilities to force some requests to reach a server which is artificially
1966 marked down for maintenance operations.
1967
1968 The "force-persist" statement allows one to declare various ACL-based
1969 conditions which, when met, will cause a request to ignore the down status of
1970 a server and still try to connect to it. That makes it possible to start a
1971 server, still replying an error to the health checks, and run a specially
1972 configured browser to test the service. Among the handy methods, one could
1973 use a specific source IP address, or a specific cookie. The cookie also has
1974 the advantage that it can easily be added/removed on the browser from a test
1975 page. Once the service is validated, it is then possible to open the service
1976 to the world by returning a valid response to health checks.
1977
1978 The forced persistence is enabled when an "if" condition is met, or unless an
1979 "unless" condition is met. The final redispatch is always disabled when this
1980 is used.
1981
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001982 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001983 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01001984
1985
Willy Tarreau2769aa02007-12-27 18:26:09 +01001986fullconn <conns>
1987 Specify at what backend load the servers will reach their maxconn
1988 May be used in sections : defaults | frontend | listen | backend
1989 yes | no | yes | yes
1990 Arguments :
1991 <conns> is the number of connections on the backend which will make the
1992 servers use the maximal number of connections.
1993
Willy Tarreau198a7442008-01-17 12:05:32 +01001994 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01001995 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01001996 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01001997 load. The server will then always accept at least <minconn> connections,
1998 never more than <maxconn>, and the limit will be on the ramp between both
1999 values when the backend has less than <conns> concurrent connections. This
2000 makes it possible to limit the load on the servers during normal loads, but
2001 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002002 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002003
2004 Example :
2005 # The servers will accept between 100 and 1000 concurrent connections each
2006 # and the maximum of 1000 will be reached when the backend reaches 10000
2007 # connections.
2008 backend dynamic
2009 fullconn 10000
2010 server srv1 dyn1:80 minconn 100 maxconn 1000
2011 server srv2 dyn2:80 minconn 100 maxconn 1000
2012
2013 See also : "maxconn", "server"
2014
2015
2016grace <time>
2017 Maintain a proxy operational for some time after a soft stop
2018 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002019 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002020 Arguments :
2021 <time> is the time (by default in milliseconds) for which the instance
2022 will remain operational with the frontend sockets still listening
2023 when a soft-stop is received via the SIGUSR1 signal.
2024
2025 This may be used to ensure that the services disappear in a certain order.
2026 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002027 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002028 needed by the equipment to detect the failure.
2029
2030 Note that currently, there is very little benefit in using this parameter,
2031 and it may in fact complicate the soft-reconfiguration process more than
2032 simplify it.
2033
Willy Tarreau0ba27502007-12-24 16:55:16 +01002034
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002035hash-type <method>
2036 Specify a method to use for mapping hashes to servers
2037 May be used in sections : defaults | frontend | listen | backend
2038 yes | no | yes | yes
2039 Arguments :
2040 map-based the hash table is a static array containing all alive servers.
2041 The hashes will be very smooth, will consider weights, but will
2042 be static in that weight changes while a server is up will be
2043 ignored. This means that there will be no slow start. Also,
2044 since a server is selected by its position in the array, most
2045 mappings are changed when the server count changes. This means
2046 that when a server goes up or down, or when a server is added
2047 to a farm, most connections will be redistributed to different
2048 servers. This can be inconvenient with caches for instance.
2049
2050 consistent the hash table is a tree filled with many occurrences of each
2051 server. The hash key is looked up in the tree and the closest
2052 server is chosen. This hash is dynamic, it supports changing
2053 weights while the servers are up, so it is compatible with the
2054 slow start feature. It has the advantage that when a server
2055 goes up or down, only its associations are moved. When a server
2056 is added to the farm, only a few part of the mappings are
2057 redistributed, making it an ideal algorithm for caches.
2058 However, due to its principle, the algorithm will never be very
2059 smooth and it may sometimes be necessary to adjust a server's
2060 weight or its ID to get a more balanced distribution. In order
2061 to get the same distribution on multiple load balancers, it is
2062 important that all servers have the same IDs.
2063
2064 The default hash type is "map-based" and is recommended for most usages.
2065
2066 See also : "balance", "server"
2067
2068
Willy Tarreau0ba27502007-12-24 16:55:16 +01002069http-check disable-on-404
2070 Enable a maintenance mode upon HTTP/404 response to health-checks
2071 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002072 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002073 Arguments : none
2074
2075 When this option is set, a server which returns an HTTP code 404 will be
2076 excluded from further load-balancing, but will still receive persistent
2077 connections. This provides a very convenient method for Web administrators
2078 to perform a graceful shutdown of their servers. It is also important to note
2079 that a server which is detected as failed while it was in this mode will not
2080 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2081 will immediately be reinserted into the farm. The status on the stats page
2082 reports "NOLB" for a server in this mode. It is important to note that this
2083 option only works in conjunction with the "httpchk" option.
2084
Willy Tarreau2769aa02007-12-27 18:26:09 +01002085 See also : "option httpchk"
2086
2087
Willy Tarreauef781042010-01-27 11:53:01 +01002088http-check send-state
2089 Enable emission of a state header with HTTP health checks
2090 May be used in sections : defaults | frontend | listen | backend
2091 yes | no | yes | yes
2092 Arguments : none
2093
2094 When this option is set, haproxy will systematically send a special header
2095 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2096 how they are seen by haproxy. This can be used for instance when a server is
2097 manipulated without access to haproxy and the operator needs to know whether
2098 haproxy still sees it up or not, or if the server is the last one in a farm.
2099
2100 The header is composed of fields delimited by semi-colons, the first of which
2101 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2102 checks on the total number before transition, just as appears in the stats
2103 interface. Next headers are in the form "<variable>=<value>", indicating in
2104 no specific order some values available in the stats interface :
2105 - a variable "name", containing the name of the backend followed by a slash
2106 ("/") then the name of the server. This can be used when a server is
2107 checked in multiple backends.
2108
2109 - a variable "node" containing the name of the haproxy node, as set in the
2110 global "node" variable, otherwise the system's hostname if unspecified.
2111
2112 - a variable "weight" indicating the weight of the server, a slash ("/")
2113 and the total weight of the farm (just counting usable servers). This
2114 helps to know if other servers are available to handle the load when this
2115 one fails.
2116
2117 - a variable "scur" indicating the current number of concurrent connections
2118 on the server, followed by a slash ("/") then the total number of
2119 connections on all servers of the same backend.
2120
2121 - a variable "qcur" indicating the current number of requests in the
2122 server's queue.
2123
2124 Example of a header received by the application server :
2125 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2126 scur=13/22; qcur=0
2127
2128 See also : "option httpchk", "http-check disable-on-404"
2129
Cyril Bontéf0c60612010-02-06 14:44:47 +01002130http-request { allow | deny | http-auth [realm <realm>] }
2131 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002132 Access control for Layer 7 requests
2133
2134 May be used in sections: defaults | frontend | listen | backend
2135 no | yes | yes | yes
2136
2137 These set of options allow to fine control access to a
2138 frontend/listen/backend. Each option may be followed by if/unless and acl.
2139 First option with matched condition (or option without condition) is final.
2140 For "block" a 403 error will be returned, for "allow" normal processing is
2141 performed, for "http-auth" a 401/407 error code is returned so the client
2142 should be asked to enter a username and password.
2143
2144 There is no fixed limit to the number of http-request statements per
2145 instance.
2146
2147 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002148 acl nagios src 192.168.129.3
2149 acl local_net src 192.168.0.0/16
2150 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002151
Cyril Bonté78caf842010-03-10 22:41:43 +01002152 http-request allow if nagios
2153 http-request allow if local_net auth_ok
2154 http-request auth realm Gimme if local_net auth_ok
2155 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002156
Cyril Bonté78caf842010-03-10 22:41:43 +01002157 Example:
2158 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002159
Cyril Bonté78caf842010-03-10 22:41:43 +01002160 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002161
2162 See section 3.4 about userlists and 7 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002163
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002164id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002165 Set a persistent ID to a proxy.
2166 May be used in sections : defaults | frontend | listen | backend
2167 no | yes | yes | yes
2168 Arguments : none
2169
2170 Set a persistent ID for the proxy. This ID must be unique and positive.
2171 An unused ID will automatically be assigned if unset. The first assigned
2172 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002173
2174
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002175ignore-persist { if | unless } <condition>
2176 Declare a condition to ignore persistence
2177 May be used in sections: defaults | frontend | listen | backend
2178 no | yes | yes | yes
2179
2180 By default, when cookie persistence is enabled, every requests containing
2181 the cookie are unconditionally persistent (assuming the target server is up
2182 and running).
2183
2184 The "ignore-persist" statement allows one to declare various ACL-based
2185 conditions which, when met, will cause a request to ignore persistence.
2186 This is sometimes useful to load balance requests for static files, which
2187 oftenly don't require persistence. This can also be used to fully disable
2188 persistence for a specific User-Agent (for example, some web crawler bots).
2189
2190 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2191 the appsession table won't grow if persistence is ignored.
2192
2193 The persistence is ignored when an "if" condition is met, or unless an
2194 "unless" condition is met.
2195
2196 See also : "force-persist", "cookie", and section 7 about ACL usage.
2197
2198
Willy Tarreau2769aa02007-12-27 18:26:09 +01002199log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002200log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01002201 Enable per-instance logging of events and traffic.
2202 May be used in sections : defaults | frontend | listen | backend
2203 yes | yes | yes | yes
2204 Arguments :
2205 global should be used when the instance's logging parameters are the
2206 same as the global ones. This is the most common usage. "global"
2207 replaces <address>, <facility> and <level> with those of the log
2208 entries found in the "global" section. Only one "log global"
2209 statement may be used per instance, and this form takes no other
2210 parameter.
2211
2212 <address> indicates where to send the logs. It takes the same format as
2213 for the "global" section's logs, and can be one of :
2214
2215 - An IPv4 address optionally followed by a colon (':') and a UDP
2216 port. If no port is specified, 514 is used by default (the
2217 standard syslog port).
2218
2219 - A filesystem path to a UNIX domain socket, keeping in mind
2220 considerations for chroot (be sure the path is accessible
2221 inside the chroot) and uid/gid (be sure the path is
2222 appropriately writeable).
2223
2224 <facility> must be one of the 24 standard syslog facilities :
2225
2226 kern user mail daemon auth syslog lpr news
2227 uucp cron auth2 ftp ntp audit alert cron2
2228 local0 local1 local2 local3 local4 local5 local6 local7
2229
2230 <level> is optional and can be specified to filter outgoing messages. By
2231 default, all messages are sent. If a level is specified, only
2232 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002233 will be sent. An optional minimum level can be specified. If it
2234 is set, logs emitted with a more severe level than this one will
2235 be capped to this level. This is used to avoid sending "emerg"
2236 messages on all terminals on some default syslog configurations.
2237 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002238
2239 emerg alert crit err warning notice info debug
2240
2241 Note that up to two "log" entries may be specified per instance. However, if
2242 "log global" is used and if the "global" section already contains 2 log
2243 entries, then additional log entries will be ignored.
2244
2245 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002246 what to log from a connection, and that in case of content switching, the log
2247 entries from the backend will be ignored. Connections are logged at level
2248 "info".
2249
2250 However, backend log declaration define how and where servers status changes
2251 will be logged. Level "notice" will be used to indicate a server going up,
2252 "warning" will be used for termination signals and definitive service
2253 termination, and "alert" will be used for when a server goes down.
2254
2255 Note : According to RFC3164, messages are truncated to 1024 bytes before
2256 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002257
2258 Example :
2259 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002260 log 127.0.0.1:514 local0 notice # only send important events
2261 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002262
2263
2264maxconn <conns>
2265 Fix the maximum number of concurrent connections on a frontend
2266 May be used in sections : defaults | frontend | listen | backend
2267 yes | yes | yes | no
2268 Arguments :
2269 <conns> is the maximum number of concurrent connections the frontend will
2270 accept to serve. Excess connections will be queued by the system
2271 in the socket's listen queue and will be served once a connection
2272 closes.
2273
2274 If the system supports it, it can be useful on big sites to raise this limit
2275 very high so that haproxy manages connection queues, instead of leaving the
2276 clients with unanswered connection attempts. This value should not exceed the
2277 global maxconn. Also, keep in mind that a connection contains two buffers
2278 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2279 consumed per established connection. That means that a medium system equipped
2280 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2281 properly tuned.
2282
2283 Also, when <conns> is set to large values, it is possible that the servers
2284 are not sized to accept such loads, and for this reason it is generally wise
2285 to assign them some reasonable connection limits.
2286
2287 See also : "server", global section's "maxconn", "fullconn"
2288
2289
2290mode { tcp|http|health }
2291 Set the running mode or protocol of the instance
2292 May be used in sections : defaults | frontend | listen | backend
2293 yes | yes | yes | yes
2294 Arguments :
2295 tcp The instance will work in pure TCP mode. A full-duplex connection
2296 will be established between clients and servers, and no layer 7
2297 examination will be performed. This is the default mode. It
2298 should be used for SSL, SSH, SMTP, ...
2299
2300 http The instance will work in HTTP mode. The client request will be
2301 analyzed in depth before connecting to any server. Any request
2302 which is not RFC-compliant will be rejected. Layer 7 filtering,
2303 processing and switching will be possible. This is the mode which
2304 brings HAProxy most of its value.
2305
2306 health The instance will work in "health" mode. It will just reply "OK"
2307 to incoming connections and close the connection. Nothing will be
2308 logged. This mode is used to reply to external components health
2309 checks. This mode is deprecated and should not be used anymore as
2310 it is possible to do the same and even better by combining TCP or
2311 HTTP modes with the "monitor" keyword.
2312
2313 When doing content switching, it is mandatory that the frontend and the
2314 backend are in the same mode (generally HTTP), otherwise the configuration
2315 will be refused.
2316
2317 Example :
2318 defaults http_instances
2319 mode http
2320
2321 See also : "monitor", "monitor-net"
2322
Willy Tarreau0ba27502007-12-24 16:55:16 +01002323
Cyril Bontéf0c60612010-02-06 14:44:47 +01002324monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002325 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002326 May be used in sections : defaults | frontend | listen | backend
2327 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002328 Arguments :
2329 if <cond> the monitor request will fail if the condition is satisfied,
2330 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002331 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002332 are met, for instance a low number of servers both in a
2333 backend and its backup.
2334
2335 unless <cond> the monitor request will succeed only if the condition is
2336 satisfied, and will fail otherwise. Such a condition may be
2337 based on a test on the presence of a minimum number of active
2338 servers in a list of backends.
2339
2340 This statement adds a condition which can force the response to a monitor
2341 request to report a failure. By default, when an external component queries
2342 the URI dedicated to monitoring, a 200 response is returned. When one of the
2343 conditions above is met, haproxy will return 503 instead of 200. This is
2344 very useful to report a site failure to an external component which may base
2345 routing advertisements between multiple sites on the availability reported by
2346 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002347 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002348
2349 Example:
2350 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002351 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002352 acl site_dead nbsrv(dynamic) lt 2
2353 acl site_dead nbsrv(static) lt 2
2354 monitor-uri /site_alive
2355 monitor fail if site_dead
2356
Willy Tarreau2769aa02007-12-27 18:26:09 +01002357 See also : "monitor-net", "monitor-uri"
2358
2359
2360monitor-net <source>
2361 Declare a source network which is limited to monitor requests
2362 May be used in sections : defaults | frontend | listen | backend
2363 yes | yes | yes | no
2364 Arguments :
2365 <source> is the source IPv4 address or network which will only be able to
2366 get monitor responses to any request. It can be either an IPv4
2367 address, a host name, or an address followed by a slash ('/')
2368 followed by a mask.
2369
2370 In TCP mode, any connection coming from a source matching <source> will cause
2371 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002372 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002373 forwarding the connection to a remote server.
2374
2375 In HTTP mode, a connection coming from a source matching <source> will be
2376 accepted, the following response will be sent without waiting for a request,
2377 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2378 enough for any front-end HTTP probe to detect that the service is UP and
2379 running without forwarding the request to a backend server.
2380
2381 Monitor requests are processed very early. It is not possible to block nor
2382 divert them using ACLs. They cannot be logged either, and it is the intended
2383 purpose. They are only used to report HAProxy's health to an upper component,
2384 nothing more. Right now, it is not possible to set failure conditions on
2385 requests caught by "monitor-net".
2386
Willy Tarreau95cd2832010-03-04 23:36:33 +01002387 Last, please note that only one "monitor-net" statement can be specified in
2388 a frontend. If more than one is found, only the last one will be considered.
2389
Willy Tarreau2769aa02007-12-27 18:26:09 +01002390 Example :
2391 # addresses .252 and .253 are just probing us.
2392 frontend www
2393 monitor-net 192.168.0.252/31
2394
2395 See also : "monitor fail", "monitor-uri"
2396
2397
2398monitor-uri <uri>
2399 Intercept a URI used by external components' monitor requests
2400 May be used in sections : defaults | frontend | listen | backend
2401 yes | yes | yes | no
2402 Arguments :
2403 <uri> is the exact URI which we want to intercept to return HAProxy's
2404 health status instead of forwarding the request.
2405
2406 When an HTTP request referencing <uri> will be received on a frontend,
2407 HAProxy will not forward it nor log it, but instead will return either
2408 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2409 conditions defined with "monitor fail". This is normally enough for any
2410 front-end HTTP probe to detect that the service is UP and running without
2411 forwarding the request to a backend server. Note that the HTTP method, the
2412 version and all headers are ignored, but the request must at least be valid
2413 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2414
2415 Monitor requests are processed very early. It is not possible to block nor
2416 divert them using ACLs. They cannot be logged either, and it is the intended
2417 purpose. They are only used to report HAProxy's health to an upper component,
2418 nothing more. However, it is possible to add any number of conditions using
2419 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2420 can be imagined (most often the number of available servers in a backend).
2421
2422 Example :
2423 # Use /haproxy_test to report haproxy's status
2424 frontend www
2425 mode http
2426 monitor-uri /haproxy_test
2427
2428 See also : "monitor fail", "monitor-net"
2429
Willy Tarreau0ba27502007-12-24 16:55:16 +01002430
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002431option abortonclose
2432no option abortonclose
2433 Enable or disable early dropping of aborted requests pending in queues.
2434 May be used in sections : defaults | frontend | listen | backend
2435 yes | no | yes | yes
2436 Arguments : none
2437
2438 In presence of very high loads, the servers will take some time to respond.
2439 The per-instance connection queue will inflate, and the response time will
2440 increase respective to the size of the queue times the average per-session
2441 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002442 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002443 the queue, and slowing down other users, and the servers as well, because the
2444 request will eventually be served, then aborted at the first error
2445 encountered while delivering the response.
2446
2447 As there is no way to distinguish between a full STOP and a simple output
2448 close on the client side, HTTP agents should be conservative and consider
2449 that the client might only have closed its output channel while waiting for
2450 the response. However, this introduces risks of congestion when lots of users
2451 do the same, and is completely useless nowadays because probably no client at
2452 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002453 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002454 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002455 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002456 of being the single component to break rare but valid traffic is extremely
2457 low, which adds to the temptation to be able to abort a session early while
2458 still not served and not pollute the servers.
2459
2460 In HAProxy, the user can choose the desired behaviour using the option
2461 "abortonclose". By default (without the option) the behaviour is HTTP
2462 compliant and aborted requests will be served. But when the option is
2463 specified, a session with an incoming channel closed will be aborted while
2464 it is still possible, either pending in the queue for a connection slot, or
2465 during the connection establishment if the server has not yet acknowledged
2466 the connection request. This considerably reduces the queue size and the load
2467 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002468 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002469
2470 If this option has been enabled in a "defaults" section, it can be disabled
2471 in a specific instance by prepending the "no" keyword before it.
2472
2473 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2474
2475
Willy Tarreau4076a152009-04-02 15:18:36 +02002476option accept-invalid-http-request
2477no option accept-invalid-http-request
2478 Enable or disable relaxing of HTTP request parsing
2479 May be used in sections : defaults | frontend | listen | backend
2480 yes | yes | yes | no
2481 Arguments : none
2482
2483 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2484 means that invalid characters in header names are not permitted and cause an
2485 error to be returned to the client. This is the desired behaviour as such
2486 forbidden characters are essentially used to build attacks exploiting server
2487 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2488 server will emit invalid header names for whatever reason (configuration,
2489 implementation) and the issue will not be immediately fixed. In such a case,
2490 it is possible to relax HAProxy's header name parser to accept any character
2491 even if that does not make sense, by specifying this option.
2492
2493 This option should never be enabled by default as it hides application bugs
2494 and open security breaches. It should only be deployed after a problem has
2495 been confirmed.
2496
2497 When this option is enabled, erroneous header names will still be accepted in
2498 requests, but the complete request will be captured in order to permit later
2499 analysis using the "show errors" request on the UNIX stats socket. Doing this
2500 also helps confirming that the issue has been solved.
2501
2502 If this option has been enabled in a "defaults" section, it can be disabled
2503 in a specific instance by prepending the "no" keyword before it.
2504
2505 See also : "option accept-invalid-http-response" and "show errors" on the
2506 stats socket.
2507
2508
2509option accept-invalid-http-response
2510no option accept-invalid-http-response
2511 Enable or disable relaxing of HTTP response parsing
2512 May be used in sections : defaults | frontend | listen | backend
2513 yes | no | yes | yes
2514 Arguments : none
2515
2516 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2517 means that invalid characters in header names are not permitted and cause an
2518 error to be returned to the client. This is the desired behaviour as such
2519 forbidden characters are essentially used to build attacks exploiting server
2520 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2521 server will emit invalid header names for whatever reason (configuration,
2522 implementation) and the issue will not be immediately fixed. In such a case,
2523 it is possible to relax HAProxy's header name parser to accept any character
2524 even if that does not make sense, by specifying this option.
2525
2526 This option should never be enabled by default as it hides application bugs
2527 and open security breaches. It should only be deployed after a problem has
2528 been confirmed.
2529
2530 When this option is enabled, erroneous header names will still be accepted in
2531 responses, but the complete response will be captured in order to permit
2532 later analysis using the "show errors" request on the UNIX stats socket.
2533 Doing this also helps confirming that the issue has been solved.
2534
2535 If this option has been enabled in a "defaults" section, it can be disabled
2536 in a specific instance by prepending the "no" keyword before it.
2537
2538 See also : "option accept-invalid-http-request" and "show errors" on the
2539 stats socket.
2540
2541
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002542option allbackups
2543no option allbackups
2544 Use either all backup servers at a time or only the first one
2545 May be used in sections : defaults | frontend | listen | backend
2546 yes | no | yes | yes
2547 Arguments : none
2548
2549 By default, the first operational backup server gets all traffic when normal
2550 servers are all down. Sometimes, it may be preferred to use multiple backups
2551 at once, because one will not be enough. When "option allbackups" is enabled,
2552 the load balancing will be performed among all backup servers when all normal
2553 ones are unavailable. The same load balancing algorithm will be used and the
2554 servers' weights will be respected. Thus, there will not be any priority
2555 order between the backup servers anymore.
2556
2557 This option is mostly used with static server farms dedicated to return a
2558 "sorry" page when an application is completely offline.
2559
2560 If this option has been enabled in a "defaults" section, it can be disabled
2561 in a specific instance by prepending the "no" keyword before it.
2562
2563
2564option checkcache
2565no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002566 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002567 May be used in sections : defaults | frontend | listen | backend
2568 yes | no | yes | yes
2569 Arguments : none
2570
2571 Some high-level frameworks set application cookies everywhere and do not
2572 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002573 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002574 high risk of session crossing or stealing between users traversing the same
2575 caches. In some situations, it is better to block the response than to let
2576 some sensible session information go in the wild.
2577
2578 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002579 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002580 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002581 response to check if there's a risk of caching a cookie on a client-side
2582 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002583 to the client are :
2584 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002585 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002586 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002587 - all those that come from a POST request, provided that the server has not
2588 set a 'Cache-Control: public' header ;
2589 - those with a 'Pragma: no-cache' header
2590 - those with a 'Cache-control: private' header
2591 - those with a 'Cache-control: no-store' header
2592 - those with a 'Cache-control: max-age=0' header
2593 - those with a 'Cache-control: s-maxage=0' header
2594 - those with a 'Cache-control: no-cache' header
2595 - those with a 'Cache-control: no-cache="set-cookie"' header
2596 - those with a 'Cache-control: no-cache="set-cookie,' header
2597 (allowing other fields after set-cookie)
2598
2599 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002600 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002601 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002602 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002603 that admins are informed that there's something to be fixed.
2604
2605 Due to the high impact on the application, the application should be tested
2606 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002607 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002608 production, as it will report potentially dangerous application behaviours.
2609
2610 If this option has been enabled in a "defaults" section, it can be disabled
2611 in a specific instance by prepending the "no" keyword before it.
2612
2613
2614option clitcpka
2615no option clitcpka
2616 Enable or disable the sending of TCP keepalive packets on the client side
2617 May be used in sections : defaults | frontend | listen | backend
2618 yes | yes | yes | no
2619 Arguments : none
2620
2621 When there is a firewall or any session-aware component between a client and
2622 a server, and when the protocol involves very long sessions with long idle
2623 periods (eg: remote desktops), there is a risk that one of the intermediate
2624 components decides to expire a session which has remained idle for too long.
2625
2626 Enabling socket-level TCP keep-alives makes the system regularly send packets
2627 to the other end of the connection, leaving it active. The delay between
2628 keep-alive probes is controlled by the system only and depends both on the
2629 operating system and its tuning parameters.
2630
2631 It is important to understand that keep-alive packets are neither emitted nor
2632 received at the application level. It is only the network stacks which sees
2633 them. For this reason, even if one side of the proxy already uses keep-alives
2634 to maintain its connection alive, those keep-alive packets will not be
2635 forwarded to the other side of the proxy.
2636
2637 Please note that this has nothing to do with HTTP keep-alive.
2638
2639 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2640 client side of a connection, which should help when session expirations are
2641 noticed between HAProxy and a client.
2642
2643 If this option has been enabled in a "defaults" section, it can be disabled
2644 in a specific instance by prepending the "no" keyword before it.
2645
2646 See also : "option srvtcpka", "option tcpka"
2647
2648
Willy Tarreau0ba27502007-12-24 16:55:16 +01002649option contstats
2650 Enable continuous traffic statistics updates
2651 May be used in sections : defaults | frontend | listen | backend
2652 yes | yes | yes | no
2653 Arguments : none
2654
2655 By default, counters used for statistics calculation are incremented
2656 only when a session finishes. It works quite well when serving small
2657 objects, but with big ones (for example large images or archives) or
2658 with A/V streaming, a graph generated from haproxy counters looks like
2659 a hedgehog. With this option enabled counters get incremented continuously,
2660 during a whole session. Recounting touches a hotpath directly so
2661 it is not enabled by default, as it has small performance impact (~0.5%).
2662
2663
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002664option dontlog-normal
2665no option dontlog-normal
2666 Enable or disable logging of normal, successful connections
2667 May be used in sections : defaults | frontend | listen | backend
2668 yes | yes | yes | no
2669 Arguments : none
2670
2671 There are large sites dealing with several thousand connections per second
2672 and for which logging is a major pain. Some of them are even forced to turn
2673 logs off and cannot debug production issues. Setting this option ensures that
2674 normal connections, those which experience no error, no timeout, no retry nor
2675 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2676 mode, the response status code is checked and return codes 5xx will still be
2677 logged.
2678
2679 It is strongly discouraged to use this option as most of the time, the key to
2680 complex issues is in the normal logs which will not be logged here. If you
2681 need to separate logs, see the "log-separate-errors" option instead.
2682
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002683 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002684 logging.
2685
2686
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002687option dontlognull
2688no option dontlognull
2689 Enable or disable logging of null connections
2690 May be used in sections : defaults | frontend | listen | backend
2691 yes | yes | yes | no
2692 Arguments : none
2693
2694 In certain environments, there are components which will regularly connect to
2695 various systems to ensure that they are still alive. It can be the case from
2696 another load balancer as well as from monitoring systems. By default, even a
2697 simple port probe or scan will produce a log. If those connections pollute
2698 the logs too much, it is possible to enable option "dontlognull" to indicate
2699 that a connection on which no data has been transferred will not be logged,
2700 which typically corresponds to those probes.
2701
2702 It is generally recommended not to use this option in uncontrolled
2703 environments (eg: internet), otherwise scans and other malicious activities
2704 would not be logged.
2705
2706 If this option has been enabled in a "defaults" section, it can be disabled
2707 in a specific instance by prepending the "no" keyword before it.
2708
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002709 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002710
2711
2712option forceclose
2713no option forceclose
2714 Enable or disable active connection closing after response is transferred.
2715 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01002716 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002717 Arguments : none
2718
2719 Some HTTP servers do not necessarily close the connections when they receive
2720 the "Connection: close" set by "option httpclose", and if the client does not
2721 close either, then the connection remains open till the timeout expires. This
2722 causes high number of simultaneous connections on the servers and shows high
2723 global session times in the logs.
2724
2725 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01002726 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002727 to respond. This option implicitly enables the "httpclose" option. Note that
2728 this option also enables the parsing of the full request and response, which
2729 means we can close the connection to the server very quickly, releasing some
2730 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002731
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002732 This option may also be combined with "option http-pretend-keepalive", which
2733 will disable sending of the "Connection: close" header, but will still cause
2734 the connection to be closed once the whole response is received.
2735
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002736 If this option has been enabled in a "defaults" section, it can be disabled
2737 in a specific instance by prepending the "no" keyword before it.
2738
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002739 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002740
2741
Ross Westaf72a1d2008-08-03 10:51:45 +02002742option forwardfor [ except <network> ] [ header <name> ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002743 Enable insertion of the X-Forwarded-For header to requests sent to servers
2744 May be used in sections : defaults | frontend | listen | backend
2745 yes | yes | yes | yes
2746 Arguments :
2747 <network> is an optional argument used to disable this option for sources
2748 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02002749 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01002750 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002751
2752 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2753 their client address. This is sometimes annoying when the client's IP address
2754 is expected in server logs. To solve this problem, the well-known HTTP header
2755 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2756 This header contains a value representing the client's IP address. Since this
2757 header is always appended at the end of the existing header list, the server
2758 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02002759 the server's manual to find how to enable use of this standard header. Note
2760 that only the last occurrence of the header must be used, since it is really
2761 possible that the client has already brought one.
2762
Willy Tarreaud72758d2010-01-12 10:42:19 +01002763 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02002764 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01002765 have a "X-Forwarded-For" header from a different application (eg: stunnel),
2766 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02002767 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2768 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01002769
2770 Sometimes, a same HAProxy instance may be shared between a direct client
2771 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2772 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2773 header for a known source address or network by adding the "except" keyword
2774 followed by the network address. In this case, any source IP matching the
2775 network will not cause an addition of this header. Most common uses are with
2776 private networks or 127.0.0.1.
2777
2778 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02002779 least one of them uses it, the header will be added. Note that the backend's
2780 setting of the header subargument takes precedence over the frontend's if
2781 both are defined.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002782
2783 It is important to note that as long as HAProxy does not support keep-alive
2784 connections, only the first request of a connection will receive the header.
2785 For this reason, it is important to ensure that "option httpclose" is set
2786 when using this option.
2787
Ross Westaf72a1d2008-08-03 10:51:45 +02002788 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01002789 # Public HTTP address also used by stunnel on the same machine
2790 frontend www
2791 mode http
2792 option forwardfor except 127.0.0.1 # stunnel already adds the header
2793
Ross Westaf72a1d2008-08-03 10:51:45 +02002794 # Those servers want the IP Address in X-Client
2795 backend www
2796 mode http
2797 option forwardfor header X-Client
2798
Willy Tarreauc27debf2008-01-06 08:57:02 +01002799 See also : "option httpclose"
2800
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002801
2802option http-pretend-keepalive
2803no option http-pretend-keepalive
2804 Define whether haproxy will announce keepalive to the server or not
2805 May be used in sections : defaults | frontend | listen | backend
2806 yes | yes | yes | yes
2807 Arguments : none
2808
2809 When running with "option http-server-close" or "option forceclose", haproxy
2810 adds a "Connection: close" header to the request forwarded to the server.
2811 Unfortunately, when some servers see this header, they automatically refrain
2812 from using the chunked encoding for responses of unknown length, while this
2813 is totally unrelated. The immediate effect is that this prevents haproxy from
2814 maintaining the client connection alive. A second effect is that a client or
2815 a cache could receive an incomplete response without being aware of it, and
2816 consider the response complete.
2817
2818 By setting "option http-pretend-keepalive", haproxy will make the server
2819 believe it will keep the connection alive. The server will then not fall back
2820 to the abnormal undesired above. When haproxy gets the whole response, it
2821 will close the connection with the server just as it would do with the
2822 "forceclose" option. That way the client gets a normal response and the
2823 connection is correctly closed on the server side.
2824
2825 It is recommended not to enable this option by default, because most servers
2826 will more efficiently close the connection themselves after the last packet,
2827 and release its buffers slightly earlier. Also, the added packet on the
2828 network could slightly reduce the overall peak performance. However it is
2829 worth noting that when this option is enabled, haproxy will have slightly
2830 less work to do. So if haproxy is the bottleneck on the whole architecture,
2831 enabling this option might save a few CPU cycles.
2832
2833 This option may be set both in a frontend and in a backend. It is enabled if
2834 at least one of the frontend or backend holding a connection has it enabled.
2835 This option has no effect if it is combined with "option httpclose", which
2836 has precedence.
2837
2838 If this option has been enabled in a "defaults" section, it can be disabled
2839 in a specific instance by prepending the "no" keyword before it.
2840
2841 See also : "option forceclose" and "option http-server-close"
2842
Willy Tarreauc27debf2008-01-06 08:57:02 +01002843
Willy Tarreaub608feb2010-01-02 22:47:18 +01002844option http-server-close
2845no option http-server-close
2846 Enable or disable HTTP connection closing on the server side
2847 May be used in sections : defaults | frontend | listen | backend
2848 yes | yes | yes | yes
2849 Arguments : none
2850
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002851 By default, when a client communicates with a server, HAProxy will only
2852 analyze, log, and process the first request of each connection. Setting
2853 "option http-server-close" enables HTTP connection-close mode on the server
2854 side while keeping the ability to support HTTP keep-alive and pipelining on
2855 the client side. This provides the lowest latency on the client side (slow
2856 network) and the fastest session reuse on the server side to save server
2857 resources, similarly to "option forceclose". It also permits non-keepalive
2858 capable servers to be served in keep-alive mode to the clients if they
2859 conform to the requirements of RFC2616. Please note that some servers do not
2860 always conform to those requirements when they see "Connection: close" in the
2861 request. The effect will be that keep-alive will never be used. A workaround
2862 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002863
2864 At the moment, logs will not indicate whether requests came from the same
2865 session or not. The accept date reported in the logs corresponds to the end
2866 of the previous request, and the request time corresponds to the time spent
2867 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01002868 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2869 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01002870
2871 This option may be set both in a frontend and in a backend. It is enabled if
2872 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002873 It is worth noting that "option forceclose" has precedence over "option
2874 http-server-close" and that combining "http-server-close" with "httpclose"
2875 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002876
2877 If this option has been enabled in a "defaults" section, it can be disabled
2878 in a specific instance by prepending the "no" keyword before it.
2879
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002880 See also : "option forceclose", "option http-pretend-keepalive",
2881 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002882
2883
Willy Tarreau88d349d2010-01-25 12:15:43 +01002884option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01002885no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01002886 Make use of non-standard Proxy-Connection header instead of Connection
2887 May be used in sections : defaults | frontend | listen | backend
2888 yes | yes | yes | no
2889 Arguments : none
2890
2891 While RFC2616 explicitly states that HTTP/1.1 agents must use the
2892 Connection header to indicate their wish of persistent or non-persistent
2893 connections, both browsers and proxies ignore this header for proxied
2894 connections and make use of the undocumented, non-standard Proxy-Connection
2895 header instead. The issue begins when trying to put a load balancer between
2896 browsers and such proxies, because there will be a difference between what
2897 haproxy understands and what the client and the proxy agree on.
2898
2899 By setting this option in a frontend, haproxy can automatically switch to use
2900 that non-standard header if it sees proxied requests. A proxied request is
2901 defined here as one where the URI begins with neither a '/' nor a '*'. The
2902 choice of header only affects requests passing through proxies making use of
2903 one of the "httpclose", "forceclose" and "http-server-close" options. Note
2904 that this option can only be specified in a frontend and will affect the
2905 request along its whole life.
2906
Willy Tarreau844a7e72010-01-31 21:46:18 +01002907 Also, when this option is set, a request which requires authentication will
2908 automatically switch to use proxy authentication headers if it is itself a
2909 proxied request. That makes it possible to check or enforce authentication in
2910 front of an existing proxy.
2911
Willy Tarreau88d349d2010-01-25 12:15:43 +01002912 This option should normally never be used, except in front of a proxy.
2913
2914 See also : "option httpclose", "option forceclose" and "option
2915 http-server-close".
2916
2917
Willy Tarreaud63335a2010-02-26 12:56:52 +01002918option httpchk
2919option httpchk <uri>
2920option httpchk <method> <uri>
2921option httpchk <method> <uri> <version>
2922 Enable HTTP protocol to check on the servers health
2923 May be used in sections : defaults | frontend | listen | backend
2924 yes | no | yes | yes
2925 Arguments :
2926 <method> is the optional HTTP method used with the requests. When not set,
2927 the "OPTIONS" method is used, as it generally requires low server
2928 processing and is easy to filter out from the logs. Any method
2929 may be used, though it is not recommended to invent non-standard
2930 ones.
2931
2932 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
2933 which is accessible by default on almost any server, but may be
2934 changed to any other URI. Query strings are permitted.
2935
2936 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
2937 but some servers might behave incorrectly in HTTP 1.0, so turning
2938 it to HTTP/1.1 may sometimes help. Note that the Host field is
2939 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
2940 after "\r\n" following the version string.
2941
2942 By default, server health checks only consist in trying to establish a TCP
2943 connection. When "option httpchk" is specified, a complete HTTP request is
2944 sent once the TCP connection is established, and responses 2xx and 3xx are
2945 considered valid, while all other ones indicate a server failure, including
2946 the lack of any response.
2947
2948 The port and interval are specified in the server configuration.
2949
2950 This option does not necessarily require an HTTP backend, it also works with
2951 plain TCP backends. This is particularly useful to check simple scripts bound
2952 to some dedicated ports using the inetd daemon.
2953
2954 Examples :
2955 # Relay HTTPS traffic to Apache instance and check service availability
2956 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
2957 backend https_relay
2958 mode tcp
2959 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
2960 server apache1 192.168.1.1:443 check port 80
2961
2962 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
2963 "http-check" and the "check", "port" and "inter" server options.
2964
2965
Willy Tarreauc27debf2008-01-06 08:57:02 +01002966option httpclose
2967no option httpclose
2968 Enable or disable passive HTTP connection closing
2969 May be used in sections : defaults | frontend | listen | backend
2970 yes | yes | yes | yes
2971 Arguments : none
2972
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002973 By default, when a client communicates with a server, HAProxy will only
2974 analyze, log, and process the first request of each connection. If "option
2975 httpclose" is set, it will check if a "Connection: close" header is already
2976 set in each direction, and will add one if missing. Each end should react to
2977 this by actively closing the TCP connection after each transfer, thus
2978 resulting in a switch to the HTTP close mode. Any "Connection" header
2979 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002980
2981 It seldom happens that some servers incorrectly ignore this header and do not
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002982 close the connection eventhough they reply "Connection: close". For this
2983 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2984 it is possible to use the "option forceclose" which actively closes the
2985 request connection once the server responds. Option "forceclose" also
2986 releases the server connection earlier because it does not have to wait for
2987 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002988
2989 This option may be set both in a frontend and in a backend. It is enabled if
2990 at least one of the frontend or backend holding a connection has it enabled.
2991 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002992 If "option http-server-close" is enabled at the same time as "httpclose", it
2993 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01002994
2995 If this option has been enabled in a "defaults" section, it can be disabled
2996 in a specific instance by prepending the "no" keyword before it.
2997
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002998 See also : "option forceclose", "option http-server-close" and
2999 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003000
3001
Emeric Brun3a058f32009-06-30 18:26:00 +02003002option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003003 Enable logging of HTTP request, session state and timers
3004 May be used in sections : defaults | frontend | listen | backend
3005 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003006 Arguments :
3007 clf if the "clf" argument is added, then the output format will be
3008 the CLF format instead of HAProxy's default HTTP format. You can
3009 use this when you need to feed HAProxy's logs through a specific
3010 log analyser which only support the CLF format and which is not
3011 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003012
3013 By default, the log output format is very poor, as it only contains the
3014 source and destination addresses, and the instance name. By specifying
3015 "option httplog", each log line turns into a much richer format including,
3016 but not limited to, the HTTP request, the connection timers, the session
3017 status, the connections numbers, the captured headers and cookies, the
3018 frontend, backend and server name, and of course the source address and
3019 ports.
3020
3021 This option may be set either in the frontend or the backend.
3022
Emeric Brun3a058f32009-06-30 18:26:00 +02003023 If this option has been enabled in a "defaults" section, it can be disabled
3024 in a specific instance by prepending the "no" keyword before it. Specifying
3025 only "option httplog" will automatically clear the 'clf' mode if it was set
3026 by default.
3027
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003028 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003029
Willy Tarreau55165fe2009-05-10 12:02:55 +02003030
3031option http_proxy
3032no option http_proxy
3033 Enable or disable plain HTTP proxy mode
3034 May be used in sections : defaults | frontend | listen | backend
3035 yes | yes | yes | yes
3036 Arguments : none
3037
3038 It sometimes happens that people need a pure HTTP proxy which understands
3039 basic proxy requests without caching nor any fancy feature. In this case,
3040 it may be worth setting up an HAProxy instance with the "option http_proxy"
3041 set. In this mode, no server is declared, and the connection is forwarded to
3042 the IP address and port found in the URL after the "http://" scheme.
3043
3044 No host address resolution is performed, so this only works when pure IP
3045 addresses are passed. Since this option's usage perimeter is rather limited,
3046 it will probably be used only by experts who know they need exactly it. Last,
3047 if the clients are susceptible of sending keep-alive requests, it will be
3048 needed to add "option http_close" to ensure that all requests will correctly
3049 be analyzed.
3050
3051 If this option has been enabled in a "defaults" section, it can be disabled
3052 in a specific instance by prepending the "no" keyword before it.
3053
3054 Example :
3055 # this backend understands HTTP proxy requests and forwards them directly.
3056 backend direct_forward
3057 option httpclose
3058 option http_proxy
3059
3060 See also : "option httpclose"
3061
Willy Tarreau211ad242009-10-03 21:45:07 +02003062
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02003063option ignore-persist { if | unless } <condition>
3064 Declare a condition to ignore persistence
3065 May be used in sections: defaults | frontend | listen | backend
3066 no | yes | yes | yes
3067
3068 By default, when cookie persistence is enabled, every requests containing
3069 the cookie are unconditionally persistent (assuming the target server is up
3070 and running).
3071
3072 The "ignore-persist" statement allows one to declare various ACL-based
3073 conditions which, when met, will cause a request to ignore persistence.
3074 This is sometimes useful to load balance requests for static files, which
3075 oftenly don't require persistence. This can also be used to fully disable
3076 persistence for a specific User-Agent (for example, some web crawler bots).
3077
3078 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3079 the appsession table won't grow if persistence is ignored.
3080
3081 The persistence is ignored when an "if" condition is met, or unless an
3082 "unless" condition is met.
3083
3084 See also : "option force-persist", "cookie", and section 7 about ACL usage.
3085
3086
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003087option independant-streams
3088no option independant-streams
3089 Enable or disable independant timeout processing for both directions
3090 May be used in sections : defaults | frontend | listen | backend
3091 yes | yes | yes | yes
3092 Arguments : none
3093
3094 By default, when data is sent over a socket, both the write timeout and the
3095 read timeout for that socket are refreshed, because we consider that there is
3096 activity on that socket, and we have no other means of guessing if we should
3097 receive data or not.
3098
3099 While this default behaviour is desirable for almost all applications, there
3100 exists a situation where it is desirable to disable it, and only refresh the
3101 read timeout if there are incoming data. This happens on sessions with large
3102 timeouts and low amounts of exchanged data such as telnet session. If the
3103 server suddenly disappears, the output data accumulates in the system's
3104 socket buffers, both timeouts are correctly refreshed, and there is no way
3105 to know the server does not receive them, so we don't timeout. However, when
3106 the underlying protocol always echoes sent data, it would be enough by itself
3107 to detect the issue using the read timeout. Note that this problem does not
3108 happen with more verbose protocols because data won't accumulate long in the
3109 socket buffers.
3110
3111 When this option is set on the frontend, it will disable read timeout updates
3112 on data sent to the client. There probably is little use of this case. When
3113 the option is set on the backend, it will disable read timeout updates on
3114 data sent to the server. Doing so will typically break large HTTP posts from
3115 slow lines, so use it with caution.
3116
3117 See also : "timeout client" and "timeout server"
3118
3119
Willy Tarreau211ad242009-10-03 21:45:07 +02003120option log-health-checks
3121no option log-health-checks
3122 Enable or disable logging of health checks
3123 May be used in sections : defaults | frontend | listen | backend
3124 yes | no | yes | yes
3125 Arguments : none
3126
3127 Enable health checks logging so it possible to check for example what
3128 was happening before a server crash. Failed health check are logged if
3129 server is UP and succeeded health checks if server is DOWN, so the amount
3130 of additional information is limited.
3131
3132 If health check logging is enabled no health check status is printed
3133 when servers is set up UP/DOWN/ENABLED/DISABLED.
3134
3135 See also: "log" and section 8 about logging.
3136
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003137
3138option log-separate-errors
3139no option log-separate-errors
3140 Change log level for non-completely successful connections
3141 May be used in sections : defaults | frontend | listen | backend
3142 yes | yes | yes | no
3143 Arguments : none
3144
3145 Sometimes looking for errors in logs is not easy. This option makes haproxy
3146 raise the level of logs containing potentially interesting information such
3147 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3148 level changes from "info" to "err". This makes it possible to log them
3149 separately to a different file with most syslog daemons. Be careful not to
3150 remove them from the original file, otherwise you would lose ordering which
3151 provides very important information.
3152
3153 Using this option, large sites dealing with several thousand connections per
3154 second may log normal traffic to a rotating buffer and only archive smaller
3155 error logs.
3156
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003157 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003158 logging.
3159
Willy Tarreauc27debf2008-01-06 08:57:02 +01003160
3161option logasap
3162no option logasap
3163 Enable or disable early logging of HTTP requests
3164 May be used in sections : defaults | frontend | listen | backend
3165 yes | yes | yes | no
3166 Arguments : none
3167
3168 By default, HTTP requests are logged upon termination so that the total
3169 transfer time and the number of bytes appear in the logs. When large objects
3170 are being transferred, it may take a while before the request appears in the
3171 logs. Using "option logasap", the request gets logged as soon as the server
3172 sends the complete headers. The only missing information in the logs will be
3173 the total number of bytes which will indicate everything except the amount
3174 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003175 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003176 "Content-Length" response header so that the logs at least indicate how many
3177 bytes are expected to be transferred.
3178
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003179 Examples :
3180 listen http_proxy 0.0.0.0:80
3181 mode http
3182 option httplog
3183 option logasap
3184 log 192.168.2.200 local3
3185
3186 >>> Feb 6 12:14:14 localhost \
3187 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3188 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3189 "GET /image.iso HTTP/1.0"
3190
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003191 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003192 logging.
3193
3194
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003195option mysql-check
3196 Use Mysql health checks for server testing
3197 May be used in sections : defaults | frontend | listen | backend
3198 yes | no | yes | yes
3199 Arguments : none
3200
3201 The check consists in parsing Mysql Handshake Initialisation packet or Error
3202 packet, which is sent by MySQL server on connect. It is a basic but useful
3203 test which does not produce any logging on the server. However, it does not
3204 check database presence nor database consistency, nor user permission to
3205 access. To do this, you can use an external check with xinetd for example.
3206
3207 Most often, an incoming MySQL server needs to see the client's IP address for
3208 various purposes, including IP privilege matching and connection logging.
3209 When possible, it is often wise to masquerade the client's IP address when
3210 connecting to the server using the "usesrc" argument of the "source" keyword,
3211 which requires the cttproxy feature to be compiled in, and the MySQL server
3212 to route the client via the machine hosting haproxy.
3213
3214 See also: "option httpchk"
3215
3216
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003217option nolinger
3218no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003219 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003220 May be used in sections: defaults | frontend | listen | backend
3221 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003222 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003223
3224 When clients or servers abort connections in a dirty way (eg: they are
3225 physically disconnected), the session timeouts triggers and the session is
3226 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3227 using some resources and possibly limiting the ability to establish newer
3228 connections.
3229
3230 When this happens, it is possible to activate "option nolinger" which forces
3231 the system to immediately remove any socket's pending data on close. Thus,
3232 the session is instantly purged from the system's tables. This usually has
3233 side effects such as increased number of TCP resets due to old retransmits
3234 getting immediately rejected. Some firewalls may sometimes complain about
3235 this too.
3236
3237 For this reason, it is not recommended to use this option when not absolutely
3238 needed. You know that you need it when you have thousands of FIN_WAIT1
3239 sessions on your system (TIME_WAIT ones do not count).
3240
3241 This option may be used both on frontends and backends, depending on the side
3242 where it is required. Use it on the frontend for clients, and on the backend
3243 for servers.
3244
3245 If this option has been enabled in a "defaults" section, it can be disabled
3246 in a specific instance by prepending the "no" keyword before it.
3247
3248
Willy Tarreau55165fe2009-05-10 12:02:55 +02003249option originalto [ except <network> ] [ header <name> ]
3250 Enable insertion of the X-Original-To header to requests sent to servers
3251 May be used in sections : defaults | frontend | listen | backend
3252 yes | yes | yes | yes
3253 Arguments :
3254 <network> is an optional argument used to disable this option for sources
3255 matching <network>
3256 <name> an optional argument to specify a different "X-Original-To"
3257 header name.
3258
3259 Since HAProxy can work in transparent mode, every request from a client can
3260 be redirected to the proxy and HAProxy itself can proxy every request to a
3261 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3262 be lost. This is annoying when you want access rules based on destination ip
3263 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3264 added by HAProxy to all requests sent to the server. This header contains a
3265 value representing the original destination IP address. Since this must be
3266 configured to always use the last occurrence of this header only. Note that
3267 only the last occurrence of the header must be used, since it is really
3268 possible that the client has already brought one.
3269
3270 The keyword "header" may be used to supply a different header name to replace
3271 the default "X-Original-To". This can be useful where you might already
3272 have a "X-Original-To" header from a different application, and you need
3273 preserve it. Also if your backend server doesn't use the "X-Original-To"
3274 header and requires different one.
3275
3276 Sometimes, a same HAProxy instance may be shared between a direct client
3277 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3278 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3279 header for a known source address or network by adding the "except" keyword
3280 followed by the network address. In this case, any source IP matching the
3281 network will not cause an addition of this header. Most common uses are with
3282 private networks or 127.0.0.1.
3283
3284 This option may be specified either in the frontend or in the backend. If at
3285 least one of them uses it, the header will be added. Note that the backend's
3286 setting of the header subargument takes precedence over the frontend's if
3287 both are defined.
3288
3289 It is important to note that as long as HAProxy does not support keep-alive
3290 connections, only the first request of a connection will receive the header.
3291 For this reason, it is important to ensure that "option httpclose" is set
3292 when using this option.
3293
3294 Examples :
3295 # Original Destination address
3296 frontend www
3297 mode http
3298 option originalto except 127.0.0.1
3299
3300 # Those servers want the IP Address in X-Client-Dst
3301 backend www
3302 mode http
3303 option originalto header X-Client-Dst
3304
3305 See also : "option httpclose"
3306
3307
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003308option persist
3309no option persist
3310 Enable or disable forced persistence on down servers
3311 May be used in sections: defaults | frontend | listen | backend
3312 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003313 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003314
3315 When an HTTP request reaches a backend with a cookie which references a dead
3316 server, by default it is redispatched to another server. It is possible to
3317 force the request to be sent to the dead server first using "option persist"
3318 if absolutely needed. A common use case is when servers are under extreme
3319 load and spend their time flapping. In this case, the users would still be
3320 directed to the server they opened the session on, in the hope they would be
3321 correctly served. It is recommended to use "option redispatch" in conjunction
3322 with this option so that in the event it would not be possible to connect to
3323 the server at all (server definitely dead), the client would finally be
3324 redirected to another valid server.
3325
3326 If this option has been enabled in a "defaults" section, it can be disabled
3327 in a specific instance by prepending the "no" keyword before it.
3328
Willy Tarreau4de91492010-01-22 19:10:05 +01003329 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003330
3331
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003332option redispatch
3333no option redispatch
3334 Enable or disable session redistribution in case of connection failure
3335 May be used in sections: defaults | frontend | listen | backend
3336 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003337 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003338
3339 In HTTP mode, if a server designated by a cookie is down, clients may
3340 definitely stick to it because they cannot flush the cookie, so they will not
3341 be able to access the service anymore.
3342
3343 Specifying "option redispatch" will allow the proxy to break their
3344 persistence and redistribute them to a working server.
3345
3346 It also allows to retry last connection to another server in case of multiple
3347 connection failures. Of course, it requires having "retries" set to a nonzero
3348 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003349
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003350 This form is the preferred form, which replaces both the "redispatch" and
3351 "redisp" keywords.
3352
3353 If this option has been enabled in a "defaults" section, it can be disabled
3354 in a specific instance by prepending the "no" keyword before it.
3355
Willy Tarreau4de91492010-01-22 19:10:05 +01003356 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003357
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003358
3359option smtpchk
3360option smtpchk <hello> <domain>
3361 Use SMTP health checks for server testing
3362 May be used in sections : defaults | frontend | listen | backend
3363 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003364 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003365 <hello> is an optional argument. It is the "hello" command to use. It can
3366 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3367 values will be turned into the default command ("HELO").
3368
3369 <domain> is the domain name to present to the server. It may only be
3370 specified (and is mandatory) if the hello command has been
3371 specified. By default, "localhost" is used.
3372
3373 When "option smtpchk" is set, the health checks will consist in TCP
3374 connections followed by an SMTP command. By default, this command is
3375 "HELO localhost". The server's return code is analyzed and only return codes
3376 starting with a "2" will be considered as valid. All other responses,
3377 including a lack of response will constitute an error and will indicate a
3378 dead server.
3379
3380 This test is meant to be used with SMTP servers or relays. Depending on the
3381 request, it is possible that some servers do not log each connection attempt,
3382 so you may want to experiment to improve the behaviour. Using telnet on port
3383 25 is often easier than adjusting the configuration.
3384
3385 Most often, an incoming SMTP server needs to see the client's IP address for
3386 various purposes, including spam filtering, anti-spoofing and logging. When
3387 possible, it is often wise to masquerade the client's IP address when
3388 connecting to the server using the "usesrc" argument of the "source" keyword,
3389 which requires the cttproxy feature to be compiled in.
3390
3391 Example :
3392 option smtpchk HELO mydomain.org
3393
3394 See also : "option httpchk", "source"
3395
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003396
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003397option socket-stats
3398no option socket-stats
3399
3400 Enable or disable collecting & providing separate statistics for each socket.
3401 May be used in sections : defaults | frontend | listen | backend
3402 yes | yes | yes | no
3403
3404 Arguments : none
3405
3406
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003407option splice-auto
3408no option splice-auto
3409 Enable or disable automatic kernel acceleration on sockets in both directions
3410 May be used in sections : defaults | frontend | listen | backend
3411 yes | yes | yes | yes
3412 Arguments : none
3413
3414 When this option is enabled either on a frontend or on a backend, haproxy
3415 will automatically evaluate the opportunity to use kernel tcp splicing to
3416 forward data between the client and the server, in either direction. Haproxy
3417 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003418 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003419 are not much aggressive in order to limit excessive use of splicing. This
3420 option requires splicing to be enabled at compile time, and may be globally
3421 disabled with the global option "nosplice". Since splice uses pipes, using it
3422 requires that there are enough spare pipes.
3423
3424 Important note: kernel-based TCP splicing is a Linux-specific feature which
3425 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3426 transfer data between sockets without copying these data to user-space, thus
3427 providing noticeable performance gains and CPU cycles savings. Since many
3428 early implementations are buggy, corrupt data and/or are inefficient, this
3429 feature is not enabled by default, and it should be used with extreme care.
3430 While it is not possible to detect the correctness of an implementation,
3431 2.6.29 is the first version offering a properly working implementation. In
3432 case of doubt, splicing may be globally disabled using the global "nosplice"
3433 keyword.
3434
3435 Example :
3436 option splice-auto
3437
3438 If this option has been enabled in a "defaults" section, it can be disabled
3439 in a specific instance by prepending the "no" keyword before it.
3440
3441 See also : "option splice-request", "option splice-response", and global
3442 options "nosplice" and "maxpipes"
3443
3444
3445option splice-request
3446no option splice-request
3447 Enable or disable automatic kernel acceleration on sockets for requests
3448 May be used in sections : defaults | frontend | listen | backend
3449 yes | yes | yes | yes
3450 Arguments : none
3451
3452 When this option is enabled either on a frontend or on a backend, haproxy
3453 will user kernel tcp splicing whenever possible to forward data going from
3454 the client to the server. It might still use the recv/send scheme if there
3455 are no spare pipes left. This option requires splicing to be enabled at
3456 compile time, and may be globally disabled with the global option "nosplice".
3457 Since splice uses pipes, using it requires that there are enough spare pipes.
3458
3459 Important note: see "option splice-auto" for usage limitations.
3460
3461 Example :
3462 option splice-request
3463
3464 If this option has been enabled in a "defaults" section, it can be disabled
3465 in a specific instance by prepending the "no" keyword before it.
3466
3467 See also : "option splice-auto", "option splice-response", and global options
3468 "nosplice" and "maxpipes"
3469
3470
3471option splice-response
3472no option splice-response
3473 Enable or disable automatic kernel acceleration on sockets for responses
3474 May be used in sections : defaults | frontend | listen | backend
3475 yes | yes | yes | yes
3476 Arguments : none
3477
3478 When this option is enabled either on a frontend or on a backend, haproxy
3479 will user kernel tcp splicing whenever possible to forward data going from
3480 the server to the client. It might still use the recv/send scheme if there
3481 are no spare pipes left. This option requires splicing to be enabled at
3482 compile time, and may be globally disabled with the global option "nosplice".
3483 Since splice uses pipes, using it requires that there are enough spare pipes.
3484
3485 Important note: see "option splice-auto" for usage limitations.
3486
3487 Example :
3488 option splice-response
3489
3490 If this option has been enabled in a "defaults" section, it can be disabled
3491 in a specific instance by prepending the "no" keyword before it.
3492
3493 See also : "option splice-auto", "option splice-request", and global options
3494 "nosplice" and "maxpipes"
3495
3496
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003497option srvtcpka
3498no option srvtcpka
3499 Enable or disable the sending of TCP keepalive packets on the server side
3500 May be used in sections : defaults | frontend | listen | backend
3501 yes | no | yes | yes
3502 Arguments : none
3503
3504 When there is a firewall or any session-aware component between a client and
3505 a server, and when the protocol involves very long sessions with long idle
3506 periods (eg: remote desktops), there is a risk that one of the intermediate
3507 components decides to expire a session which has remained idle for too long.
3508
3509 Enabling socket-level TCP keep-alives makes the system regularly send packets
3510 to the other end of the connection, leaving it active. The delay between
3511 keep-alive probes is controlled by the system only and depends both on the
3512 operating system and its tuning parameters.
3513
3514 It is important to understand that keep-alive packets are neither emitted nor
3515 received at the application level. It is only the network stacks which sees
3516 them. For this reason, even if one side of the proxy already uses keep-alives
3517 to maintain its connection alive, those keep-alive packets will not be
3518 forwarded to the other side of the proxy.
3519
3520 Please note that this has nothing to do with HTTP keep-alive.
3521
3522 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
3523 server side of a connection, which should help when session expirations are
3524 noticed between HAProxy and a server.
3525
3526 If this option has been enabled in a "defaults" section, it can be disabled
3527 in a specific instance by prepending the "no" keyword before it.
3528
3529 See also : "option clitcpka", "option tcpka"
3530
3531
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003532option ssl-hello-chk
3533 Use SSLv3 client hello health checks for server testing
3534 May be used in sections : defaults | frontend | listen | backend
3535 yes | no | yes | yes
3536 Arguments : none
3537
3538 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
3539 possible to test that the server correctly talks SSL instead of just testing
3540 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
3541 SSLv3 client hello messages are sent once the connection is established to
3542 the server, and the response is analyzed to find an SSL server hello message.
3543 The server is considered valid only when the response contains this server
3544 hello message.
3545
3546 All servers tested till there correctly reply to SSLv3 client hello messages,
3547 and most servers tested do not even log the requests containing only hello
3548 messages, which is appreciable.
3549
3550 See also: "option httpchk"
3551
3552
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003553option tcp-smart-accept
3554no option tcp-smart-accept
3555 Enable or disable the saving of one ACK packet during the accept sequence
3556 May be used in sections : defaults | frontend | listen | backend
3557 yes | yes | yes | no
3558 Arguments : none
3559
3560 When an HTTP connection request comes in, the system acknowledges it on
3561 behalf of HAProxy, then the client immediately sends its request, and the
3562 system acknowledges it too while it is notifying HAProxy about the new
3563 connection. HAProxy then reads the request and responds. This means that we
3564 have one TCP ACK sent by the system for nothing, because the request could
3565 very well be acknowledged by HAProxy when it sends its response.
3566
3567 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
3568 sending this useless ACK on platforms which support it (currently at least
3569 Linux). It must not cause any problem, because the system will send it anyway
3570 after 40 ms if the response takes more time than expected to come.
3571
3572 During complex network debugging sessions, it may be desirable to disable
3573 this optimization because delayed ACKs can make troubleshooting more complex
3574 when trying to identify where packets are delayed. It is then possible to
3575 fall back to normal behaviour by specifying "no option tcp-smart-accept".
3576
3577 It is also possible to force it for non-HTTP proxies by simply specifying
3578 "option tcp-smart-accept". For instance, it can make sense with some services
3579 such as SMTP where the server speaks first.
3580
3581 It is recommended to avoid forcing this option in a defaults section. In case
3582 of doubt, consider setting it back to automatic values by prepending the
3583 "default" keyword before it, or disabling it using the "no" keyword.
3584
Willy Tarreaud88edf22009-06-14 15:48:17 +02003585 See also : "option tcp-smart-connect"
3586
3587
3588option tcp-smart-connect
3589no option tcp-smart-connect
3590 Enable or disable the saving of one ACK packet during the connect sequence
3591 May be used in sections : defaults | frontend | listen | backend
3592 yes | no | yes | yes
3593 Arguments : none
3594
3595 On certain systems (at least Linux), HAProxy can ask the kernel not to
3596 immediately send an empty ACK upon a connection request, but to directly
3597 send the buffer request instead. This saves one packet on the network and
3598 thus boosts performance. It can also be useful for some servers, because they
3599 immediately get the request along with the incoming connection.
3600
3601 This feature is enabled when "option tcp-smart-connect" is set in a backend.
3602 It is not enabled by default because it makes network troubleshooting more
3603 complex.
3604
3605 It only makes sense to enable it with protocols where the client speaks first
3606 such as HTTP. In other situations, if there is no data to send in place of
3607 the ACK, a normal ACK is sent.
3608
3609 If this option has been enabled in a "defaults" section, it can be disabled
3610 in a specific instance by prepending the "no" keyword before it.
3611
3612 See also : "option tcp-smart-accept"
3613
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003614
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003615option tcpka
3616 Enable or disable the sending of TCP keepalive packets on both sides
3617 May be used in sections : defaults | frontend | listen | backend
3618 yes | yes | yes | yes
3619 Arguments : none
3620
3621 When there is a firewall or any session-aware component between a client and
3622 a server, and when the protocol involves very long sessions with long idle
3623 periods (eg: remote desktops), there is a risk that one of the intermediate
3624 components decides to expire a session which has remained idle for too long.
3625
3626 Enabling socket-level TCP keep-alives makes the system regularly send packets
3627 to the other end of the connection, leaving it active. The delay between
3628 keep-alive probes is controlled by the system only and depends both on the
3629 operating system and its tuning parameters.
3630
3631 It is important to understand that keep-alive packets are neither emitted nor
3632 received at the application level. It is only the network stacks which sees
3633 them. For this reason, even if one side of the proxy already uses keep-alives
3634 to maintain its connection alive, those keep-alive packets will not be
3635 forwarded to the other side of the proxy.
3636
3637 Please note that this has nothing to do with HTTP keep-alive.
3638
3639 Using option "tcpka" enables the emission of TCP keep-alive probes on both
3640 the client and server sides of a connection. Note that this is meaningful
3641 only in "defaults" or "listen" sections. If this option is used in a
3642 frontend, only the client side will get keep-alives, and if this option is
3643 used in a backend, only the server side will get keep-alives. For this
3644 reason, it is strongly recommended to explicitly use "option clitcpka" and
3645 "option srvtcpka" when the configuration is split between frontends and
3646 backends.
3647
3648 See also : "option clitcpka", "option srvtcpka"
3649
Willy Tarreau844e3c52008-01-11 16:28:18 +01003650
3651option tcplog
3652 Enable advanced logging of TCP connections with session state and timers
3653 May be used in sections : defaults | frontend | listen | backend
3654 yes | yes | yes | yes
3655 Arguments : none
3656
3657 By default, the log output format is very poor, as it only contains the
3658 source and destination addresses, and the instance name. By specifying
3659 "option tcplog", each log line turns into a much richer format including, but
3660 not limited to, the connection timers, the session status, the connections
3661 numbers, the frontend, backend and server name, and of course the source
3662 address and ports. This option is useful for pure TCP proxies in order to
3663 find which of the client or server disconnects or times out. For normal HTTP
3664 proxies, it's better to use "option httplog" which is even more complete.
3665
3666 This option may be set either in the frontend or the backend.
3667
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003668 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003669
3670
Willy Tarreau844e3c52008-01-11 16:28:18 +01003671option transparent
3672no option transparent
3673 Enable client-side transparent proxying
3674 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01003675 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01003676 Arguments : none
3677
3678 This option was introduced in order to provide layer 7 persistence to layer 3
3679 load balancers. The idea is to use the OS's ability to redirect an incoming
3680 connection for a remote address to a local process (here HAProxy), and let
3681 this process know what address was initially requested. When this option is
3682 used, sessions without cookies will be forwarded to the original destination
3683 IP address of the incoming request (which should match that of another
3684 equipment), while requests with cookies will still be forwarded to the
3685 appropriate server.
3686
3687 Note that contrary to a common belief, this option does NOT make HAProxy
3688 present the client's IP to the server when establishing the connection.
3689
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003690 See also: the "usersrc" argument of the "source" keyword, and the
3691 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003692
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003693
Emeric Brun647caf12009-06-30 17:57:00 +02003694persist rdp-cookie
3695persist rdp-cookie(name)
3696 Enable RDP cookie-based persistence
3697 May be used in sections : defaults | frontend | listen | backend
3698 yes | no | yes | yes
3699 Arguments :
3700 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02003701 default cookie name "msts" will be used. There currently is no
3702 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02003703
3704 This statement enables persistence based on an RDP cookie. The RDP cookie
3705 contains all information required to find the server in the list of known
3706 servers. So when this option is set in the backend, the request is analysed
3707 and if an RDP cookie is found, it is decoded. If it matches a known server
3708 which is still UP (or if "option persist" is set), then the connection is
3709 forwarded to this server.
3710
3711 Note that this only makes sense in a TCP backend, but for this to work, the
3712 frontend must have waited long enough to ensure that an RDP cookie is present
3713 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003714 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02003715 a single "listen" section.
3716
Willy Tarreau61e28f22010-05-16 22:31:05 +02003717 Also, it is important to understand that the terminal server will emit this
3718 RDP cookie only if it is configured for "token redirection mode", which means
3719 that the "IP address redirection" option is disabled.
3720
Emeric Brun647caf12009-06-30 17:57:00 +02003721 Example :
3722 listen tse-farm
3723 bind :3389
3724 # wait up to 5s for an RDP cookie in the request
3725 tcp-request inspect-delay 5s
3726 tcp-request content accept if RDP_COOKIE
3727 # apply RDP cookie persistence
3728 persist rdp-cookie
3729 # if server is unknown, let's balance on the same cookie.
3730 # alternatively, "balance leastconn" may be useful too.
3731 balance rdp-cookie
3732 server srv1 1.1.1.1:3389
3733 server srv2 1.1.1.2:3389
3734
3735 See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
3736
3737
Willy Tarreau3a7d2072009-03-05 23:48:25 +01003738rate-limit sessions <rate>
3739 Set a limit on the number of new sessions accepted per second on a frontend
3740 May be used in sections : defaults | frontend | listen | backend
3741 yes | yes | yes | no
3742 Arguments :
3743 <rate> The <rate> parameter is an integer designating the maximum number
3744 of new sessions per second to accept on the frontend.
3745
3746 When the frontend reaches the specified number of new sessions per second, it
3747 stops accepting new connections until the rate drops below the limit again.
3748 During this time, the pending sessions will be kept in the socket's backlog
3749 (in system buffers) and haproxy will not even be aware that sessions are
3750 pending. When applying very low limit on a highly loaded service, it may make
3751 sense to increase the socket's backlog using the "backlog" keyword.
3752
3753 This feature is particularly efficient at blocking connection-based attacks
3754 or service abuse on fragile servers. Since the session rate is measured every
3755 millisecond, it is extremely accurate. Also, the limit applies immediately,
3756 no delay is needed at all to detect the threshold.
3757
3758 Example : limit the connection rate on SMTP to 10 per second max
3759 listen smtp
3760 mode tcp
3761 bind :25
3762 rate-limit sessions 10
3763 server 127.0.0.1:1025
3764
3765 Note : when the maximum rate is reached, the frontend's status appears as
3766 "FULL" in the statistics, exactly as when it is saturated.
3767
3768 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
3769
3770
Willy Tarreauf285f542010-01-03 20:03:03 +01003771redirect location <to> [code <code>] <option> [{if | unless} <condition>]
3772redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003773 Return an HTTP redirection if/unless a condition is matched
3774 May be used in sections : defaults | frontend | listen | backend
3775 no | yes | yes | yes
3776
3777 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01003778 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003779
Willy Tarreau0140f252008-11-19 21:07:09 +01003780 Arguments :
3781 <to> With "redirect location", the exact value in <to> is placed into
3782 the HTTP "Location" header. In case of "redirect prefix", the
3783 "Location" header is built from the concatenation of <to> and the
3784 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01003785 option is specified (see below). As a special case, if <to>
3786 equals exactly "/" in prefix mode, then nothing is inserted
3787 before the original URI. It allows one to redirect to the same
3788 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01003789
3790 <code> The code is optional. It indicates which type of HTTP redirection
3791 is desired. Only codes 301, 302 and 303 are supported, and 302 is
3792 used if no code is specified. 301 means "Moved permanently", and
3793 a browser may cache the Location. 302 means "Moved permanently"
3794 and means that the browser should not cache the redirection. 303
3795 is equivalent to 302 except that the browser will fetch the
3796 location with a GET method.
3797
3798 <option> There are several options which can be specified to adjust the
3799 expected behaviour of a redirection :
3800
3801 - "drop-query"
3802 When this keyword is used in a prefix-based redirection, then the
3803 location will be set without any possible query-string, which is useful
3804 for directing users to a non-secure page for instance. It has no effect
3805 with a location-type redirect.
3806
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003807 - "append-slash"
3808 This keyword may be used in conjunction with "drop-query" to redirect
3809 users who use a URL not ending with a '/' to the same one with the '/'.
3810 It can be useful to ensure that search engines will only see one URL.
3811 For this, a return code 301 is preferred.
3812
Willy Tarreau0140f252008-11-19 21:07:09 +01003813 - "set-cookie NAME[=value]"
3814 A "Set-Cookie" header will be added with NAME (and optionally "=value")
3815 to the response. This is sometimes used to indicate that a user has
3816 been seen, for instance to protect against some types of DoS. No other
3817 cookie option is added, so the cookie will be a session cookie. Note
3818 that for a browser, a sole cookie name without an equal sign is
3819 different from a cookie with an equal sign.
3820
3821 - "clear-cookie NAME[=]"
3822 A "Set-Cookie" header will be added with NAME (and optionally "="), but
3823 with the "Max-Age" attribute set to zero. This will tell the browser to
3824 delete this cookie. It is useful for instance on logout pages. It is
3825 important to note that clearing the cookie "NAME" will not remove a
3826 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
3827 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003828
3829 Example: move the login URL only to HTTPS.
3830 acl clear dst_port 80
3831 acl secure dst_port 8080
3832 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01003833 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01003834 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01003835 acl cookie_set hdr_sub(cookie) SEEN=1
3836
3837 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01003838 redirect prefix https://mysite.com if login_page !secure
3839 redirect prefix http://mysite.com drop-query if login_page !uid_given
3840 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01003841 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003842
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003843 Example: send redirects for request for articles without a '/'.
3844 acl missing_slash path_reg ^/article/[^/]*$
3845 redirect code 301 prefix / drop-query append-slash if missing_slash
3846
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003847 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003848
3849
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003850redisp (deprecated)
3851redispatch (deprecated)
3852 Enable or disable session redistribution in case of connection failure
3853 May be used in sections: defaults | frontend | listen | backend
3854 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003855 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003856
3857 In HTTP mode, if a server designated by a cookie is down, clients may
3858 definitely stick to it because they cannot flush the cookie, so they will not
3859 be able to access the service anymore.
3860
3861 Specifying "redispatch" will allow the proxy to break their persistence and
3862 redistribute them to a working server.
3863
3864 It also allows to retry last connection to another server in case of multiple
3865 connection failures. Of course, it requires having "retries" set to a nonzero
3866 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003867
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003868 This form is deprecated, do not use it in any new configuration, use the new
3869 "option redispatch" instead.
3870
3871 See also : "option redispatch"
3872
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003873
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003874reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01003875 Add a header at the end of the HTTP request
3876 May be used in sections : defaults | frontend | listen | backend
3877 no | yes | yes | yes
3878 Arguments :
3879 <string> is the complete line to be added. Any space or known delimiter
3880 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003881 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003882
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003883 <cond> is an optional matching condition built from ACLs. It makes it
3884 possible to ignore this rule when other conditions are not met.
3885
Willy Tarreau303c0352008-01-17 19:01:39 +01003886 A new line consisting in <string> followed by a line feed will be added after
3887 the last header of an HTTP request.
3888
3889 Header transformations only apply to traffic which passes through HAProxy,
3890 and not to traffic generated by HAProxy, such as health-checks or error
3891 responses.
3892
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003893 Example : add "X-Proto: SSL" to requests coming via port 81
3894 acl is-ssl dst_port 81
3895 reqadd X-Proto:\ SSL if is-ssl
3896
3897 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
3898 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003899
3900
Willy Tarreau5321c422010-01-28 20:35:13 +01003901reqallow <search> [{if | unless} <cond>]
3902reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003903 Definitely allow an HTTP request if a line matches a regular expression
3904 May be used in sections : defaults | frontend | listen | backend
3905 no | yes | yes | yes
3906 Arguments :
3907 <search> is the regular expression applied to HTTP headers and to the
3908 request line. This is an extended regular expression. Parenthesis
3909 grouping is supported and no preliminary backslash is required.
3910 Any space or known delimiter must be escaped using a backslash
3911 ('\'). The pattern applies to a full line at a time. The
3912 "reqallow" keyword strictly matches case while "reqiallow"
3913 ignores case.
3914
Willy Tarreau5321c422010-01-28 20:35:13 +01003915 <cond> is an optional matching condition built from ACLs. It makes it
3916 possible to ignore this rule when other conditions are not met.
3917
Willy Tarreau303c0352008-01-17 19:01:39 +01003918 A request containing any line which matches extended regular expression
3919 <search> will mark the request as allowed, even if any later test would
3920 result in a deny. The test applies both to the request line and to request
3921 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003922 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003923
3924 It is easier, faster and more powerful to use ACLs to write access policies.
3925 Reqdeny, reqallow and reqpass should be avoided in new designs.
3926
3927 Example :
3928 # allow www.* but refuse *.local
3929 reqiallow ^Host:\ www\.
3930 reqideny ^Host:\ .*\.local
3931
Willy Tarreau5321c422010-01-28 20:35:13 +01003932 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
3933 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003934
3935
Willy Tarreau5321c422010-01-28 20:35:13 +01003936reqdel <search> [{if | unless} <cond>]
3937reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003938 Delete all headers matching a regular expression in an HTTP request
3939 May be used in sections : defaults | frontend | listen | backend
3940 no | yes | yes | yes
3941 Arguments :
3942 <search> is the regular expression applied to HTTP headers and to the
3943 request line. This is an extended regular expression. Parenthesis
3944 grouping is supported and no preliminary backslash is required.
3945 Any space or known delimiter must be escaped using a backslash
3946 ('\'). The pattern applies to a full line at a time. The "reqdel"
3947 keyword strictly matches case while "reqidel" ignores case.
3948
Willy Tarreau5321c422010-01-28 20:35:13 +01003949 <cond> is an optional matching condition built from ACLs. It makes it
3950 possible to ignore this rule when other conditions are not met.
3951
Willy Tarreau303c0352008-01-17 19:01:39 +01003952 Any header line matching extended regular expression <search> in the request
3953 will be completely deleted. Most common use of this is to remove unwanted
3954 and/or dangerous headers or cookies from a request before passing it to the
3955 next servers.
3956
3957 Header transformations only apply to traffic which passes through HAProxy,
3958 and not to traffic generated by HAProxy, such as health-checks or error
3959 responses. Keep in mind that header names are not case-sensitive.
3960
3961 Example :
3962 # remove X-Forwarded-For header and SERVER cookie
3963 reqidel ^X-Forwarded-For:.*
3964 reqidel ^Cookie:.*SERVER=
3965
Willy Tarreau5321c422010-01-28 20:35:13 +01003966 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
3967 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003968
3969
Willy Tarreau5321c422010-01-28 20:35:13 +01003970reqdeny <search> [{if | unless} <cond>]
3971reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003972 Deny an HTTP request if a line matches a regular expression
3973 May be used in sections : defaults | frontend | listen | backend
3974 no | yes | yes | yes
3975 Arguments :
3976 <search> is the regular expression applied to HTTP headers and to the
3977 request line. This is an extended regular expression. Parenthesis
3978 grouping is supported and no preliminary backslash is required.
3979 Any space or known delimiter must be escaped using a backslash
3980 ('\'). The pattern applies to a full line at a time. The
3981 "reqdeny" keyword strictly matches case while "reqideny" ignores
3982 case.
3983
Willy Tarreau5321c422010-01-28 20:35:13 +01003984 <cond> is an optional matching condition built from ACLs. It makes it
3985 possible to ignore this rule when other conditions are not met.
3986
Willy Tarreau303c0352008-01-17 19:01:39 +01003987 A request containing any line which matches extended regular expression
3988 <search> will mark the request as denied, even if any later test would
3989 result in an allow. The test applies both to the request line and to request
3990 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003991 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003992
Willy Tarreauced27012008-01-17 20:35:34 +01003993 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003994 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01003995 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01003996
Willy Tarreau303c0352008-01-17 19:01:39 +01003997 It is easier, faster and more powerful to use ACLs to write access policies.
3998 Reqdeny, reqallow and reqpass should be avoided in new designs.
3999
4000 Example :
4001 # refuse *.local, then allow www.*
4002 reqideny ^Host:\ .*\.local
4003 reqiallow ^Host:\ www\.
4004
Willy Tarreau5321c422010-01-28 20:35:13 +01004005 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4006 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004007
4008
Willy Tarreau5321c422010-01-28 20:35:13 +01004009reqpass <search> [{if | unless} <cond>]
4010reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004011 Ignore any HTTP request line matching a regular expression in next rules
4012 May be used in sections : defaults | frontend | listen | backend
4013 no | yes | yes | yes
4014 Arguments :
4015 <search> is the regular expression applied to HTTP headers and to the
4016 request line. This is an extended regular expression. Parenthesis
4017 grouping is supported and no preliminary backslash is required.
4018 Any space or known delimiter must be escaped using a backslash
4019 ('\'). The pattern applies to a full line at a time. The
4020 "reqpass" keyword strictly matches case while "reqipass" ignores
4021 case.
4022
Willy Tarreau5321c422010-01-28 20:35:13 +01004023 <cond> is an optional matching condition built from ACLs. It makes it
4024 possible to ignore this rule when other conditions are not met.
4025
Willy Tarreau303c0352008-01-17 19:01:39 +01004026 A request containing any line which matches extended regular expression
4027 <search> will skip next rules, without assigning any deny or allow verdict.
4028 The test applies both to the request line and to request headers. Keep in
4029 mind that URLs in request line are case-sensitive while header names are not.
4030
4031 It is easier, faster and more powerful to use ACLs to write access policies.
4032 Reqdeny, reqallow and reqpass should be avoided in new designs.
4033
4034 Example :
4035 # refuse *.local, then allow www.*, but ignore "www.private.local"
4036 reqipass ^Host:\ www.private\.local
4037 reqideny ^Host:\ .*\.local
4038 reqiallow ^Host:\ www\.
4039
Willy Tarreau5321c422010-01-28 20:35:13 +01004040 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4041 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004042
4043
Willy Tarreau5321c422010-01-28 20:35:13 +01004044reqrep <search> <string> [{if | unless} <cond>]
4045reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004046 Replace a regular expression with a string in an HTTP request line
4047 May be used in sections : defaults | frontend | listen | backend
4048 no | yes | yes | yes
4049 Arguments :
4050 <search> is the regular expression applied to HTTP headers and to the
4051 request line. This is an extended regular expression. Parenthesis
4052 grouping is supported and no preliminary backslash is required.
4053 Any space or known delimiter must be escaped using a backslash
4054 ('\'). The pattern applies to a full line at a time. The "reqrep"
4055 keyword strictly matches case while "reqirep" ignores case.
4056
4057 <string> is the complete line to be added. Any space or known delimiter
4058 must be escaped using a backslash ('\'). References to matched
4059 pattern groups are possible using the common \N form, with N
4060 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004061 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004062
Willy Tarreau5321c422010-01-28 20:35:13 +01004063 <cond> is an optional matching condition built from ACLs. It makes it
4064 possible to ignore this rule when other conditions are not met.
4065
Willy Tarreau303c0352008-01-17 19:01:39 +01004066 Any line matching extended regular expression <search> in the request (both
4067 the request line and header lines) will be completely replaced with <string>.
4068 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4069
4070 Header transformations only apply to traffic which passes through HAProxy,
4071 and not to traffic generated by HAProxy, such as health-checks or error
4072 responses. Note that for increased readability, it is suggested to add enough
4073 spaces between the request and the response. Keep in mind that URLs in
4074 request line are case-sensitive while header names are not.
4075
4076 Example :
4077 # replace "/static/" with "/" at the beginning of any request path.
4078 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
4079 # replace "www.mydomain.com" with "www" in the host name.
4080 reqirep ^Host:\ www.mydomain.com Host:\ www
4081
Willy Tarreau5321c422010-01-28 20:35:13 +01004082 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
4083 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004084
4085
Willy Tarreau5321c422010-01-28 20:35:13 +01004086reqtarpit <search> [{if | unless} <cond>]
4087reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004088 Tarpit an HTTP request containing a line matching a regular expression
4089 May be used in sections : defaults | frontend | listen | backend
4090 no | yes | yes | yes
4091 Arguments :
4092 <search> is the regular expression applied to HTTP headers and to the
4093 request line. This is an extended regular expression. Parenthesis
4094 grouping is supported and no preliminary backslash is required.
4095 Any space or known delimiter must be escaped using a backslash
4096 ('\'). The pattern applies to a full line at a time. The
4097 "reqtarpit" keyword strictly matches case while "reqitarpit"
4098 ignores case.
4099
Willy Tarreau5321c422010-01-28 20:35:13 +01004100 <cond> is an optional matching condition built from ACLs. It makes it
4101 possible to ignore this rule when other conditions are not met.
4102
Willy Tarreau303c0352008-01-17 19:01:39 +01004103 A request containing any line which matches extended regular expression
4104 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004105 be kept open for a pre-defined time, then will return an HTTP error 500 so
4106 that the attacker does not suspect it has been tarpitted. The status 500 will
4107 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004108 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4109 not set.
4110
4111 The goal of the tarpit is to slow down robots attacking servers with
4112 identifiable requests. Many robots limit their outgoing number of connections
4113 and stay connected waiting for a reply which can take several minutes to
4114 come. Depending on the environment and attack, it may be particularly
4115 efficient at reducing the load on the network and firewalls.
4116
Willy Tarreau5321c422010-01-28 20:35:13 +01004117 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004118 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4119 # block all others.
4120 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4121 reqitarpit ^User-Agent:
4122
Willy Tarreau5321c422010-01-28 20:35:13 +01004123 # block bad guys
4124 acl badguys src 10.1.0.3 172.16.13.20/28
4125 reqitarpit . if badguys
4126
4127 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4128 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004129
4130
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004131retries <value>
4132 Set the number of retries to perform on a server after a connection failure
4133 May be used in sections: defaults | frontend | listen | backend
4134 yes | no | yes | yes
4135 Arguments :
4136 <value> is the number of times a connection attempt should be retried on
4137 a server when a connection either is refused or times out. The
4138 default value is 3.
4139
4140 It is important to understand that this value applies to the number of
4141 connection attempts, not full requests. When a connection has effectively
4142 been established to a server, there will be no more retry.
4143
4144 In order to avoid immediate reconnections to a server which is restarting,
4145 a turn-around timer of 1 second is applied before a retry occurs.
4146
4147 When "option redispatch" is set, the last retry may be performed on another
4148 server even if a cookie references a different server.
4149
4150 See also : "option redispatch"
4151
4152
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004153rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004154 Add a header at the end of the HTTP response
4155 May be used in sections : defaults | frontend | listen | backend
4156 no | yes | yes | yes
4157 Arguments :
4158 <string> is the complete line to be added. Any space or known delimiter
4159 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004160 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004161
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004162 <cond> is an optional matching condition built from ACLs. It makes it
4163 possible to ignore this rule when other conditions are not met.
4164
Willy Tarreau303c0352008-01-17 19:01:39 +01004165 A new line consisting in <string> followed by a line feed will be added after
4166 the last header of an HTTP response.
4167
4168 Header transformations only apply to traffic which passes through HAProxy,
4169 and not to traffic generated by HAProxy, such as health-checks or error
4170 responses.
4171
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004172 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4173 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004174
4175
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004176rspdel <search> [{if | unless} <cond>]
4177rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004178 Delete all headers matching a regular expression in an HTTP response
4179 May be used in sections : defaults | frontend | listen | backend
4180 no | yes | yes | yes
4181 Arguments :
4182 <search> is the regular expression applied to HTTP headers and to the
4183 response line. This is an extended regular expression, so
4184 parenthesis grouping is supported and no preliminary backslash
4185 is required. Any space or known delimiter must be escaped using
4186 a backslash ('\'). The pattern applies to a full line at a time.
4187 The "rspdel" keyword strictly matches case while "rspidel"
4188 ignores case.
4189
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004190 <cond> is an optional matching condition built from ACLs. It makes it
4191 possible to ignore this rule when other conditions are not met.
4192
Willy Tarreau303c0352008-01-17 19:01:39 +01004193 Any header line matching extended regular expression <search> in the response
4194 will be completely deleted. Most common use of this is to remove unwanted
4195 and/or sensible headers or cookies from a response before passing it to the
4196 client.
4197
4198 Header transformations only apply to traffic which passes through HAProxy,
4199 and not to traffic generated by HAProxy, such as health-checks or error
4200 responses. Keep in mind that header names are not case-sensitive.
4201
4202 Example :
4203 # remove the Server header from responses
4204 reqidel ^Server:.*
4205
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004206 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4207 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004208
4209
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004210rspdeny <search> [{if | unless} <cond>]
4211rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004212 Block an HTTP response if a line matches a regular expression
4213 May be used in sections : defaults | frontend | listen | backend
4214 no | yes | yes | yes
4215 Arguments :
4216 <search> is the regular expression applied to HTTP headers and to the
4217 response line. This is an extended regular expression, so
4218 parenthesis grouping is supported and no preliminary backslash
4219 is required. Any space or known delimiter must be escaped using
4220 a backslash ('\'). The pattern applies to a full line at a time.
4221 The "rspdeny" keyword strictly matches case while "rspideny"
4222 ignores case.
4223
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004224 <cond> is an optional matching condition built from ACLs. It makes it
4225 possible to ignore this rule when other conditions are not met.
4226
Willy Tarreau303c0352008-01-17 19:01:39 +01004227 A response containing any line which matches extended regular expression
4228 <search> will mark the request as denied. The test applies both to the
4229 response line and to response headers. Keep in mind that header names are not
4230 case-sensitive.
4231
4232 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004233 block the response before it reaches the client. If a response is denied, it
4234 will be replaced with an HTTP 502 error so that the client never retrieves
4235 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004236
4237 It is easier, faster and more powerful to use ACLs to write access policies.
4238 Rspdeny should be avoided in new designs.
4239
4240 Example :
4241 # Ensure that no content type matching ms-word will leak
4242 rspideny ^Content-type:\.*/ms-word
4243
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004244 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4245 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004246
4247
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004248rsprep <search> <string> [{if | unless} <cond>]
4249rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004250 Replace a regular expression with a string in an HTTP response line
4251 May be used in sections : defaults | frontend | listen | backend
4252 no | yes | yes | yes
4253 Arguments :
4254 <search> is the regular expression applied to HTTP headers and to the
4255 response line. This is an extended regular expression, so
4256 parenthesis grouping is supported and no preliminary backslash
4257 is required. Any space or known delimiter must be escaped using
4258 a backslash ('\'). The pattern applies to a full line at a time.
4259 The "rsprep" keyword strictly matches case while "rspirep"
4260 ignores case.
4261
4262 <string> is the complete line to be added. Any space or known delimiter
4263 must be escaped using a backslash ('\'). References to matched
4264 pattern groups are possible using the common \N form, with N
4265 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004266 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004267
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004268 <cond> is an optional matching condition built from ACLs. It makes it
4269 possible to ignore this rule when other conditions are not met.
4270
Willy Tarreau303c0352008-01-17 19:01:39 +01004271 Any line matching extended regular expression <search> in the response (both
4272 the response line and header lines) will be completely replaced with
4273 <string>. Most common use of this is to rewrite Location headers.
4274
4275 Header transformations only apply to traffic which passes through HAProxy,
4276 and not to traffic generated by HAProxy, such as health-checks or error
4277 responses. Note that for increased readability, it is suggested to add enough
4278 spaces between the request and the response. Keep in mind that header names
4279 are not case-sensitive.
4280
4281 Example :
4282 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4283 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4284
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004285 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4286 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004287
4288
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004289server <name> <address>[:port] [param*]
4290 Declare a server in a backend
4291 May be used in sections : defaults | frontend | listen | backend
4292 no | no | yes | yes
4293 Arguments :
4294 <name> is the internal name assigned to this server. This name will
4295 appear in logs and alerts.
4296
4297 <address> is the IPv4 address of the server. Alternatively, a resolvable
4298 hostname is supported, but this name will be resolved during
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004299 start-up. Address "0.0.0.0" or "*" has a special meaning. It
4300 indicates that the connection will be forwarded to the same IP
4301 address as the one from the client connection. This is useful in
4302 transparent proxy architectures where the client's connection is
4303 intercepted and haproxy must forward to the original destination
4304 address. This is more or less what the "transparent" keyword does
4305 except that with a server it's possible to limit concurrency and
4306 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004307
4308 <ports> is an optional port specification. If set, all connections will
4309 be sent to this port. If unset, the same port the client
4310 connected to will be used. The port may also be prefixed by a "+"
4311 or a "-". In this case, the server's port will be determined by
4312 adding this value to the client's port.
4313
4314 <param*> is a list of parameters for this server. The "server" keywords
4315 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004316 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004317
4318 Examples :
4319 server first 10.1.1.1:1080 cookie first check inter 1000
4320 server second 10.1.1.2:1080 cookie second check inter 1000
4321
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004322 See also: "default-server" and section 5 about server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004323
4324
4325source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004326source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004327source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004328 Set the source address for outgoing connections
4329 May be used in sections : defaults | frontend | listen | backend
4330 yes | no | yes | yes
4331 Arguments :
4332 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4333 server. This address is also used as a source for health checks.
4334 The default value of 0.0.0.0 means that the system will select
4335 the most appropriate address to reach its destination.
4336
4337 <port> is an optional port. It is normally not needed but may be useful
4338 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004339 the system will select a free port. Note that port ranges are not
4340 supported in the backend. If you want to force port ranges, you
4341 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004342
4343 <addr2> is the IP address to present to the server when connections are
4344 forwarded in full transparent proxy mode. This is currently only
4345 supported on some patched Linux kernels. When this address is
4346 specified, clients connecting to the server will be presented
4347 with this address, while health checks will still use the address
4348 <addr>.
4349
4350 <port2> is the optional port to present to the server when connections
4351 are forwarded in full transparent proxy mode (see <addr2> above).
4352 The default value of zero means the system will select a free
4353 port.
4354
Willy Tarreaubce70882009-09-07 11:51:47 +02004355 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4356 This is the name of a comma-separated header list which can
4357 contain multiple IP addresses. By default, the last occurrence is
4358 used. This is designed to work with the X-Forwarded-For header
4359 and to automatically bind to the the client's IP address as seen
4360 by previous proxy, typically Stunnel. In order to use another
4361 occurrence from the last one, please see the <occ> parameter
4362 below. When the header (or occurrence) is not found, no binding
4363 is performed so that the proxy's default IP address is used. Also
4364 keep in mind that the header name is case insensitive, as for any
4365 HTTP header.
4366
4367 <occ> is the occurrence number of a value to be used in a multi-value
4368 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
4369 in order to specificy which occurrence to use for the source IP
4370 address. Positive values indicate a position from the first
4371 occurrence, 1 being the first one. Negative values indicate
4372 positions relative to the last one, -1 being the last one. This
4373 is helpful for situations where an X-Forwarded-For header is set
4374 at the entry point of an infrastructure and must be used several
4375 proxy layers away. When this value is not specified, -1 is
4376 assumed. Passing a zero here disables the feature.
4377
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004378 <name> is an optional interface name to which to bind to for outgoing
4379 traffic. On systems supporting this features (currently, only
4380 Linux), this allows one to bind all traffic to the server to
4381 this interface even if it is not the one the system would select
4382 based on routing tables. This should be used with extreme care.
4383 Note that using this option requires root privileges.
4384
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004385 The "source" keyword is useful in complex environments where a specific
4386 address only is allowed to connect to the servers. It may be needed when a
4387 private address must be used through a public gateway for instance, and it is
4388 known that the system cannot determine the adequate source address by itself.
4389
4390 An extension which is available on certain patched Linux kernels may be used
4391 through the "usesrc" optional keyword. It makes it possible to connect to the
4392 servers with an IP address which does not belong to the system itself. This
4393 is called "full transparent proxy mode". For this to work, the destination
4394 servers have to route their traffic back to this address through the machine
4395 running HAProxy, and IP forwarding must generally be enabled on this machine.
4396
4397 In this "full transparent proxy" mode, it is possible to force a specific IP
4398 address to be presented to the servers. This is not much used in fact. A more
4399 common use is to tell HAProxy to present the client's IP address. For this,
4400 there are two methods :
4401
4402 - present the client's IP and port addresses. This is the most transparent
4403 mode, but it can cause problems when IP connection tracking is enabled on
4404 the machine, because a same connection may be seen twice with different
4405 states. However, this solution presents the huge advantage of not
4406 limiting the system to the 64k outgoing address+port couples, because all
4407 of the client ranges may be used.
4408
4409 - present only the client's IP address and select a spare port. This
4410 solution is still quite elegant but slightly less transparent (downstream
4411 firewalls logs will not match upstream's). It also presents the downside
4412 of limiting the number of concurrent connections to the usual 64k ports.
4413 However, since the upstream and downstream ports are different, local IP
4414 connection tracking on the machine will not be upset by the reuse of the
4415 same session.
4416
4417 Note that depending on the transparent proxy technology used, it may be
4418 required to force the source address. In fact, cttproxy version 2 requires an
4419 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4420 IP address because it creates NAT entries which much match the exact outgoing
4421 address. Tproxy version 4 and some other kernel patches which work in pure
4422 forwarding mode generally will not have this limitation.
4423
4424 This option sets the default source for all servers in the backend. It may
4425 also be specified in a "defaults" section. Finer source address specification
4426 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004427 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004428
4429 Examples :
4430 backend private
4431 # Connect to the servers using our 192.168.1.200 source address
4432 source 192.168.1.200
4433
4434 backend transparent_ssl1
4435 # Connect to the SSL farm from the client's source address
4436 source 192.168.1.200 usesrc clientip
4437
4438 backend transparent_ssl2
4439 # Connect to the SSL farm from the client's source address and port
4440 # not recommended if IP conntrack is present on the local machine.
4441 source 192.168.1.200 usesrc client
4442
4443 backend transparent_ssl3
4444 # Connect to the SSL farm from the client's source address. It
4445 # is more conntrack-friendly.
4446 source 192.168.1.200 usesrc clientip
4447
4448 backend transparent_smtp
4449 # Connect to the SMTP farm from the client's source address/port
4450 # with Tproxy version 4.
4451 source 0.0.0.0 usesrc clientip
4452
Willy Tarreaubce70882009-09-07 11:51:47 +02004453 backend transparent_http
4454 # Connect to the servers using the client's IP as seen by previous
4455 # proxy.
4456 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4457
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004458 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004459 the Linux kernel on www.balabit.com, the "bind" keyword.
4460
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004461
Willy Tarreau844e3c52008-01-11 16:28:18 +01004462srvtimeout <timeout> (deprecated)
4463 Set the maximum inactivity time on the server side.
4464 May be used in sections : defaults | frontend | listen | backend
4465 yes | no | yes | yes
4466 Arguments :
4467 <timeout> is the timeout value specified in milliseconds by default, but
4468 can be in any other unit if the number is suffixed by the unit,
4469 as explained at the top of this document.
4470
4471 The inactivity timeout applies when the server is expected to acknowledge or
4472 send data. In HTTP mode, this timeout is particularly important to consider
4473 during the first phase of the server's response, when it has to send the
4474 headers, as it directly represents the server's processing time for the
4475 request. To find out what value to put there, it's often good to start with
4476 what would be considered as unacceptable response times, then check the logs
4477 to observe the response time distribution, and adjust the value accordingly.
4478
4479 The value is specified in milliseconds by default, but can be in any other
4480 unit if the number is suffixed by the unit, as specified at the top of this
4481 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4482 recommended that the client timeout remains equal to the server timeout in
4483 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004484 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004485 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01004486 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01004487
4488 This parameter is specific to backends, but can be specified once for all in
4489 "defaults" sections. This is in fact one of the easiest solutions not to
4490 forget about it. An unspecified timeout results in an infinite timeout, which
4491 is not recommended. Such a usage is accepted and works but reports a warning
4492 during startup because it may results in accumulation of expired sessions in
4493 the system if the system's timeouts are not configured either.
4494
4495 This parameter is provided for compatibility but is currently deprecated.
4496 Please use "timeout server" instead.
4497
4498 See also : "timeout server", "timeout client" and "clitimeout".
4499
4500
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004501stats auth <user>:<passwd>
4502 Enable statistics with authentication and grant access to an account
4503 May be used in sections : defaults | frontend | listen | backend
4504 yes | no | yes | yes
4505 Arguments :
4506 <user> is a user name to grant access to
4507
4508 <passwd> is the cleartext password associated to this user
4509
4510 This statement enables statistics with default settings, and restricts access
4511 to declared users only. It may be repeated as many times as necessary to
4512 allow as many users as desired. When a user tries to access the statistics
4513 without a valid account, a "401 Forbidden" response will be returned so that
4514 the browser asks the user to provide a valid user and password. The real
4515 which will be returned to the browser is configurable using "stats realm".
4516
4517 Since the authentication method is HTTP Basic Authentication, the passwords
4518 circulate in cleartext on the network. Thus, it was decided that the
4519 configuration file would also use cleartext passwords to remind the users
4520 that those ones should not be sensible and not shared with any other account.
4521
4522 It is also possible to reduce the scope of the proxies which appear in the
4523 report using "stats scope".
4524
4525 Though this statement alone is enough to enable statistics reporting, it is
4526 recommended to set all other settings in order to avoid relying on default
4527 unobvious parameters.
4528
4529 Example :
4530 # public access (limited to this backend only)
4531 backend public_www
4532 server srv1 192.168.0.1:80
4533 stats enable
4534 stats hide-version
4535 stats scope .
4536 stats uri /admin?stats
4537 stats realm Haproxy\ Statistics
4538 stats auth admin1:AdMiN123
4539 stats auth admin2:AdMiN321
4540
4541 # internal monitoring access (unlimited)
4542 backend private_monitoring
4543 stats enable
4544 stats uri /admin?stats
4545 stats refresh 5s
4546
4547 See also : "stats enable", "stats realm", "stats scope", "stats uri"
4548
4549
4550stats enable
4551 Enable statistics reporting with default settings
4552 May be used in sections : defaults | frontend | listen | backend
4553 yes | no | yes | yes
4554 Arguments : none
4555
4556 This statement enables statistics reporting with default settings defined
4557 at build time. Unless stated otherwise, these settings are used :
4558 - stats uri : /haproxy?stats
4559 - stats realm : "HAProxy Statistics"
4560 - stats auth : no authentication
4561 - stats scope : no restriction
4562
4563 Though this statement alone is enough to enable statistics reporting, it is
4564 recommended to set all other settings in order to avoid relying on default
4565 unobvious parameters.
4566
4567 Example :
4568 # public access (limited to this backend only)
4569 backend public_www
4570 server srv1 192.168.0.1:80
4571 stats enable
4572 stats hide-version
4573 stats scope .
4574 stats uri /admin?stats
4575 stats realm Haproxy\ Statistics
4576 stats auth admin1:AdMiN123
4577 stats auth admin2:AdMiN321
4578
4579 # internal monitoring access (unlimited)
4580 backend private_monitoring
4581 stats enable
4582 stats uri /admin?stats
4583 stats refresh 5s
4584
4585 See also : "stats auth", "stats realm", "stats uri"
4586
4587
Willy Tarreaud63335a2010-02-26 12:56:52 +01004588stats hide-version
4589 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004590 May be used in sections : defaults | frontend | listen | backend
4591 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01004592 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004593
Willy Tarreaud63335a2010-02-26 12:56:52 +01004594 By default, the stats page reports some useful status information along with
4595 the statistics. Among them is HAProxy's version. However, it is generally
4596 considered dangerous to report precise version to anyone, as it can help them
4597 target known weaknesses with specific attacks. The "stats hide-version"
4598 statement removes the version from the statistics report. This is recommended
4599 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004600
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004601 Though this statement alone is enough to enable statistics reporting, it is
4602 recommended to set all other settings in order to avoid relying on default
4603 unobvious parameters.
4604
Willy Tarreaud63335a2010-02-26 12:56:52 +01004605 Example :
4606 # public access (limited to this backend only)
4607 backend public_www
4608 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004609 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004610 stats hide-version
4611 stats scope .
4612 stats uri /admin?stats
4613 stats realm Haproxy\ Statistics
4614 stats auth admin1:AdMiN123
4615 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004616
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004617 # internal monitoring access (unlimited)
4618 backend private_monitoring
4619 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004620 stats uri /admin?stats
4621 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01004622
Willy Tarreaud63335a2010-02-26 12:56:52 +01004623 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004624
Willy Tarreau983e01e2010-01-11 18:42:06 +01004625
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004626stats realm <realm>
4627 Enable statistics and set authentication realm
4628 May be used in sections : defaults | frontend | listen | backend
4629 yes | no | yes | yes
4630 Arguments :
4631 <realm> is the name of the HTTP Basic Authentication realm reported to
4632 the browser. The browser uses it to display it in the pop-up
4633 inviting the user to enter a valid username and password.
4634
4635 The realm is read as a single word, so any spaces in it should be escaped
4636 using a backslash ('\').
4637
4638 This statement is useful only in conjunction with "stats auth" since it is
4639 only related to authentication.
4640
4641 Though this statement alone is enough to enable statistics reporting, it is
4642 recommended to set all other settings in order to avoid relying on default
4643 unobvious parameters.
4644
4645 Example :
4646 # public access (limited to this backend only)
4647 backend public_www
4648 server srv1 192.168.0.1:80
4649 stats enable
4650 stats hide-version
4651 stats scope .
4652 stats uri /admin?stats
4653 stats realm Haproxy\ Statistics
4654 stats auth admin1:AdMiN123
4655 stats auth admin2:AdMiN321
4656
4657 # internal monitoring access (unlimited)
4658 backend private_monitoring
4659 stats enable
4660 stats uri /admin?stats
4661 stats refresh 5s
4662
4663 See also : "stats auth", "stats enable", "stats uri"
4664
4665
4666stats refresh <delay>
4667 Enable statistics with automatic refresh
4668 May be used in sections : defaults | frontend | listen | backend
4669 yes | no | yes | yes
4670 Arguments :
4671 <delay> is the suggested refresh delay, specified in seconds, which will
4672 be returned to the browser consulting the report page. While the
4673 browser is free to apply any delay, it will generally respect it
4674 and refresh the page this every seconds. The refresh interval may
4675 be specified in any other non-default time unit, by suffixing the
4676 unit after the value, as explained at the top of this document.
4677
4678 This statement is useful on monitoring displays with a permanent page
4679 reporting the load balancer's activity. When set, the HTML report page will
4680 include a link "refresh"/"stop refresh" so that the user can select whether
4681 he wants automatic refresh of the page or not.
4682
4683 Though this statement alone is enough to enable statistics reporting, it is
4684 recommended to set all other settings in order to avoid relying on default
4685 unobvious parameters.
4686
4687 Example :
4688 # public access (limited to this backend only)
4689 backend public_www
4690 server srv1 192.168.0.1:80
4691 stats enable
4692 stats hide-version
4693 stats scope .
4694 stats uri /admin?stats
4695 stats realm Haproxy\ Statistics
4696 stats auth admin1:AdMiN123
4697 stats auth admin2:AdMiN321
4698
4699 # internal monitoring access (unlimited)
4700 backend private_monitoring
4701 stats enable
4702 stats uri /admin?stats
4703 stats refresh 5s
4704
4705 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4706
4707
4708stats scope { <name> | "." }
4709 Enable statistics and limit access scope
4710 May be used in sections : defaults | frontend | listen | backend
4711 yes | no | yes | yes
4712 Arguments :
4713 <name> is the name of a listen, frontend or backend section to be
4714 reported. The special name "." (a single dot) designates the
4715 section in which the statement appears.
4716
4717 When this statement is specified, only the sections enumerated with this
4718 statement will appear in the report. All other ones will be hidden. This
4719 statement may appear as many times as needed if multiple sections need to be
4720 reported. Please note that the name checking is performed as simple string
4721 comparisons, and that it is never checked that a give section name really
4722 exists.
4723
4724 Though this statement alone is enough to enable statistics reporting, it is
4725 recommended to set all other settings in order to avoid relying on default
4726 unobvious parameters.
4727
4728 Example :
4729 # public access (limited to this backend only)
4730 backend public_www
4731 server srv1 192.168.0.1:80
4732 stats enable
4733 stats hide-version
4734 stats scope .
4735 stats uri /admin?stats
4736 stats realm Haproxy\ Statistics
4737 stats auth admin1:AdMiN123
4738 stats auth admin2:AdMiN321
4739
4740 # internal monitoring access (unlimited)
4741 backend private_monitoring
4742 stats enable
4743 stats uri /admin?stats
4744 stats refresh 5s
4745
4746 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4747
Willy Tarreaud63335a2010-02-26 12:56:52 +01004748
4749stats show-desc [ <description> ]
4750 Enable reporting of a description on the statistics page.
4751 May be used in sections : defaults | frontend | listen | backend
4752 yes | no | yes | yes
4753
4754 <name> is an optional description to be reported. If unspecified, the
4755 description from global section is automatically used instead.
4756
4757 This statement is useful for users that offer shared services to their
4758 customers, where node or description should be different for each customer.
4759
4760 Though this statement alone is enough to enable statistics reporting, it is
4761 recommended to set all other settings in order to avoid relying on default
4762 unobvious parameters.
4763
4764 Example :
4765 # internal monitoring access (unlimited)
4766 backend private_monitoring
4767 stats enable
4768 stats show-desc Master node for Europe, Asia, Africa
4769 stats uri /admin?stats
4770 stats refresh 5s
4771
4772 See also: "show-node", "stats enable", "stats uri" and "description" in
4773 global section.
4774
4775
4776stats show-legends
4777 Enable reporting additional informations on the statistics page :
4778 - cap: capabilities (proxy)
4779 - mode: one of tcp, http or health (proxy)
4780 - id: SNMP ID (proxy, socket, server)
4781 - IP (socket, server)
4782 - cookie (backend, server)
4783
4784 Though this statement alone is enough to enable statistics reporting, it is
4785 recommended to set all other settings in order to avoid relying on default
4786 unobvious parameters.
4787
4788 See also: "stats enable", "stats uri".
4789
4790
4791stats show-node [ <name> ]
4792 Enable reporting of a host name on the statistics page.
4793 May be used in sections : defaults | frontend | listen | backend
4794 yes | no | yes | yes
4795 Arguments:
4796 <name> is an optional name to be reported. If unspecified, the
4797 node name from global section is automatically used instead.
4798
4799 This statement is useful for users that offer shared services to their
4800 customers, where node or description might be different on a stats page
4801 provided for each customer.
4802
4803 Though this statement alone is enough to enable statistics reporting, it is
4804 recommended to set all other settings in order to avoid relying on default
4805 unobvious parameters.
4806
4807 Example:
4808 # internal monitoring access (unlimited)
4809 backend private_monitoring
4810 stats enable
4811 stats show-node Europe-1
4812 stats uri /admin?stats
4813 stats refresh 5s
4814
4815 See also: "show-desc", "stats enable", "stats uri", and "node" in global
4816 section.
4817
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004818
4819stats uri <prefix>
4820 Enable statistics and define the URI prefix to access them
4821 May be used in sections : defaults | frontend | listen | backend
4822 yes | no | yes | yes
4823 Arguments :
4824 <prefix> is the prefix of any URI which will be redirected to stats. This
4825 prefix may contain a question mark ('?') to indicate part of a
4826 query string.
4827
4828 The statistics URI is intercepted on the relayed traffic, so it appears as a
4829 page within the normal application. It is strongly advised to ensure that the
4830 selected URI will never appear in the application, otherwise it will never be
4831 possible to reach it in the application.
4832
4833 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004834 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004835 It is generally a good idea to include a question mark in the URI so that
4836 intermediate proxies refrain from caching the results. Also, since any string
4837 beginning with the prefix will be accepted as a stats request, the question
4838 mark helps ensuring that no valid URI will begin with the same words.
4839
4840 It is sometimes very convenient to use "/" as the URI prefix, and put that
4841 statement in a "listen" instance of its own. That makes it easy to dedicate
4842 an address or a port to statistics only.
4843
4844 Though this statement alone is enough to enable statistics reporting, it is
4845 recommended to set all other settings in order to avoid relying on default
4846 unobvious parameters.
4847
4848 Example :
4849 # public access (limited to this backend only)
4850 backend public_www
4851 server srv1 192.168.0.1:80
4852 stats enable
4853 stats hide-version
4854 stats scope .
4855 stats uri /admin?stats
4856 stats realm Haproxy\ Statistics
4857 stats auth admin1:AdMiN123
4858 stats auth admin2:AdMiN321
4859
4860 # internal monitoring access (unlimited)
4861 backend private_monitoring
4862 stats enable
4863 stats uri /admin?stats
4864 stats refresh 5s
4865
4866 See also : "stats auth", "stats enable", "stats realm"
4867
4868
Willy Tarreaud63335a2010-02-26 12:56:52 +01004869stick match <pattern> [table <table>] [{if | unless} <cond>]
4870 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004871 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01004872 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004873
4874 Arguments :
4875 <pattern> is a pattern extraction rule as described in section 7.8. It
4876 describes what elements of the incoming request or connection
4877 will be analysed in the hope to find a matching entry in a
4878 stickiness table. This rule is mandatory.
4879
4880 <table> is an optional stickiness table name. If unspecified, the same
4881 backend's table is used. A stickiness table is declared using
4882 the "stick-table" statement.
4883
4884 <cond> is an optional matching condition. It makes it possible to match
4885 on a certain criterion only when other conditions are met (or
4886 not met). For instance, it could be used to match on a source IP
4887 address except when a request passes through a known proxy, in
4888 which case we'd match on a header containing that IP address.
4889
4890 Some protocols or applications require complex stickiness rules and cannot
4891 always simply rely on cookies nor hashing. The "stick match" statement
4892 describes a rule to extract the stickiness criterion from an incoming request
4893 or connection. See section 7 for a complete list of possible patterns and
4894 transformation rules.
4895
4896 The table has to be declared using the "stick-table" statement. It must be of
4897 a type compatible with the pattern. By default it is the one which is present
4898 in the same backend. It is possible to share a table with other backends by
4899 referencing it using the "table" keyword. If another table is referenced,
4900 the server's ID inside the backends are used. By default, all server IDs
4901 start at 1 in each backend, so the server ordering is enough. But in case of
4902 doubt, it is highly recommended to force server IDs using their "id" setting.
4903
4904 It is possible to restrict the conditions where a "stick match" statement
4905 will apply, using "if" or "unless" followed by a condition. See section 7 for
4906 ACL based conditions.
4907
4908 There is no limit on the number of "stick match" statements. The first that
4909 applies and matches will cause the request to be directed to the same server
4910 as was used for the request which created the entry. That way, multiple
4911 matches can be used as fallbacks.
4912
4913 The stick rules are checked after the persistence cookies, so they will not
4914 affect stickiness if a cookie has already been used to select a server. That
4915 way, it becomes very easy to insert cookies and match on IP addresses in
4916 order to maintain stickiness between HTTP and HTTPS.
4917
4918 Example :
4919 # forward SMTP users to the same server they just used for POP in the
4920 # last 30 minutes
4921 backend pop
4922 mode tcp
4923 balance roundrobin
4924 stick store-request src
4925 stick-table type ip size 200k expire 30m
4926 server s1 192.168.1.1:110
4927 server s2 192.168.1.1:110
4928
4929 backend smtp
4930 mode tcp
4931 balance roundrobin
4932 stick match src table pop
4933 server s1 192.168.1.1:25
4934 server s2 192.168.1.1:25
4935
4936 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
4937 extraction.
4938
4939
4940stick on <pattern> [table <table>] [{if | unless} <condition>]
4941 Define a request pattern to associate a user to a server
4942 May be used in sections : defaults | frontend | listen | backend
4943 no | no | yes | yes
4944
4945 Note : This form is exactly equivalent to "stick match" followed by
4946 "stick store-request", all with the same arguments. Please refer
4947 to both keywords for details. It is only provided as a convenience
4948 for writing more maintainable configurations.
4949
4950 Examples :
4951 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01004952 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004953
4954 # ...is strictly equivalent to this one :
4955 stick match src table pop if !localhost
4956 stick store-request src table pop if !localhost
4957
4958
4959 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
4960 # well as HTTP without cookie. Share the same table between both accesses.
4961 backend http
4962 mode http
4963 balance roundrobin
4964 stick on src table https
4965 cookie SRV insert indirect nocache
4966 server s1 192.168.1.1:80 cookie s1
4967 server s2 192.168.1.1:80 cookie s2
4968
4969 backend https
4970 mode tcp
4971 balance roundrobin
4972 stick-table type ip size 200k expire 30m
4973 stick on src
4974 server s1 192.168.1.1:443
4975 server s2 192.168.1.1:443
4976
4977 See also : "stick match" and "stick store-request"
4978
4979
4980stick store-request <pattern> [table <table>] [{if | unless} <condition>]
4981 Define a request pattern used to create an entry in a stickiness table
4982 May be used in sections : defaults | frontend | listen | backend
4983 no | no | yes | yes
4984
4985 Arguments :
4986 <pattern> is a pattern extraction rule as described in section 7.8. It
4987 describes what elements of the incoming request or connection
4988 will be analysed, extracted and stored in the table once a
4989 server is selected.
4990
4991 <table> is an optional stickiness table name. If unspecified, the same
4992 backend's table is used. A stickiness table is declared using
4993 the "stick-table" statement.
4994
4995 <cond> is an optional storage condition. It makes it possible to store
4996 certain criteria only when some conditions are met (or not met).
4997 For instance, it could be used to store the source IP address
4998 except when the request passes through a known proxy, in which
4999 case we'd store a converted form of a header containing that IP
5000 address.
5001
5002 Some protocols or applications require complex stickiness rules and cannot
5003 always simply rely on cookies nor hashing. The "stick store-request" statement
5004 describes a rule to decide what to extract from the request and when to do
5005 it, in order to store it into a stickiness table for further requests to
5006 match it using the "stick match" statement. Obviously the extracted part must
5007 make sense and have a chance to be matched in a further request. Storing a
5008 client's IP address for instance often makes sense. Storing an ID found in a
5009 URL parameter also makes sense. Storing a source port will almost never make
5010 any sense because it will be randomly matched. See section 7 for a complete
5011 list of possible patterns and transformation rules.
5012
5013 The table has to be declared using the "stick-table" statement. It must be of
5014 a type compatible with the pattern. By default it is the one which is present
5015 in the same backend. It is possible to share a table with other backends by
5016 referencing it using the "table" keyword. If another table is referenced,
5017 the server's ID inside the backends are used. By default, all server IDs
5018 start at 1 in each backend, so the server ordering is enough. But in case of
5019 doubt, it is highly recommended to force server IDs using their "id" setting.
5020
5021 It is possible to restrict the conditions where a "stick store-request"
5022 statement will apply, using "if" or "unless" followed by a condition. This
5023 condition will be evaluated while parsing the request, so any criteria can be
5024 used. See section 7 for ACL based conditions.
5025
5026 There is no limit on the number of "stick store-request" statements, but
5027 there is a limit of 8 simultaneous stores per request or response. This
5028 makes it possible to store up to 8 criteria, all extracted from either the
5029 request or the response, regardless of the number of rules. Only the 8 first
5030 ones which match will be kept. Using this, it is possible to feed multiple
5031 tables at once in the hope to increase the chance to recognize a user on
5032 another protocol or access method.
5033
5034 The "store-request" rules are evaluated once the server connection has been
5035 established, so that the table will contain the real server that processed
5036 the request.
5037
5038 Example :
5039 # forward SMTP users to the same server they just used for POP in the
5040 # last 30 minutes
5041 backend pop
5042 mode tcp
5043 balance roundrobin
5044 stick store-request src
5045 stick-table type ip size 200k expire 30m
5046 server s1 192.168.1.1:110
5047 server s2 192.168.1.1:110
5048
5049 backend smtp
5050 mode tcp
5051 balance roundrobin
5052 stick match src table pop
5053 server s1 192.168.1.1:25
5054 server s2 192.168.1.1:25
5055
5056 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5057 extraction.
5058
5059
5060stick-table type {ip | integer | string [len <length>] } size <size>
Willy Tarreau08d5f982010-06-06 13:34:54 +02005061 [expire <expire>] [nopurge] [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005062 Configure the stickiness table for the current backend
5063 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005064 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005065
5066 Arguments :
5067 ip a table declared with "type ip" will only store IPv4 addresses.
5068 This form is very compact (about 50 bytes per entry) and allows
5069 very fast entry lookup and stores with almost no overhead. This
5070 is mainly used to store client source IP addresses.
5071
5072 integer a table declared with "type integer" will store 32bit integers
5073 which can represent a client identifier found in a request for
5074 instance.
5075
5076 string a table declared with "type string" will store substrings of up
5077 to <len> characters. If the string provided by the pattern
5078 extractor is larger than <len>, it will be truncated before
5079 being stored. During matching, at most <len> characters will be
5080 compared between the string in the table and the extracted
5081 pattern. When not specified, the string is automatically limited
5082 to 31 characters.
5083
5084 <length> is the maximum number of characters that will be stored in a
5085 "string" type table. See type "string" above. Be careful when
5086 changing this parameter as memory usage will proportionally
5087 increase.
5088
5089 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005090 value directly impacts memory usage. Count approximately
5091 50 bytes per entry, plus the size of a string if any. The size
5092 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005093
5094 [nopurge] indicates that we refuse to purge older entries when the table
5095 is full. When not specified and the table is full when haproxy
5096 wants to store an entry in it, it will flush a few of the oldest
5097 entries in order to release some space for the new ones. This is
5098 most often the desired behaviour. In some specific cases, it
5099 be desirable to refuse new entries instead of purging the older
5100 ones. That may be the case when the amount of data to store is
5101 far above the hardware limits and we prefer not to offer access
5102 to new clients than to reject the ones already connected. When
5103 using this parameter, be sure to properly set the "expire"
5104 parameter (see below).
5105
5106 <expire> defines the maximum duration of an entry in the table since it
5107 was last created, refreshed or matched. The expiration delay is
5108 defined using the standard time format, similarly as the various
5109 timeouts. The maximum duration is slightly above 24 days. See
5110 section 2.2 for more information. If this delay is not specified,
5111 the session won't automatically expire, but older entries will
5112 be removed once full. Be sure not to use the "nopurge" parameter
5113 if not expiration delay is specified.
5114
Willy Tarreau08d5f982010-06-06 13:34:54 +02005115 <data_type> is used to store additional information in the stick-table. This
5116 may be used by ACLs in order to control various criteria related
5117 to the activity of the client matching the stick-table. For each
5118 item specified here, the size of each entry will be inflated so
Willy Tarreau8fb12c42010-06-18 20:16:39 +02005119 that the additional data can fit. At the moment, only "conn_cnt"
Willy Tarreau69b870f2010-06-06 14:30:13 +02005120 is supported, which can be used to store and retrieve the total
Willy Tarreau13c29de2010-06-06 16:40:39 +02005121 number of connections matching the entry since it was created. A
5122 "server_id" type is also supported but it's only for internal
5123 use for stick and store directives.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005124
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005125 There is only one stick-table per proxy. At the moment of writing this doc,
5126 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005127 to be required, simply create a dummy backend with a stick-table in it and
5128 reference it.
5129
5130 It is important to understand that stickiness based on learning information
5131 has some limitations, including the fact that all learned associations are
5132 lost upon restart. In general it can be good as a complement but not always
5133 as an exclusive stickiness.
5134
5135 See also : "stick match", "stick on", "stick store-request", and section 2.2
5136 about time format.
5137
5138
Willy Tarreau1a687942010-05-23 22:40:30 +02005139tcp-request accept [{if | unless} <condition>]
5140 Accept an incoming connection if/unless a layer 4 condition is matched
5141 May be used in sections : defaults | frontend | listen | backend
5142 no | yes | yes | no
5143
5144 Immediately after acceptance of a new incoming connection, it is possible to
5145 evaluate some conditions to decide whether this connection must be accepted
5146 or dropped. Those conditions cannot make use of any data contents because the
5147 connection has not been read from yet, and the buffers are not yet allocated.
5148 This can be used to selectively and very quickly accept or drop connections
5149 from various sources with a very low overhead. If some contents need to be
5150 inspected in order to take the decision, the "tcp-request content" statements
5151 must be used instead.
5152
5153 This statement accepts the connection if the condition is true (when used
5154 with "if") or false (when used with "unless"). It is important to understand
5155 that "accept" and "reject" rules are evaluated in their exact declaration
5156 order, so that it is possible to build complex rules from them. There is no
5157 specific limit to the number of rules which may be inserted.
5158
5159 Note that the "if/unless" condition is optional. If no condition is set on
5160 the action, it is simply performed unconditionally.
5161
5162 If no "tcp-request" rules are matched, the default action is to accept the
5163 connection, which implies that the "tcp-request accept" statement will only
5164 make sense when combined with another "tcp-request reject" statement.
5165
5166 See section 7 about ACL usage.
5167
5168 See also : "tcp-request reject" and "tcp-request content"
5169
5170
Willy Tarreau62644772008-07-16 18:36:06 +02005171tcp-request content accept [{if | unless} <condition>]
5172 Accept a connection if/unless a content inspection condition is matched
5173 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005174 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02005175
5176 During TCP content inspection, the connection is immediately validated if the
5177 condition is true (when used with "if") or false (when used with "unless").
Willy Tarreaufb356202010-08-03 14:02:05 +02005178 TCP content inspection applies very early when a connection reaches a
5179 frontend, then very early when the connection is forwarded to a backend.
Willy Tarreau62644772008-07-16 18:36:06 +02005180 Most of the time during content inspection, a condition will be in an
5181 uncertain state which is neither true nor false. The evaluation immediately
5182 stops when such a condition is encountered. It is important to understand
5183 that "accept" and "reject" rules are evaluated in their exact declaration
5184 order, so that it is possible to build complex rules from them. There is no
5185 specific limit to the number of rules which may be inserted.
5186
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005187 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreau62644772008-07-16 18:36:06 +02005188 the action, it is simply performed unconditionally.
5189
5190 If no "tcp-request content" rules are matched, the default action already is
5191 "accept". Thus, this statement alone does not bring anything without another
5192 "reject" statement.
5193
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005194 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02005195
Willy Tarreau55165fe2009-05-10 12:02:55 +02005196 See also : "tcp-request content reject", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02005197
5198
5199tcp-request content reject [{if | unless} <condition>]
5200 Reject a connection if/unless a content inspection condition is matched
5201 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005202 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02005203
5204 During TCP content inspection, the connection is immediately rejected if the
5205 condition is true (when used with "if") or false (when used with "unless").
Willy Tarreaufb356202010-08-03 14:02:05 +02005206 TCP content inspection applies very early when a connection reaches a
5207 frontend, then very early when the connection is forwarded to a backend.
Willy Tarreau62644772008-07-16 18:36:06 +02005208 Most of the time during content inspection, a condition will be in an
5209 uncertain state which is neither true nor false. The evaluation immediately
5210 stops when such a condition is encountered. It is important to understand
5211 that "accept" and "reject" rules are evaluated in their exact declaration
5212 order, so that it is possible to build complex rules from them. There is no
5213 specific limit to the number of rules which may be inserted.
5214
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005215 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreau62644772008-07-16 18:36:06 +02005216 the action, it is simply performed unconditionally.
5217
5218 If no "tcp-request content" rules are matched, the default action is set to
5219 "accept".
5220
5221 Example:
5222 # reject SMTP connection if client speaks first
5223 tcp-request inspect-delay 30s
5224 acl content_present req_len gt 0
5225 tcp-request reject if content_present
5226
5227 # Forward HTTPS connection only if client speaks
5228 tcp-request inspect-delay 30s
5229 acl content_present req_len gt 0
5230 tcp-request accept if content_present
5231 tcp-request reject
5232
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005233 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02005234
Willy Tarreau55165fe2009-05-10 12:02:55 +02005235 See also : "tcp-request content accept", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02005236
5237
5238tcp-request inspect-delay <timeout>
5239 Set the maximum allowed time to wait for data during content inspection
5240 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005241 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02005242 Arguments :
5243 <timeout> is the timeout value specified in milliseconds by default, but
5244 can be in any other unit if the number is suffixed by the unit,
5245 as explained at the top of this document.
5246
5247 People using haproxy primarily as a TCP relay are often worried about the
5248 risk of passing any type of protocol to a server without any analysis. In
5249 order to be able to analyze the request contents, we must first withhold
5250 the data then analyze them. This statement simply enables withholding of
5251 data for at most the specified amount of time.
5252
Willy Tarreaufb356202010-08-03 14:02:05 +02005253 TCP content inspection applies very early when a connection reaches a
5254 frontend, then very early when the connection is forwarded to a backend. This
5255 means that a connection may experience a first delay in the frontend and a
5256 second delay in the backend if both have tcp-request rules.
5257
Willy Tarreau62644772008-07-16 18:36:06 +02005258 Note that when performing content inspection, haproxy will evaluate the whole
5259 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005260 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02005261 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01005262 contents are definitive. If no delay is set, haproxy will not wait at all
5263 and will immediately apply a verdict based on the available information.
5264 Obviously this is unlikely to be very useful and might even be racy, so such
5265 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02005266
5267 As soon as a rule matches, the request is released and continues as usual. If
5268 the timeout is reached and no rule matches, the default policy will be to let
5269 it pass through unaffected.
5270
5271 For most protocols, it is enough to set it to a few seconds, as most clients
5272 send the full request immediately upon connection. Add 3 or more seconds to
5273 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01005274 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02005275 before the server (eg: SMTP), or to wait for a client to talk before passing
5276 data to the server (eg: SSL). Note that the client timeout must cover at
5277 least the inspection delay, otherwise it will expire first.
5278
Willy Tarreau55165fe2009-05-10 12:02:55 +02005279 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02005280 "timeout client".
5281
5282
Willy Tarreau1a687942010-05-23 22:40:30 +02005283tcp-request reject [{if | unless} <condition>]
5284 Reject an incoming connection if/unless a layer 4 condition is matched
5285 May be used in sections : defaults | frontend | listen | backend
5286 no | yes | yes | no
5287
5288 Immediately after acceptance of a new incoming connection, it is possible to
5289 evaluate some conditions to decide whether this connection must be accepted
5290 or dropped. Those conditions cannot make use of any data contents because the
5291 connection has not been read from yet, and the buffers are not yet allocated.
5292 This can be used to selectively and very quickly accept or drop connections
5293 from various sources with a very low overhead. If some contents need to be
5294 inspected in order to take the decision, the "tcp-request content" statements
5295 must be used instead.
5296
5297 This statement rejects the connection if the condition is true (when used
5298 with "if") or false (when used with "unless"). It is important to understand
5299 that "accept" and "reject" rules are evaluated in their exact declaration
5300 order, so that it is possible to build complex rules from them. There is no
5301 specific limit to the number of rules which may be inserted.
5302
5303 Note that the "if/unless" condition is optional. If no condition is set on
5304 the action, it is simply performed unconditionally.
5305
5306 If no "tcp-request" rules are matched, the default action is to accept the
5307 connection, which implies that the "tcp-request accept" statement will only
5308 make sense when combined with another "tcp-request reject" statement.
5309
Willy Tarreau2799e982010-06-05 15:43:21 +02005310 Rejected connections do not even become a session, which is why they are
5311 accounted separately for in the stats, as "denied connections". They are not
5312 considered for the session rate-limit and are not logged either. The reason
5313 is that these rules should only be used to filter extremely high connection
Willy Tarreau1a687942010-05-23 22:40:30 +02005314 rates such as the ones encountered during a massive DDoS attack. Under these
5315 conditions, the simple action of logging each event would make the system
5316 collapse and would considerably lower the filtering capacity. If logging is
5317 absolutely desired, then "tcp-request content" rules should be used instead.
5318
5319 See section 7 about ACL usage.
5320
5321 See also : "tcp-request accept" and "tcp-request content"
5322
5323
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005324timeout check <timeout>
5325 Set additional check timeout, but only after a connection has been already
5326 established.
5327
5328 May be used in sections: defaults | frontend | listen | backend
5329 yes | no | yes | yes
5330 Arguments:
5331 <timeout> is the timeout value specified in milliseconds by default, but
5332 can be in any other unit if the number is suffixed by the unit,
5333 as explained at the top of this document.
5334
5335 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
5336 for check and "timeout check" as an additional read timeout. The "min" is
5337 used so that people running with *very* long "timeout connect" (eg. those
5338 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01005339 (Please also note that there is no valid reason to have such long connect
5340 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
5341 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005342
5343 If "timeout check" is not set haproxy uses "inter" for complete check
5344 timeout (connect + read) exactly like all <1.3.15 version.
5345
5346 In most cases check request is much simpler and faster to handle than normal
5347 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01005348 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005349
5350 This parameter is specific to backends, but can be specified once for all in
5351 "defaults" sections. This is in fact one of the easiest solutions not to
5352 forget about it.
5353
Willy Tarreau41a340d2008-01-22 12:25:31 +01005354 See also: "timeout connect", "timeout queue", "timeout server",
5355 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005356
5357
Willy Tarreau0ba27502007-12-24 16:55:16 +01005358timeout client <timeout>
5359timeout clitimeout <timeout> (deprecated)
5360 Set the maximum inactivity time on the client side.
5361 May be used in sections : defaults | frontend | listen | backend
5362 yes | yes | yes | no
5363 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005364 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005365 can be in any other unit if the number is suffixed by the unit,
5366 as explained at the top of this document.
5367
5368 The inactivity timeout applies when the client is expected to acknowledge or
5369 send data. In HTTP mode, this timeout is particularly important to consider
5370 during the first phase, when the client sends the request, and during the
5371 response while it is reading data sent by the server. The value is specified
5372 in milliseconds by default, but can be in any other unit if the number is
5373 suffixed by the unit, as specified at the top of this document. In TCP mode
5374 (and to a lesser extent, in HTTP mode), it is highly recommended that the
5375 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005376 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01005377 losses by specifying timeouts that are slightly above multiples of 3 seconds
5378 (eg: 4 or 5 seconds).
5379
5380 This parameter is specific to frontends, but can be specified once for all in
5381 "defaults" sections. This is in fact one of the easiest solutions not to
5382 forget about it. An unspecified timeout results in an infinite timeout, which
5383 is not recommended. Such a usage is accepted and works but reports a warning
5384 during startup because it may results in accumulation of expired sessions in
5385 the system if the system's timeouts are not configured either.
5386
5387 This parameter replaces the old, deprecated "clitimeout". It is recommended
5388 to use it to write new configurations. The form "timeout clitimeout" is
5389 provided only by backwards compatibility but its use is strongly discouraged.
5390
5391 See also : "clitimeout", "timeout server".
5392
5393
5394timeout connect <timeout>
5395timeout contimeout <timeout> (deprecated)
5396 Set the maximum time to wait for a connection attempt to a server to succeed.
5397 May be used in sections : defaults | frontend | listen | backend
5398 yes | no | yes | yes
5399 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005400 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005401 can be in any other unit if the number is suffixed by the unit,
5402 as explained at the top of this document.
5403
5404 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005405 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01005406 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01005407 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005408 connect timeout also presets both queue and tarpit timeouts to the same value
5409 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005410
5411 This parameter is specific to backends, but can be specified once for all in
5412 "defaults" sections. This is in fact one of the easiest solutions not to
5413 forget about it. An unspecified timeout results in an infinite timeout, which
5414 is not recommended. Such a usage is accepted and works but reports a warning
5415 during startup because it may results in accumulation of failed sessions in
5416 the system if the system's timeouts are not configured either.
5417
5418 This parameter replaces the old, deprecated "contimeout". It is recommended
5419 to use it to write new configurations. The form "timeout contimeout" is
5420 provided only by backwards compatibility but its use is strongly discouraged.
5421
Willy Tarreau41a340d2008-01-22 12:25:31 +01005422 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
5423 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01005424
5425
Willy Tarreaub16a5742010-01-10 14:46:16 +01005426timeout http-keep-alive <timeout>
5427 Set the maximum allowed time to wait for a new HTTP request to appear
5428 May be used in sections : defaults | frontend | listen | backend
5429 yes | yes | yes | yes
5430 Arguments :
5431 <timeout> is the timeout value specified in milliseconds by default, but
5432 can be in any other unit if the number is suffixed by the unit,
5433 as explained at the top of this document.
5434
5435 By default, the time to wait for a new request in case of keep-alive is set
5436 by "timeout http-request". However this is not always convenient because some
5437 people want very short keep-alive timeouts in order to release connections
5438 faster, and others prefer to have larger ones but still have short timeouts
5439 once the request has started to present itself.
5440
5441 The "http-keep-alive" timeout covers these needs. It will define how long to
5442 wait for a new HTTP request to start coming after a response was sent. Once
5443 the first byte of request has been seen, the "http-request" timeout is used
5444 to wait for the complete request to come. Note that empty lines prior to a
5445 new request do not refresh the timeout and are not counted as a new request.
5446
5447 There is also another difference between the two timeouts : when a connection
5448 expires during timeout http-keep-alive, no error is returned, the connection
5449 just closes. If the connection expires in "http-request" while waiting for a
5450 connection to complete, a HTTP 408 error is returned.
5451
5452 In general it is optimal to set this value to a few tens to hundreds of
5453 milliseconds, to allow users to fetch all objects of a page at once but
5454 without waiting for further clicks. Also, if set to a very small value (eg:
5455 1 millisecond) it will probably only accept pipelined requests but not the
5456 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02005457 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01005458
5459 If this parameter is not set, the "http-request" timeout applies, and if both
5460 are not set, "timeout client" still applies at the lower level. It should be
5461 set in the frontend to take effect, unless the frontend is in TCP mode, in
5462 which case the HTTP backend's timeout will be used.
5463
5464 See also : "timeout http-request", "timeout client".
5465
5466
Willy Tarreau036fae02008-01-06 13:24:40 +01005467timeout http-request <timeout>
5468 Set the maximum allowed time to wait for a complete HTTP request
5469 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005470 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01005471 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005472 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01005473 can be in any other unit if the number is suffixed by the unit,
5474 as explained at the top of this document.
5475
5476 In order to offer DoS protection, it may be required to lower the maximum
5477 accepted time to receive a complete HTTP request without affecting the client
5478 timeout. This helps protecting against established connections on which
5479 nothing is sent. The client timeout cannot offer a good protection against
5480 this abuse because it is an inactivity timeout, which means that if the
5481 attacker sends one character every now and then, the timeout will not
5482 trigger. With the HTTP request timeout, no matter what speed the client
5483 types, the request will be aborted if it does not complete in time.
5484
5485 Note that this timeout only applies to the header part of the request, and
5486 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01005487 used anymore. It is used again on keep-alive connections to wait for a second
5488 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01005489
5490 Generally it is enough to set it to a few seconds, as most clients send the
5491 full request immediately upon connection. Add 3 or more seconds to cover TCP
5492 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
5493 generally work on local networks as long as there are no packet losses. This
5494 will prevent people from sending bare HTTP requests using telnet.
5495
5496 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005497 chunk of the incoming request. It should be set in the frontend to take
5498 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
5499 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01005500
Willy Tarreaub16a5742010-01-10 14:46:16 +01005501 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01005502
Willy Tarreau844e3c52008-01-11 16:28:18 +01005503
5504timeout queue <timeout>
5505 Set the maximum time to wait in the queue for a connection slot to be free
5506 May be used in sections : defaults | frontend | listen | backend
5507 yes | no | yes | yes
5508 Arguments :
5509 <timeout> is the timeout value specified in milliseconds by default, but
5510 can be in any other unit if the number is suffixed by the unit,
5511 as explained at the top of this document.
5512
5513 When a server's maxconn is reached, connections are left pending in a queue
5514 which may be server-specific or global to the backend. In order not to wait
5515 indefinitely, a timeout is applied to requests pending in the queue. If the
5516 timeout is reached, it is considered that the request will almost never be
5517 served, so it is dropped and a 503 error is returned to the client.
5518
5519 The "timeout queue" statement allows to fix the maximum time for a request to
5520 be left pending in a queue. If unspecified, the same value as the backend's
5521 connection timeout ("timeout connect") is used, for backwards compatibility
5522 with older versions with no "timeout queue" parameter.
5523
5524 See also : "timeout connect", "contimeout".
5525
5526
5527timeout server <timeout>
5528timeout srvtimeout <timeout> (deprecated)
5529 Set the maximum inactivity time on the server side.
5530 May be used in sections : defaults | frontend | listen | backend
5531 yes | no | yes | yes
5532 Arguments :
5533 <timeout> is the timeout value specified in milliseconds by default, but
5534 can be in any other unit if the number is suffixed by the unit,
5535 as explained at the top of this document.
5536
5537 The inactivity timeout applies when the server is expected to acknowledge or
5538 send data. In HTTP mode, this timeout is particularly important to consider
5539 during the first phase of the server's response, when it has to send the
5540 headers, as it directly represents the server's processing time for the
5541 request. To find out what value to put there, it's often good to start with
5542 what would be considered as unacceptable response times, then check the logs
5543 to observe the response time distribution, and adjust the value accordingly.
5544
5545 The value is specified in milliseconds by default, but can be in any other
5546 unit if the number is suffixed by the unit, as specified at the top of this
5547 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5548 recommended that the client timeout remains equal to the server timeout in
5549 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005550 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005551 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005552 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005553
5554 This parameter is specific to backends, but can be specified once for all in
5555 "defaults" sections. This is in fact one of the easiest solutions not to
5556 forget about it. An unspecified timeout results in an infinite timeout, which
5557 is not recommended. Such a usage is accepted and works but reports a warning
5558 during startup because it may results in accumulation of expired sessions in
5559 the system if the system's timeouts are not configured either.
5560
5561 This parameter replaces the old, deprecated "srvtimeout". It is recommended
5562 to use it to write new configurations. The form "timeout srvtimeout" is
5563 provided only by backwards compatibility but its use is strongly discouraged.
5564
5565 See also : "srvtimeout", "timeout client".
5566
5567
5568timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01005569 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01005570 May be used in sections : defaults | frontend | listen | backend
5571 yes | yes | yes | yes
5572 Arguments :
5573 <timeout> is the tarpit duration specified in milliseconds by default, but
5574 can be in any other unit if the number is suffixed by the unit,
5575 as explained at the top of this document.
5576
5577 When a connection is tarpitted using "reqtarpit", it is maintained open with
5578 no activity for a certain amount of time, then closed. "timeout tarpit"
5579 defines how long it will be maintained open.
5580
5581 The value is specified in milliseconds by default, but can be in any other
5582 unit if the number is suffixed by the unit, as specified at the top of this
5583 document. If unspecified, the same value as the backend's connection timeout
5584 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01005585 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005586
5587 See also : "timeout connect", "contimeout".
5588
5589
5590transparent (deprecated)
5591 Enable client-side transparent proxying
5592 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005593 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005594 Arguments : none
5595
5596 This keyword was introduced in order to provide layer 7 persistence to layer
5597 3 load balancers. The idea is to use the OS's ability to redirect an incoming
5598 connection for a remote address to a local process (here HAProxy), and let
5599 this process know what address was initially requested. When this option is
5600 used, sessions without cookies will be forwarded to the original destination
5601 IP address of the incoming request (which should match that of another
5602 equipment), while requests with cookies will still be forwarded to the
5603 appropriate server.
5604
5605 The "transparent" keyword is deprecated, use "option transparent" instead.
5606
5607 Note that contrary to a common belief, this option does NOT make HAProxy
5608 present the client's IP to the server when establishing the connection.
5609
Willy Tarreau844e3c52008-01-11 16:28:18 +01005610 See also: "option transparent"
5611
5612
5613use_backend <backend> if <condition>
5614use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005615 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005616 May be used in sections : defaults | frontend | listen | backend
5617 no | yes | yes | no
5618 Arguments :
5619 <backend> is the name of a valid backend or "listen" section.
5620
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005621 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005622
5623 When doing content-switching, connections arrive on a frontend and are then
5624 dispatched to various backends depending on a number of conditions. The
5625 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005626 "use_backend" keyword. While it is normally used with HTTP processing, it can
5627 also be used in pure TCP, either without content using stateless ACLs (eg:
5628 source address validation) or combined with a "tcp-request" rule to wait for
5629 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005630
5631 There may be as many "use_backend" rules as desired. All of these rules are
5632 evaluated in their declaration order, and the first one which matches will
5633 assign the backend.
5634
5635 In the first form, the backend will be used if the condition is met. In the
5636 second form, the backend will be used if the condition is not met. If no
5637 condition is valid, the backend defined with "default_backend" will be used.
5638 If no default backend is defined, either the servers in the same section are
5639 used (in case of a "listen" section) or, in case of a frontend, no server is
5640 used and a 503 service unavailable response is returned.
5641
Willy Tarreau51aecc72009-07-12 09:47:04 +02005642 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005643 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02005644 and backend processing will immediately follow, or the backend will wait for
5645 a complete HTTP request to get in. This feature is useful when a frontend
5646 must decode several protocols on a unique port, one of them being HTTP.
5647
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005648 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005649
Willy Tarreau036fae02008-01-06 13:24:40 +01005650
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010056515. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01005652------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005653
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005654The "server" and "default-server" keywords support a certain number of settings
5655which are all passed as arguments on the server line. The order in which those
5656arguments appear does not count, and they are all optional. Some of those
5657settings are single words (booleans) while others expect one or several values
5658after them. In this case, the values must immediately follow the setting name.
5659Except default-server, all those settings must be specified after the server's
5660address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02005661
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005662 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005663 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02005664
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005665The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005666
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005667addr <ipv4>
5668 Using the "addr" parameter, it becomes possible to use a different IP address
5669 to send health-checks. On some servers, it may be desirable to dedicate an IP
5670 address to specific component able to perform complex tests which are more
5671 suitable to health-checks than the application. This parameter is ignored if
5672 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005673
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005674 Supported in default-server: No
5675
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005676backup
5677 When "backup" is present on a server line, the server is only used in load
5678 balancing when all other non-backup servers are unavailable. Requests coming
5679 with a persistence cookie referencing the server will always be served
5680 though. By default, only the first operational backup server is used, unless
5681 the "allbackups" option is set in the backend. See also the "allbackups"
5682 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005683
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005684 Supported in default-server: No
5685
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005686check
5687 This option enables health checks on the server. By default, a server is
5688 always considered available. If "check" is set, the server will receive
5689 periodic health checks to ensure that it is really able to serve requests.
5690 The default address and port to send the tests to are those of the server,
5691 and the default source is the same as the one defined in the backend. It is
5692 possible to change the address using the "addr" parameter, the port using the
5693 "port" parameter, the source address using the "source" address, and the
5694 interval and timers using the "inter", "rise" and "fall" parameters. The
5695 request method is define in the backend using the "httpchk", "smtpchk",
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005696 "mysql-check" and "ssl-hello-chk" options. Please refer to those options and
5697 parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005698
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005699 Supported in default-server: No
5700
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005701cookie <value>
5702 The "cookie" parameter sets the cookie value assigned to the server to
5703 <value>. This value will be checked in incoming requests, and the first
5704 operational server possessing the same value will be selected. In return, in
5705 cookie insertion or rewrite modes, this value will be assigned to the cookie
5706 sent to the client. There is nothing wrong in having several servers sharing
5707 the same cookie value, and it is in fact somewhat common between normal and
5708 backup servers. See also the "cookie" keyword in backend section.
5709
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005710 Supported in default-server: No
5711
Willy Tarreau96839092010-03-29 10:02:24 +02005712disabled
5713 The "disabled" keyword starts the server in the "disabled" state. That means
5714 that it is marked down in maintenance mode, and no connection other than the
5715 ones allowed by persist mode will reach it. It is very well suited to setup
5716 new servers, because normal traffic will never reach them, while it is still
5717 possible to test the service by making use of the force-persist mechanism.
5718
5719 Supported in default-server: No
5720
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005721error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01005722 If health observing is enabled, the "error-limit" parameter specifies the
5723 number of consecutive errors that triggers event selected by the "on-error"
5724 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005725
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005726 Supported in default-server: Yes
5727
5728 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005729
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005730fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005731 The "fall" parameter states that a server will be considered as dead after
5732 <count> consecutive unsuccessful health checks. This value defaults to 3 if
5733 unspecified. See also the "check", "inter" and "rise" parameters.
5734
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005735 Supported in default-server: Yes
5736
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005737id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02005738 Set a persistent ID for the server. This ID must be positive and unique for
5739 the proxy. An unused ID will automatically be assigned if unset. The first
5740 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005741
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005742 Supported in default-server: No
5743
5744inter <delay>
5745fastinter <delay>
5746downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005747 The "inter" parameter sets the interval between two consecutive health checks
5748 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
5749 It is also possible to use "fastinter" and "downinter" to optimize delays
5750 between checks depending on the server state :
5751
5752 Server state | Interval used
5753 ---------------------------------+-----------------------------------------
5754 UP 100% (non-transitional) | "inter"
5755 ---------------------------------+-----------------------------------------
5756 Transitionally UP (going down), |
5757 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
5758 or yet unchecked. |
5759 ---------------------------------+-----------------------------------------
5760 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
5761 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01005762
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005763 Just as with every other time-based parameter, they can be entered in any
5764 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
5765 serves as a timeout for health checks sent to servers if "timeout check" is
5766 not set. In order to reduce "resonance" effects when multiple servers are
5767 hosted on the same hardware, the health-checks of all servers are started
5768 with a small time offset between them. It is also possible to add some random
5769 noise in the health checks interval using the global "spread-checks"
5770 keyword. This makes sense for instance when a lot of backends use the same
5771 servers.
5772
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005773 Supported in default-server: Yes
5774
5775maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005776 The "maxconn" parameter specifies the maximal number of concurrent
5777 connections that will be sent to this server. If the number of incoming
5778 concurrent requests goes higher than this value, they will be queued, waiting
5779 for a connection to be released. This parameter is very important as it can
5780 save fragile servers from going down under extreme loads. If a "minconn"
5781 parameter is specified, the limit becomes dynamic. The default value is "0"
5782 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
5783 the backend's "fullconn" keyword.
5784
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005785 Supported in default-server: Yes
5786
5787maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005788 The "maxqueue" parameter specifies the maximal number of connections which
5789 will wait in the queue for this server. If this limit is reached, next
5790 requests will be redispatched to other servers instead of indefinitely
5791 waiting to be served. This will break persistence but may allow people to
5792 quickly re-log in when the server they try to connect to is dying. The
5793 default value is "0" which means the queue is unlimited. See also the
5794 "maxconn" and "minconn" parameters.
5795
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005796 Supported in default-server: Yes
5797
5798minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005799 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
5800 limit following the backend's load. The server will always accept at least
5801 <minconn> connections, never more than <maxconn>, and the limit will be on
5802 the ramp between both values when the backend has less than <fullconn>
5803 concurrent connections. This makes it possible to limit the load on the
5804 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005805 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005806 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005807
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005808 Supported in default-server: Yes
5809
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005810observe <mode>
5811 This option enables health adjusting based on observing communication with
5812 the server. By default this functionality is disabled and enabling it also
5813 requires to enable health checks. There are two supported modes: "layer4" and
5814 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
5815 significant. In layer7, which is only allowed for http proxies, responses
5816 received from server are verified, like valid/wrong http code, unparsable
5817 headers, a timeout, etc.
5818
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005819 Supported in default-server: No
5820
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005821 See also the "check", "on-error" and "error-limit".
5822
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005823on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005824 Select what should happen when enough consecutive errors are detected.
5825 Currently, four modes are available:
5826 - fastinter: force fastinter
5827 - fail-check: simulate a failed check, also forces fastinter (default)
5828 - sudden-death: simulate a pre-fatal failed health check, one more failed
5829 check will mark a server down, forces fastinter
5830 - mark-down: mark the server immediately down and force fastinter
5831
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005832 Supported in default-server: Yes
5833
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005834 See also the "check", "observe" and "error-limit".
5835
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005836port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005837 Using the "port" parameter, it becomes possible to use a different port to
5838 send health-checks. On some servers, it may be desirable to dedicate a port
5839 to a specific component able to perform complex tests which are more suitable
5840 to health-checks than the application. It is common to run a simple script in
5841 inetd for instance. This parameter is ignored if the "check" parameter is not
5842 set. See also the "addr" parameter.
5843
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005844 Supported in default-server: Yes
5845
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005846redir <prefix>
5847 The "redir" parameter enables the redirection mode for all GET and HEAD
5848 requests addressing this server. This means that instead of having HAProxy
5849 forward the request to the server, it will send an "HTTP 302" response with
5850 the "Location" header composed of this prefix immediately followed by the
5851 requested URI beginning at the leading '/' of the path component. That means
5852 that no trailing slash should be used after <prefix>. All invalid requests
5853 will be rejected, and all non-GET or HEAD requests will be normally served by
5854 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005855 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005856 requests are still analysed, making this solution completely usable to direct
5857 users to a remote location in case of local disaster. Main use consists in
5858 increasing bandwidth for static servers by having the clients directly
5859 connect to them. Note: never use a relative location here, it would cause a
5860 loop between the client and HAProxy!
5861
5862 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
5863
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005864 Supported in default-server: No
5865
5866rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005867 The "rise" parameter states that a server will be considered as operational
5868 after <count> consecutive successful health checks. This value defaults to 2
5869 if unspecified. See also the "check", "inter" and "fall" parameters.
5870
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005871 Supported in default-server: Yes
5872
5873slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005874 The "slowstart" parameter for a server accepts a value in milliseconds which
5875 indicates after how long a server which has just come back up will run at
5876 full speed. Just as with every other time-based parameter, it can be entered
5877 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
5878 linearly from 0 to 100% during this time. The limitation applies to two
5879 parameters :
5880
5881 - maxconn: the number of connections accepted by the server will grow from 1
5882 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
5883
5884 - weight: when the backend uses a dynamic weighted algorithm, the weight
5885 grows linearly from 1 to 100%. In this case, the weight is updated at every
5886 health-check. For this reason, it is important that the "inter" parameter
5887 is smaller than the "slowstart", in order to maximize the number of steps.
5888
5889 The slowstart never applies when haproxy starts, otherwise it would cause
5890 trouble to running servers. It only applies when a server has been previously
5891 seen as failed.
5892
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005893 Supported in default-server: Yes
5894
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005895source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02005896source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005897source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005898 The "source" parameter sets the source address which will be used when
5899 connecting to the server. It follows the exact same parameters and principle
5900 as the backend "source" keyword, except that it only applies to the server
5901 referencing it. Please consult the "source" keyword for details.
5902
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005903 Additionally, the "source" statement on a server line allows one to specify a
5904 source port range by indicating the lower and higher bounds delimited by a
5905 dash ('-'). Some operating systems might require a valid IP address when a
5906 source port range is specified. It is permitted to have the same IP/range for
5907 several servers. Doing so makes it possible to bypass the maximum of 64k
5908 total concurrent connections. The limit will then reach 64k connections per
5909 server.
5910
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005911 Supported in default-server: No
5912
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005913track [<proxy>/]<server>
5914 This option enables ability to set the current state of the server by
5915 tracking another one. Only a server with checks enabled can be tracked
5916 so it is not possible for example to track a server that tracks another
5917 one. If <proxy> is omitted the current one is used. If disable-on-404 is
5918 used, it has to be enabled on both proxies.
5919
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005920 Supported in default-server: No
5921
5922weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005923 The "weight" parameter is used to adjust the server's weight relative to
5924 other servers. All servers will receive a load proportional to their weight
5925 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02005926 load. The default weight is 1, and the maximal value is 256. A value of 0
5927 means the server will not participate in load-balancing but will still accept
5928 persistent connections. If this parameter is used to distribute the load
5929 according to server's capacity, it is recommended to start with values which
5930 can both grow and shrink, for instance between 10 and 100 to leave enough
5931 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005932
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005933 Supported in default-server: Yes
5934
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005935
59366. HTTP header manipulation
5937---------------------------
5938
5939In HTTP mode, it is possible to rewrite, add or delete some of the request and
5940response headers based on regular expressions. It is also possible to block a
5941request or a response if a particular header matches a regular expression,
5942which is enough to stop most elementary protocol attacks, and to protect
5943against information leak from the internal network. But there is a limitation
5944to this : since HAProxy's HTTP engine does not support keep-alive, only headers
5945passed during the first request of a TCP session will be seen. All subsequent
5946headers will be considered data only and not analyzed. Furthermore, HAProxy
5947never touches data contents, it stops analysis at the end of headers.
5948
Willy Tarreau816b9792009-09-15 21:25:21 +02005949There is an exception though. If HAProxy encounters an "Informational Response"
5950(status code 1xx), it is able to process all rsp* rules which can allow, deny,
5951rewrite or delete a header, but it will refuse to add a header to any such
5952messages as this is not HTTP-compliant. The reason for still processing headers
5953in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005954happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02005955add a header, or if a server name appears there. When such messages are seen,
5956normal processing still occurs on the next non-informational messages.
5957
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005958This section covers common usage of the following keywords, described in detail
5959in section 4.2 :
5960
5961 - reqadd <string>
5962 - reqallow <search>
5963 - reqiallow <search>
5964 - reqdel <search>
5965 - reqidel <search>
5966 - reqdeny <search>
5967 - reqideny <search>
5968 - reqpass <search>
5969 - reqipass <search>
5970 - reqrep <search> <replace>
5971 - reqirep <search> <replace>
5972 - reqtarpit <search>
5973 - reqitarpit <search>
5974 - rspadd <string>
5975 - rspdel <search>
5976 - rspidel <search>
5977 - rspdeny <search>
5978 - rspideny <search>
5979 - rsprep <search> <replace>
5980 - rspirep <search> <replace>
5981
5982With all these keywords, the same conventions are used. The <search> parameter
5983is a POSIX extended regular expression (regex) which supports grouping through
5984parenthesis (without the backslash). Spaces and other delimiters must be
5985prefixed with a backslash ('\') to avoid confusion with a field delimiter.
5986Other characters may be prefixed with a backslash to change their meaning :
5987
5988 \t for a tab
5989 \r for a carriage return (CR)
5990 \n for a new line (LF)
5991 \ to mark a space and differentiate it from a delimiter
5992 \# to mark a sharp and differentiate it from a comment
5993 \\ to use a backslash in a regex
5994 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
5995 \xXX to write the ASCII hex code XX as in the C language
5996
5997The <replace> parameter contains the string to be used to replace the largest
5998portion of text matching the regex. It can make use of the special characters
5999above, and can reference a substring which is delimited by parenthesis in the
6000regex, by writing a backslash ('\') immediately followed by one digit from 0 to
60019 indicating the group position (0 designating the entire line). This practice
6002is very common to users of the "sed" program.
6003
6004The <string> parameter represents the string which will systematically be added
6005after the last header line. It can also use special character sequences above.
6006
6007Notes related to these keywords :
6008---------------------------------
6009 - these keywords are not always convenient to allow/deny based on header
6010 contents. It is strongly recommended to use ACLs with the "block" keyword
6011 instead, resulting in far more flexible and manageable rules.
6012
6013 - lines are always considered as a whole. It is not possible to reference
6014 a header name only or a value only. This is important because of the way
6015 headers are written (notably the number of spaces after the colon).
6016
6017 - the first line is always considered as a header, which makes it possible to
6018 rewrite or filter HTTP requests URIs or response codes, but in turn makes
6019 it harder to distinguish between headers and request line. The regex prefix
6020 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
6021 ^[^ \t:]*: matches any header name followed by a colon.
6022
6023 - for performances reasons, the number of characters added to a request or to
6024 a response is limited at build time to values between 1 and 4 kB. This
6025 should normally be far more than enough for most usages. If it is too short
6026 on occasional usages, it is possible to gain some space by removing some
6027 useless headers before adding new ones.
6028
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006029 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006030 without the 'i' letter except that they ignore case when matching patterns.
6031
6032 - when a request passes through a frontend then a backend, all req* rules
6033 from the frontend will be evaluated, then all req* rules from the backend
6034 will be evaluated. The reverse path is applied to responses.
6035
6036 - req* statements are applied after "block" statements, so that "block" is
6037 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01006038 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006039
6040
Willy Tarreaub937b7e2010-01-12 15:27:54 +010060417. Using ACLs and pattern extraction
6042------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006043
6044The use of Access Control Lists (ACL) provides a flexible solution to perform
6045content switching and generally to take decisions based on content extracted
6046from the request, the response or any environmental status. The principle is
6047simple :
6048
6049 - define test criteria with sets of values
6050 - perform actions only if a set of tests is valid
6051
6052The actions generally consist in blocking the request, or selecting a backend.
6053
6054In order to define a test, the "acl" keyword is used. The syntax is :
6055
6056 acl <aclname> <criterion> [flags] [operator] <value> ...
6057
6058This creates a new ACL <aclname> or completes an existing one with new tests.
6059Those tests apply to the portion of request/response specified in <criterion>
6060and may be adjusted with optional flags [flags]. Some criteria also support
6061an operator which may be specified before the set of values. The values are
6062of the type supported by the criterion, and are separated by spaces.
6063
6064ACL names must be formed from upper and lower case letters, digits, '-' (dash),
6065'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
6066which means that "my_acl" and "My_Acl" are two different ACLs.
6067
6068There is no enforced limit to the number of ACLs. The unused ones do not affect
6069performance, they just consume a small amount of memory.
6070
6071The following ACL flags are currently supported :
6072
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006073 -i : ignore case during matching of all subsequent patterns.
6074 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006075 -- : force end of flags. Useful when a string looks like one of the flags.
6076
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006077The "-f" flag is special as it loads all of the lines it finds in the file
6078specified in argument and loads all of them before continuing. It is even
6079possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02006080multiple files. Empty lines as well as lines beginning with a sharp ('#') will
6081be ignored. All leading spaces and tabs will be stripped. If it is absolutely
6082needed to insert a valid pattern beginning with a sharp, just prefix it with a
6083space so that it is not taken for a comment. Depending on the data type and
6084match method, haproxy may load the lines into a binary tree, allowing very fast
6085lookups. This is true for IPv4 and exact string matching. In this case,
6086duplicates will automatically be removed. Also, note that the "-i" flag applies
6087to subsequent entries and not to entries loaded from files preceeding it. For
6088instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006089
6090 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
6091
6092In this example, each line of "exact-ua.lst" will be exactly matched against
6093the "user-agent" header of the request. Then each line of "generic-ua" will be
6094case-insensitively matched. Then the word "test" will be insensitively matched
6095too.
6096
6097Note that right now it is difficult for the ACL parsers to report errors, so if
6098a file is unreadable or unparsable, the most you'll get is a parse error in the
6099ACL. Thus, file-based ACLs should only be produced by reliable processes.
6100
Willy Tarreau6a06a402007-07-15 20:15:28 +02006101Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01006102
Willy Tarreau6a06a402007-07-15 20:15:28 +02006103 - integers or integer ranges
6104 - strings
6105 - regular expressions
6106 - IP addresses and networks
6107
6108
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061097.1. Matching integers
6110----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006111
6112Matching integers is special in that ranges and operators are permitted. Note
6113that integer matching only applies to positive values. A range is a value
6114expressed with a lower and an upper bound separated with a colon, both of which
6115may be omitted.
6116
6117For instance, "1024:65535" is a valid range to represent a range of
6118unprivileged ports, and "1024:" would also work. "0:1023" is a valid
6119representation of privileged ports, and ":1023" would also work.
6120
Willy Tarreau62644772008-07-16 18:36:06 +02006121As a special case, some ACL functions support decimal numbers which are in fact
6122two integers separated by a dot. This is used with some version checks for
6123instance. All integer properties apply to those decimal numbers, including
6124ranges and operators.
6125
Willy Tarreau6a06a402007-07-15 20:15:28 +02006126For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01006127operators with ranges does not make much sense and is strongly discouraged.
6128Similarly, it does not make much sense to perform order comparisons with a set
6129of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006130
Willy Tarreau0ba27502007-12-24 16:55:16 +01006131Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006132
6133 eq : true if the tested value equals at least one value
6134 ge : true if the tested value is greater than or equal to at least one value
6135 gt : true if the tested value is greater than at least one value
6136 le : true if the tested value is less than or equal to at least one value
6137 lt : true if the tested value is less than at least one value
6138
Willy Tarreau0ba27502007-12-24 16:55:16 +01006139For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006140
6141 acl negative-length hdr_val(content-length) lt 0
6142
Willy Tarreau62644772008-07-16 18:36:06 +02006143This one matches SSL versions between 3.0 and 3.1 (inclusive) :
6144
6145 acl sslv3 req_ssl_ver 3:3.1
6146
Willy Tarreau6a06a402007-07-15 20:15:28 +02006147
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061487.2. Matching strings
6149---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006150
6151String matching applies to verbatim strings as they are passed, with the
6152exception of the backslash ("\") which makes it possible to escape some
6153characters such as the space. If the "-i" flag is passed before the first
6154string, then the matching will be performed ignoring the case. In order
6155to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01006156before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006157
6158
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061597.3. Matching regular expressions (regexes)
6160-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006161
6162Just like with string matching, regex matching applies to verbatim strings as
6163they are passed, with the exception of the backslash ("\") which makes it
6164possible to escape some characters such as the space. If the "-i" flag is
6165passed before the first regex, then the matching will be performed ignoring
6166the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01006167the "--" flag before the first string. Same principle applies of course to
6168match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006169
6170
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061717.4. Matching IPv4 addresses
6172----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006173
6174IPv4 addresses values can be specified either as plain addresses or with a
6175netmask appended, in which case the IPv4 address matches whenever it is
6176within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006177host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01006178difficult to read and debug configurations. If hostnames are used, you should
6179at least ensure that they are present in /etc/hosts so that the configuration
6180does not depend on any random DNS match at the moment the configuration is
6181parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006182
6183
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061847.5. Available matching criteria
6185--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006186
Willy Tarreauc57f0e22009-05-10 13:12:33 +020061877.5.1. Matching at Layer 4 and below
6188------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006189
6190A first set of criteria applies to information which does not require any
6191analysis of the request or response contents. Those generally include TCP/IP
6192addresses and ports, as well as internal values independant on the stream.
6193
Willy Tarreau6a06a402007-07-15 20:15:28 +02006194always_false
6195 This one never matches. All values and flags are ignored. It may be used as
6196 a temporary replacement for another one when adjusting configurations.
6197
6198always_true
6199 This one always matches. All values and flags are ignored. It may be used as
6200 a temporary replacement for another one when adjusting configurations.
6201
Willy Tarreaud63335a2010-02-26 12:56:52 +01006202avg_queue <integer>
6203avg_queue(frontend) <integer>
6204 Returns the total number of queued connections of the designated backend
6205 divided by the number of active servers. This is very similar to "queue"
6206 except that the size of the farm is considered, in order to give a more
6207 accurate measurement of the time it may take for a new connection to be
6208 processed. The main usage is to return a sorry page to new users when it
6209 becomes certain they will get a degraded service. Note that in the event
6210 there would not be any active server anymore, we would consider twice the
6211 number of queued connections as the measured value. This is a fair estimate,
6212 as we expect one server to get back soon anyway, but we still prefer to send
6213 new traffic to another backend if in better shape. See also the "queue",
6214 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01006215
Willy Tarreaua36af912009-10-10 12:02:45 +02006216be_conn <integer>
6217be_conn(frontend) <integer>
6218 Applies to the number of currently established connections on the backend,
6219 possibly including the connection being evaluated. If no backend name is
6220 specified, the current one is used. But it is also possible to check another
6221 backend. It can be used to use a specific farm when the nominal one is full.
6222 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006223
Willy Tarreaud63335a2010-02-26 12:56:52 +01006224be_sess_rate <integer>
6225be_sess_rate(backend) <integer>
6226 Returns true when the sessions creation rate on the backend matches the
6227 specified values or ranges, in number of new sessions per second. This is
6228 used to switch to an alternate backend when an expensive or fragile one
6229 reaches too high a session rate, or to limit abuse of service (eg. prevent
6230 sucking of an online dictionary).
6231
6232 Example :
6233 # Redirect to an error page if the dictionary is requested too often
6234 backend dynamic
6235 mode http
6236 acl being_scanned be_sess_rate gt 100
6237 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01006238
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006239connslots <integer>
6240connslots(backend) <integer>
6241 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02006242 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006243 usage; see "use_backend" keyword) can be redirected to a different backend.
6244
Willy Tarreau55165fe2009-05-10 12:02:55 +02006245 'connslots' = number of available server connection slots, + number of
6246 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006247
Willy Tarreaua36af912009-10-10 12:02:45 +02006248 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02006249 useful when you have a case of traffic going to one single ip, splitting into
6250 multiple backends (perhaps using acls to do name-based load balancing) and
6251 you want to be able to differentiate between different backends, and their
6252 available "connslots". Also, whereas "nbsrv" only measures servers that are
6253 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02006254 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006255
Willy Tarreau55165fe2009-05-10 12:02:55 +02006256 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
6257 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
6258 then this acl clearly does not make sense, in which case the value returned
6259 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006260
Willy Tarreaud63335a2010-02-26 12:56:52 +01006261dst <ip_address>
6262 Applies to the local IPv4 address the client connected to. It can be used to
6263 switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02006264
Willy Tarreaud63335a2010-02-26 12:56:52 +01006265dst_conn <integer>
6266 Applies to the number of currently established connections on the same socket
6267 including the one being evaluated. It can be used to either return a sorry
6268 page before hard-blocking, or to use a specific backend to drain new requests
6269 when the socket is considered saturated. This offers the ability to assign
6270 different limits to different listening ports or addresses. See also the
6271 "fe_conn" and "be_conn" criteria.
6272
6273dst_port <integer>
6274 Applies to the local port the client connected to. It can be used to switch
6275 to a different backend for some alternative ports.
6276
6277fe_conn <integer>
6278fe_conn(frontend) <integer>
6279 Applies to the number of currently established connections on the frontend,
6280 possibly including the connection being evaluated. If no frontend name is
6281 specified, the current one is used. But it is also possible to check another
6282 frontend. It can be used to either return a sorry page before hard-blocking,
6283 or to use a specific backend to drain new requests when the farm is
6284 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
6285 criteria.
6286
6287fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01006288 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01006289 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02006290
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006291fe_sess_rate <integer>
6292fe_sess_rate(frontend) <integer>
6293 Returns true when the session creation rate on the current or the named
6294 frontend matches the specified values or ranges, expressed in new sessions
6295 per second. This is used to limit the connection rate to acceptable ranges in
6296 order to prevent abuse of service at the earliest moment. This can be
6297 combined with layer 4 ACLs in order to force the clients to wait a bit for
6298 the rate to go down below the limit.
6299
6300 Example :
6301 # This frontend limits incoming mails to 10/s with a max of 100
6302 # concurrent connections. We accept any connection below 10/s, and
6303 # force excess clients to wait for 100 ms. Since clients are limited to
6304 # 100 max, there cannot be more than 10 incoming mails per second.
6305 frontend mail
6306 bind :25
6307 mode tcp
6308 maxconn 100
6309 acl too_fast fe_sess_rate ge 10
6310 tcp-request inspect-delay 100ms
6311 tcp-request content accept if ! too_fast
6312 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01006313
Willy Tarreaud63335a2010-02-26 12:56:52 +01006314nbsrv <integer>
6315nbsrv(backend) <integer>
6316 Returns true when the number of usable servers of either the current backend
6317 or the named backend matches the values or ranges specified. This is used to
6318 switch to an alternate backend when the number of servers is too low to
6319 to handle some load. It is useful to report a failure when combined with
6320 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006321
Willy Tarreaud63335a2010-02-26 12:56:52 +01006322queue <integer>
6323queue(frontend) <integer>
6324 Returns the total number of queued connections of the designated backend,
6325 including all the connections in server queues. If no backend name is
6326 specified, the current one is used, but it is also possible to check another
6327 one. This can be used to take actions when queuing goes above a known level,
6328 generally indicating a surge of traffic or a massive slowdown on the servers.
6329 One possible action could be to reject new users but still accept old ones.
6330 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
6331
6332so_id <integer>
6333 Applies to the socket's id. Useful in frontends with many bind keywords.
6334
6335src <ip_address>
6336 Applies to the client's IPv4 address. It is usually used to limit access to
6337 certain resources such as statistics. Note that it is the TCP-level source
6338 address which is used, and not the address of a client behind a proxy.
6339
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006340src_count <integer>
6341src_count(backend) <integer>
6342 Returns the number of occurrences of the source IPv4 address in the current
6343 backend's stick-table or in the designated stick-table. If the address is not
6344 found, zero is returned.
6345
Willy Tarreaud63335a2010-02-26 12:56:52 +01006346src_port <integer>
6347 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006348
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006349src_update_count <integer>
6350src_update_count(backend) <integer>
6351 Creates or updates the entry associated to the source IPv4 address in the
6352 current backend's stick-table or in the designated stick-table. This table
6353 must be configured to store the "conn_cum" data type, otherwise the match
6354 will be ignored. The current count is incremented by one, and the expiration
6355 timer refreshed. The updated count is returned, so this match can't return
6356 zero. This is used to reject service abusers based on their source address.
6357
6358 Example :
6359 # This frontend limits incoming SSH connections to 3 per 10 second for
6360 # each source address, and rejects excess connections until a 10 second
6361 # silence is observed. At most 20 addresses are tracked.
6362 listen ssh
6363 bind :22
6364 mode tcp
6365 maxconn 100
6366 stick-table type ip size 20 expire 10s store conn_cum
6367 tcp-request content reject if { src_update_count gt 3 }
6368 server local 127.0.0.1:22
6369
Willy Tarreau0b1cd942010-05-16 22:18:27 +02006370srv_is_up(<server>)
6371srv_is_up(<backend>/<server>)
6372 Returns true when the designated server is UP, and false when it is either
6373 DOWN or in maintenance mode. If <backend> is omitted, then the server is
6374 looked up in the current backend. The function takes no arguments since it
6375 is used as a boolean. It is mainly used to take action based on an external
6376 status reported via a health check (eg: a geographical site's availability).
6377 Another possible use which is more of a hack consists in using dummy servers
6378 as boolean variables that can be enabled or disabled from the CLI, so that
6379 rules depending on those ACLs can be tweaked in realtime.
6380
Willy Tarreau0ba27502007-12-24 16:55:16 +01006381
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063827.5.2. Matching contents at Layer 4
6383-----------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02006384
6385A second set of criteria depends on data found in buffers, but which can change
6386during analysis. This requires that some data has been buffered, for instance
6387through TCP request content inspection. Please see the "tcp-request" keyword
6388for more detailed information on the subject.
6389
6390req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02006391 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02006392 specified range. It is important to understand that this test does not
6393 return false as long as the buffer is changing. This means that a check with
6394 equality to zero will almost always immediately match at the beginning of the
6395 session, while a test for more data will wait for that data to come in and
6396 return false only when haproxy is certain that no more data will come in.
6397 This test was designed to be used with TCP request content inspection.
6398
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006399req_proto_http
6400 Returns true when data in the request buffer look like HTTP and correctly
6401 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006402 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006403 to direct HTTP traffic to a given port and HTTPS traffic to another one
6404 using TCP request content inspection rules.
6405
Emeric Brunbede3d02009-06-30 17:54:00 +02006406req_rdp_cookie <string>
6407req_rdp_cookie(name) <string>
6408 Returns true when data in the request buffer look like the RDP protocol, and
6409 a cookie is present and equal to <string>. By default, any cookie name is
6410 checked, but a specific cookie name can be specified in parenthesis. The
6411 parser only checks for the first cookie, as illustrated in the RDP protocol
6412 specification. The cookie name is case insensitive. This ACL can be useful
6413 with the "MSTS" cookie, as it can contain the user name of the client
6414 connecting to the server if properly configured on the client. This can be
6415 used to restrict access to certain servers to certain users.
6416
6417req_rdp_cookie_cnt <integer>
6418req_rdp_cookie_cnt(name) <integer>
6419 Returns true when the data in the request buffer look like the RDP protocol
6420 and the number of RDP cookies matches the specified range (typically zero or
6421 one). Optionally a specific cookie name can be checked. This is a simple way
6422 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
6423 cookies.
6424
Willy Tarreau62644772008-07-16 18:36:06 +02006425req_ssl_ver <decimal>
6426 Returns true when data in the request buffer look like SSL, with a protocol
6427 version matching the specified range. Both SSLv2 hello messages and SSLv3
6428 messages are supported. The test tries to be strict enough to avoid being
6429 easily fooled. In particular, it waits for as many bytes as announced in the
6430 message header if this header looks valid (bound to the buffer size). Note
6431 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
6432 with TCP request content inspection.
6433
Willy Tarreaub6fb4202008-07-20 11:18:28 +02006434wait_end
6435 Waits for the end of the analysis period to return true. This may be used in
6436 conjunction with content analysis to avoid returning a wrong verdict early.
6437 It may also be used to delay some actions, such as a delayed reject for some
6438 special addresses. Since it either stops the rules evaluation or immediately
6439 returns true, it is recommended to use this acl as the last one in a rule.
6440 Please note that the default ACL "WAIT_END" is always usable without prior
6441 declaration. This test was designed to be used with TCP request content
6442 inspection.
6443
6444 Examples :
6445 # delay every incoming request by 2 seconds
6446 tcp-request inspect-delay 2s
6447 tcp-request content accept if WAIT_END
6448
6449 # don't immediately tell bad guys they are rejected
6450 tcp-request inspect-delay 10s
6451 acl goodguys src 10.0.0.0/24
6452 acl badguys src 10.0.1.0/24
6453 tcp-request content accept if goodguys
6454 tcp-request content reject if badguys WAIT_END
6455 tcp-request content reject
6456
Willy Tarreau62644772008-07-16 18:36:06 +02006457
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064587.5.3. Matching at Layer 7
6459--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006460
Willy Tarreau62644772008-07-16 18:36:06 +02006461A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01006462application layer (layer 7). Those require that a full HTTP request has been
6463read, and are only evaluated then. They may require slightly more CPU resources
6464than the layer 4 ones, but not much since the request and response are indexed.
6465
Willy Tarreaud63335a2010-02-26 12:56:52 +01006466hdr <string>
6467hdr(header) <string>
6468 Note: all the "hdr*" matching criteria either apply to all headers, or to a
6469 particular header whose name is passed between parenthesis and without any
6470 space. The header name is not case-sensitive. The header matching complies
6471 with RFC2616, and treats as separate headers all values delimited by commas.
6472 Use the shdr() variant for response headers sent by the server.
6473
6474 The "hdr" criteria returns true if any of the headers matching the criteria
6475 match any of the strings. This can be used to check exact for values. For
6476 instance, checking that "connection: close" is set :
6477
6478 hdr(Connection) -i close
6479
6480hdr_beg <string>
6481hdr_beg(header) <string>
6482 Returns true when one of the headers begins with one of the strings. See
6483 "hdr" for more information on header matching. Use the shdr_beg() variant for
6484 response headers sent by the server.
6485
6486hdr_cnt <integer>
6487hdr_cnt(header) <integer>
6488 Returns true when the number of occurrence of the specified header matches
6489 the values or ranges specified. It is important to remember that one header
6490 line may count as several headers if it has several values. This is used to
6491 detect presence, absence or abuse of a specific header, as well as to block
6492 request smuggling attacks by rejecting requests which contain more than one
6493 of certain headers. See "hdr" for more information on header matching. Use
6494 the shdr_cnt() variant for response headers sent by the server.
6495
6496hdr_dir <string>
6497hdr_dir(header) <string>
6498 Returns true when one of the headers contains one of the strings either
6499 isolated or delimited by slashes. This is used to perform filename or
6500 directory name matching, and may be used with Referer. See "hdr" for more
6501 information on header matching. Use the shdr_dir() variant for response
6502 headers sent by the server.
6503
6504hdr_dom <string>
6505hdr_dom(header) <string>
6506 Returns true when one of the headers contains one of the strings either
6507 isolated or delimited by dots. This is used to perform domain name matching,
6508 and may be used with the Host header. See "hdr" for more information on
6509 header matching. Use the shdr_dom() variant for response headers sent by the
6510 server.
6511
6512hdr_end <string>
6513hdr_end(header) <string>
6514 Returns true when one of the headers ends with one of the strings. See "hdr"
6515 for more information on header matching. Use the shdr_end() variant for
6516 response headers sent by the server.
6517
6518hdr_ip <ip_address>
6519hdr_ip(header) <ip_address>
6520 Returns true when one of the headers' values contains an IP address matching
6521 <ip_address>. This is mainly used with headers such as X-Forwarded-For or
6522 X-Client-IP. See "hdr" for more information on header matching. Use the
6523 shdr_ip() variant for response headers sent by the server.
6524
6525hdr_reg <regex>
6526hdr_reg(header) <regex>
6527 Returns true when one of the headers matches of the regular expressions. It
6528 can be used at any time, but it is important to remember that regex matching
6529 is slower than other methods. See also other "hdr_" criteria, as well as
6530 "hdr" for more information on header matching. Use the shdr_reg() variant for
6531 response headers sent by the server.
6532
6533hdr_sub <string>
6534hdr_sub(header) <string>
6535 Returns true when one of the headers contains one of the strings. See "hdr"
6536 for more information on header matching. Use the shdr_sub() variant for
6537 response headers sent by the server.
6538
6539hdr_val <integer>
6540hdr_val(header) <integer>
6541 Returns true when one of the headers starts with a number which matches the
6542 values or ranges specified. This may be used to limit content-length to
6543 acceptable values for example. See "hdr" for more information on header
6544 matching. Use the shdr_val() variant for response headers sent by the server.
6545
6546http_auth(userlist)
6547http_auth_group(userlist) <group> [<group>]*
6548 Returns true when authentication data received from the client matches
6549 username & password stored on the userlist. It is also possible to
6550 use http_auth_group to check if the user is assigned to at least one
6551 of specified groups.
6552
6553 Currently only http basic auth is supported.
6554
Willy Tarreau6a06a402007-07-15 20:15:28 +02006555method <string>
6556 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
6557 already check for most common methods.
6558
Willy Tarreau6a06a402007-07-15 20:15:28 +02006559path <string>
6560 Returns true when the path part of the request, which starts at the first
6561 slash and ends before the question mark, equals one of the strings. It may be
6562 used to match known files, such as /favicon.ico.
6563
6564path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006565 Returns true when the path begins with one of the strings. This can be used
6566 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006567
Willy Tarreau6a06a402007-07-15 20:15:28 +02006568path_dir <string>
6569 Returns true when one of the strings is found isolated or delimited with
6570 slashes in the path. This is used to perform filename or directory name
6571 matching without the risk of wrong match due to colliding prefixes. See also
6572 "url_dir" and "path_sub".
6573
6574path_dom <string>
6575 Returns true when one of the strings is found isolated or delimited with dots
6576 in the path. This may be used to perform domain name matching in proxy
6577 requests. See also "path_sub" and "url_dom".
6578
Willy Tarreaud63335a2010-02-26 12:56:52 +01006579path_end <string>
6580 Returns true when the path ends with one of the strings. This may be used to
6581 control file name extension.
6582
Willy Tarreau6a06a402007-07-15 20:15:28 +02006583path_reg <regex>
6584 Returns true when the path matches one of the regular expressions. It can be
6585 used any time, but it is important to remember that regex matching is slower
6586 than other methods. See also "url_reg" and all "path_" criteria.
6587
Willy Tarreaud63335a2010-02-26 12:56:52 +01006588path_sub <string>
6589 Returns true when the path contains one of the strings. It can be used to
6590 detect particular patterns in paths, such as "../" for example. See also
6591 "path_dir".
6592
6593req_ver <string>
6594 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
6595 ACL already check for versions 1.0 and 1.1.
6596
6597status <integer>
6598 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
6599 used to act on responses depending on status ranges, for instance, remove
6600 any Location header if the response is not a 3xx.
6601
Willy Tarreau6a06a402007-07-15 20:15:28 +02006602url <string>
6603 Applies to the whole URL passed in the request. The only real use is to match
6604 "*", for which there already is a predefined ACL.
6605
6606url_beg <string>
6607 Returns true when the URL begins with one of the strings. This can be used to
6608 check whether a URL begins with a slash or with a protocol scheme.
6609
Willy Tarreau6a06a402007-07-15 20:15:28 +02006610url_dir <string>
6611 Returns true when one of the strings is found isolated or delimited with
6612 slashes in the URL. This is used to perform filename or directory name
6613 matching without the risk of wrong match due to colliding prefixes. See also
6614 "path_dir" and "url_sub".
6615
6616url_dom <string>
6617 Returns true when one of the strings is found isolated or delimited with dots
6618 in the URL. This is used to perform domain name matching without the risk of
6619 wrong match due to colliding prefixes. See also "url_sub".
6620
Willy Tarreaud63335a2010-02-26 12:56:52 +01006621url_end <string>
6622 Returns true when the URL ends with one of the strings. It has very limited
6623 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006624
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006625url_ip <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006626 Applies to the IP address specified in the absolute URI in an HTTP request.
6627 It can be used to prevent access to certain resources such as local network.
Willy Tarreau198a7442008-01-17 12:05:32 +01006628 It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006629
6630url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006631 Applies to the port specified in the absolute URI in an HTTP request. It can
6632 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01006633 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01006634 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006635
Willy Tarreaud63335a2010-02-26 12:56:52 +01006636url_reg <regex>
6637 Returns true when the URL matches one of the regular expressions. It can be
6638 used any time, but it is important to remember that regex matching is slower
6639 than other methods. See also "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006640
Willy Tarreaud63335a2010-02-26 12:56:52 +01006641url_sub <string>
6642 Returns true when the URL contains one of the strings. It can be used to
6643 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006644
Willy Tarreau198a7442008-01-17 12:05:32 +01006645
Willy Tarreauc57f0e22009-05-10 13:12:33 +020066467.6. Pre-defined ACLs
6647---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006648
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006649Some predefined ACLs are hard-coded so that they do not have to be declared in
6650every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02006651order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01006652
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006653ACL name Equivalent to Usage
6654---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006655FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006656HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006657HTTP_1.0 req_ver 1.0 match HTTP version 1.0
6658HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01006659HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
6660HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
6661HTTP_URL_SLASH url_beg / match URL beginning with "/"
6662HTTP_URL_STAR url * match URL equal to "*"
6663LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006664METH_CONNECT method CONNECT match HTTP CONNECT method
6665METH_GET method GET HEAD match HTTP GET or HEAD method
6666METH_HEAD method HEAD match HTTP HEAD method
6667METH_OPTIONS method OPTIONS match HTTP OPTIONS method
6668METH_POST method POST match HTTP POST method
6669METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02006670RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006671REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01006672TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006673WAIT_END wait_end wait for end of content analysis
6674---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006675
Willy Tarreauced27012008-01-17 20:35:34 +01006676
Willy Tarreauc57f0e22009-05-10 13:12:33 +020066777.7. Using ACLs to form conditions
6678----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006679
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006680Some actions are only performed upon a valid condition. A condition is a
6681combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01006682
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006683 - AND (implicit)
6684 - OR (explicit with the "or" keyword or the "||" operator)
6685 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01006686
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006687A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01006688
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006689 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01006690
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006691Such conditions are generally used after an "if" or "unless" statement,
6692indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01006693
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006694For instance, to block HTTP requests to the "*" URL with methods other than
6695"OPTIONS", as well as POST requests without content-length, and GET or HEAD
6696requests with a content-length greater than 0, and finally every request which
6697is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01006698
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006699 acl missing_cl hdr_cnt(Content-length) eq 0
6700 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
6701 block if METH_GET HTTP_CONTENT
6702 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01006703
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006704To select a different backend for requests to static contents on the "www" site
6705and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01006706
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006707 acl url_static path_beg /static /images /img /css
6708 acl url_static path_end .gif .png .jpg .css .js
6709 acl host_www hdr_beg(host) -i www
6710 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01006711
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006712 # now use backend "static" for all static-only hosts, and for static urls
6713 # of host "www". Use backend "www" for the rest.
6714 use_backend static if host_static or host_www url_static
6715 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01006716
Willy Tarreau95fa4692010-02-01 13:05:50 +01006717It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
6718expressions that are built on the fly without needing to be declared. They must
6719be enclosed between braces, with a space before and after each brace (because
6720the braces must be seen as independant words). Example :
6721
6722 The following rule :
6723
6724 acl missing_cl hdr_cnt(Content-length) eq 0
6725 block if METH_POST missing_cl
6726
6727 Can also be written that way :
6728
6729 block if METH_POST { hdr_cnt(Content-length) eq 0 }
6730
6731It is generally not recommended to use this construct because it's a lot easier
6732to leave errors in the configuration when written that way. However, for very
6733simple rules matching only one source IP address for instance, it can make more
6734sense to use them than to declare ACLs with random names. Another example of
6735good use is the following :
6736
6737 With named ACLs :
6738
6739 acl site_dead nbsrv(dynamic) lt 2
6740 acl site_dead nbsrv(static) lt 2
6741 monitor fail if site_dead
6742
6743 With anonymous ACLs :
6744
6745 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
6746
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006747See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01006748
Willy Tarreau5764b382007-11-30 17:46:49 +01006749
Willy Tarreaub937b7e2010-01-12 15:27:54 +010067507.8. Pattern extraction
6751-----------------------
6752
6753The stickiness features relies on pattern extraction in the request and
6754response. Sometimes the data needs to be converted first before being stored,
6755for instance converted from ASCII to IP or upper case to lower case.
6756
6757All these operations of data extraction and conversion are defined as
6758"pattern extraction rules". A pattern rule always has the same format. It
6759begins with a single pattern fetch word, potentially followed by a list of
6760arguments within parenthesis then an optional list of transformations. As
6761much as possible, the pattern fetch functions use the same name as their
6762equivalent used in ACLs.
6763
6764The list of currently supported pattern fetch functions is the following :
6765
6766 src This is the source IPv4 address of the client of the session.
6767 It is of type IP and only works with such tables.
6768
6769 dst This is the destination IPv4 address of the session on the
6770 client side, which is the address the client connected to.
6771 It can be useful when running in transparent mode. It is of
6772 typie IP and only works with such tables.
6773
6774 dst_port This is the destination TCP port of the session on the client
6775 side, which is the port the client connected to. This might be
6776 used when running in transparent mode or when assigning dynamic
6777 ports to some clients for a whole application session. It is of
6778 type integer and only works with such tables.
6779
Willy Tarreau4a568972010-05-12 08:08:50 +02006780 hdr(name) This extracts the last occurrence of header <name> in an HTTP
6781 request and converts it to an IP address. This IP address is
6782 then used to match the table. A typical use is with the
6783 x-forwarded-for header.
6784
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006785
6786The currently available list of transformations include :
6787
6788 lower Convert a string pattern to lower case. This can only be placed
6789 after a string pattern fetch function or after a conversion
6790 function returning a string type. The result is of type string.
6791
6792 upper Convert a string pattern to upper case. This can only be placed
6793 after a string pattern fetch function or after a conversion
6794 function returning a string type. The result is of type string.
6795
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01006796 ipmask(mask) Apply a mask to an IPv4 address, and use the result for lookups
6797 and storage. This can be used to make all hosts within a
6798 certain mask to share the same table entries and as such use
6799 the same server. The mask can be passed in dotted form (eg:
6800 255.255.255.0) or in CIDR form (eg: 24).
6801
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006802
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068038. Logging
6804----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01006805
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006806One of HAProxy's strong points certainly lies is its precise logs. It probably
6807provides the finest level of information available for such a product, which is
6808very important for troubleshooting complex environments. Standard information
6809provided in logs include client ports, TCP/HTTP state timers, precise session
6810state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006811to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006812headers.
6813
6814In order to improve administrators reactivity, it offers a great transparency
6815about encountered problems, both internal and external, and it is possible to
6816send logs to different sources at the same time with different level filters :
6817
6818 - global process-level logs (system errors, start/stop, etc..)
6819 - per-instance system and internal errors (lack of resource, bugs, ...)
6820 - per-instance external troubles (servers up/down, max connections)
6821 - per-instance activity (client connections), either at the establishment or
6822 at the termination.
6823
6824The ability to distribute different levels of logs to different log servers
6825allow several production teams to interact and to fix their problems as soon
6826as possible. For example, the system team might monitor system-wide errors,
6827while the application team might be monitoring the up/down for their servers in
6828real time, and the security team might analyze the activity logs with one hour
6829delay.
6830
6831
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068328.1. Log levels
6833---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006834
6835TCP and HTTP connections can be logged with informations such as date, time,
6836source IP address, destination address, connection duration, response times,
6837HTTP request, the HTTP return code, number of bytes transmitted, the conditions
6838in which the session ended, and even exchanged cookies values, to track a
6839particular user's problems for example. All messages are sent to up to two
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006840syslog servers. Check the "log" keyword in section 4.2 for more info about log
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006841facilities.
6842
6843
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068448.2. Log formats
6845----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006846
Emeric Brun3a058f32009-06-30 18:26:00 +02006847HAProxy supports 4 log formats. Several fields are common between these formats
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006848and will be detailed in the next sections. A few of them may slightly vary with
6849the configuration, due to indicators specific to certain options. The supported
6850formats are the following ones :
6851
6852 - the default format, which is very basic and very rarely used. It only
6853 provides very basic information about the incoming connection at the moment
6854 it is accepted : source IP:port, destination IP:port, and frontend-name.
6855 This mode will eventually disappear so it will not be described to great
6856 extents.
6857
6858 - the TCP format, which is more advanced. This format is enabled when "option
6859 tcplog" is set on the frontend. HAProxy will then usually wait for the
6860 connection to terminate before logging. This format provides much richer
6861 information, such as timers, connection counts, queue size, etc... This
6862 format is recommended for pure TCP proxies.
6863
6864 - the HTTP format, which is the most advanced for HTTP proxying. This format
6865 is enabled when "option httplog" is set on the frontend. It provides the
6866 same information as the TCP format with some HTTP-specific fields such as
6867 the request, the status code, and captures of headers and cookies. This
6868 format is recommended for HTTP proxies.
6869
Emeric Brun3a058f32009-06-30 18:26:00 +02006870 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
6871 fields arranged in the same order as the CLF format. In this mode, all
6872 timers, captures, flags, etc... appear one per field after the end of the
6873 common fields, in the same order they appear in the standard HTTP format.
6874
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006875Next sections will go deeper into details for each of these formats. Format
6876specification will be performed on a "field" basis. Unless stated otherwise, a
6877field is a portion of text delimited by any number of spaces. Since syslog
6878servers are susceptible of inserting fields at the beginning of a line, it is
6879always assumed that the first field is the one containing the process name and
6880identifier.
6881
6882Note : Since log lines may be quite long, the log examples in sections below
6883 might be broken into multiple lines. The example log lines will be
6884 prefixed with 3 closing angle brackets ('>>>') and each time a log is
6885 broken into multiple lines, each non-final line will end with a
6886 backslash ('\') and the next line will start indented by two characters.
6887
6888
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068898.2.1. Default log format
6890-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006891
6892This format is used when no specific option is set. The log is emitted as soon
6893as the connection is accepted. One should note that this currently is the only
6894format which logs the request's destination IP and ports.
6895
6896 Example :
6897 listen www
6898 mode http
6899 log global
6900 server srv1 127.0.0.1:8000
6901
6902 >>> Feb 6 12:12:09 localhost \
6903 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
6904 (www/HTTP)
6905
6906 Field Format Extract from the example above
6907 1 process_name '[' pid ']:' haproxy[14385]:
6908 2 'Connect from' Connect from
6909 3 source_ip ':' source_port 10.0.1.2:33312
6910 4 'to' to
6911 5 destination_ip ':' destination_port 10.0.3.31:8012
6912 6 '(' frontend_name '/' mode ')' (www/HTTP)
6913
6914Detailed fields description :
6915 - "source_ip" is the IP address of the client which initiated the connection.
6916 - "source_port" is the TCP port of the client which initiated the connection.
6917 - "destination_ip" is the IP address the client connected to.
6918 - "destination_port" is the TCP port the client connected to.
6919 - "frontend_name" is the name of the frontend (or listener) which received
6920 and processed the connection.
6921 - "mode is the mode the frontend is operating (TCP or HTTP).
6922
6923It is advised not to use this deprecated format for newer installations as it
6924will eventually disappear.
6925
6926
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069278.2.2. TCP log format
6928---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006929
6930The TCP format is used when "option tcplog" is specified in the frontend, and
6931is the recommended format for pure TCP proxies. It provides a lot of precious
6932information for troubleshooting. Since this format includes timers and byte
6933counts, the log is normally emitted at the end of the session. It can be
6934emitted earlier if "option logasap" is specified, which makes sense in most
6935environments with long sessions such as remote terminals. Sessions which match
6936the "monitor" rules are never logged. It is also possible not to emit logs for
6937sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02006938specifying "option dontlognull" in the frontend. Successful connections will
6939not be logged if "option dontlog-normal" is specified in the frontend. A few
6940fields may slightly vary depending on some configuration options, those are
6941marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006942
6943 Example :
6944 frontend fnt
6945 mode tcp
6946 option tcplog
6947 log global
6948 default_backend bck
6949
6950 backend bck
6951 server srv1 127.0.0.1:8000
6952
6953 >>> Feb 6 12:12:56 localhost \
6954 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
6955 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
6956
6957 Field Format Extract from the example above
6958 1 process_name '[' pid ']:' haproxy[14387]:
6959 2 client_ip ':' client_port 10.0.1.2:33313
6960 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
6961 4 frontend_name fnt
6962 5 backend_name '/' server_name bck/srv1
6963 6 Tw '/' Tc '/' Tt* 0/0/5007
6964 7 bytes_read* 212
6965 8 termination_state --
6966 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
6967 10 srv_queue '/' backend_queue 0/0
6968
6969Detailed fields description :
6970 - "client_ip" is the IP address of the client which initiated the TCP
6971 connection to haproxy.
6972
6973 - "client_port" is the TCP port of the client which initiated the connection.
6974
6975 - "accept_date" is the exact date when the connection was received by haproxy
6976 (which might be very slightly different from the date observed on the
6977 network if there was some queuing in the system's backlog). This is usually
6978 the same date which may appear in any upstream firewall's log.
6979
6980 - "frontend_name" is the name of the frontend (or listener) which received
6981 and processed the connection.
6982
6983 - "backend_name" is the name of the backend (or listener) which was selected
6984 to manage the connection to the server. This will be the same as the
6985 frontend if no switching rule has been applied, which is common for TCP
6986 applications.
6987
6988 - "server_name" is the name of the last server to which the connection was
6989 sent, which might differ from the first one if there were connection errors
6990 and a redispatch occurred. Note that this server belongs to the backend
6991 which processed the request. If the connection was aborted before reaching
6992 a server, "<NOSRV>" is indicated instead of a server name.
6993
6994 - "Tw" is the total time in milliseconds spent waiting in the various queues.
6995 It can be "-1" if the connection was aborted before reaching the queue.
6996 See "Timers" below for more details.
6997
6998 - "Tc" is the total time in milliseconds spent waiting for the connection to
6999 establish to the final server, including retries. It can be "-1" if the
7000 connection was aborted before a connection could be established. See
7001 "Timers" below for more details.
7002
7003 - "Tt" is the total time in milliseconds elapsed between the accept and the
7004 last close. It covers all possible processings. There is one exception, if
7005 "option logasap" was specified, then the time counting stops at the moment
7006 the log is emitted. In this case, a '+' sign is prepended before the value,
7007 indicating that the final one will be larger. See "Timers" below for more
7008 details.
7009
7010 - "bytes_read" is the total number of bytes transmitted from the server to
7011 the client when the log is emitted. If "option logasap" is specified, the
7012 this value will be prefixed with a '+' sign indicating that the final one
7013 may be larger. Please note that this value is a 64-bit counter, so log
7014 analysis tools must be able to handle it without overflowing.
7015
7016 - "termination_state" is the condition the session was in when the session
7017 ended. This indicates the session state, which side caused the end of
7018 session to happen, and for what reason (timeout, error, ...). The normal
7019 flags should be "--", indicating the session was closed by either end with
7020 no data remaining in buffers. See below "Session state at disconnection"
7021 for more details.
7022
7023 - "actconn" is the total number of concurrent connections on the process when
7024 the session was logged. It it useful to detect when some per-process system
7025 limits have been reached. For instance, if actconn is close to 512 when
7026 multiple connection errors occur, chances are high that the system limits
7027 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007028 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007029
7030 - "feconn" is the total number of concurrent connections on the frontend when
7031 the session was logged. It is useful to estimate the amount of resource
7032 required to sustain high loads, and to detect when the frontend's "maxconn"
7033 has been reached. Most often when this value increases by huge jumps, it is
7034 because there is congestion on the backend servers, but sometimes it can be
7035 caused by a denial of service attack.
7036
7037 - "beconn" is the total number of concurrent connections handled by the
7038 backend when the session was logged. It includes the total number of
7039 concurrent connections active on servers as well as the number of
7040 connections pending in queues. It is useful to estimate the amount of
7041 additional servers needed to support high loads for a given application.
7042 Most often when this value increases by huge jumps, it is because there is
7043 congestion on the backend servers, but sometimes it can be caused by a
7044 denial of service attack.
7045
7046 - "srv_conn" is the total number of concurrent connections still active on
7047 the server when the session was logged. It can never exceed the server's
7048 configured "maxconn" parameter. If this value is very often close or equal
7049 to the server's "maxconn", it means that traffic regulation is involved a
7050 lot, meaning that either the server's maxconn value is too low, or that
7051 there aren't enough servers to process the load with an optimal response
7052 time. When only one of the server's "srv_conn" is high, it usually means
7053 that this server has some trouble causing the connections to take longer to
7054 be processed than on other servers.
7055
7056 - "retries" is the number of connection retries experienced by this session
7057 when trying to connect to the server. It must normally be zero, unless a
7058 server is being stopped at the same moment the connection was attempted.
7059 Frequent retries generally indicate either a network problem between
7060 haproxy and the server, or a misconfigured system backlog on the server
7061 preventing new connections from being queued. This field may optionally be
7062 prefixed with a '+' sign, indicating that the session has experienced a
7063 redispatch after the maximal retry count has been reached on the initial
7064 server. In this case, the server name appearing in the log is the one the
7065 connection was redispatched to, and not the first one, though both may
7066 sometimes be the same in case of hashing for instance. So as a general rule
7067 of thumb, when a '+' is present in front of the retry count, this count
7068 should not be attributed to the logged server.
7069
7070 - "srv_queue" is the total number of requests which were processed before
7071 this one in the server queue. It is zero when the request has not gone
7072 through the server queue. It makes it possible to estimate the approximate
7073 server's response time by dividing the time spent in queue by the number of
7074 requests in the queue. It is worth noting that if a session experiences a
7075 redispatch and passes through two server queues, their positions will be
7076 cumulated. A request should not pass through both the server queue and the
7077 backend queue unless a redispatch occurs.
7078
7079 - "backend_queue" is the total number of requests which were processed before
7080 this one in the backend's global queue. It is zero when the request has not
7081 gone through the global queue. It makes it possible to estimate the average
7082 queue length, which easily translates into a number of missing servers when
7083 divided by a server's "maxconn" parameter. It is worth noting that if a
7084 session experiences a redispatch, it may pass twice in the backend's queue,
7085 and then both positions will be cumulated. A request should not pass
7086 through both the server queue and the backend queue unless a redispatch
7087 occurs.
7088
7089
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070908.2.3. HTTP log format
7091----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007092
7093The HTTP format is the most complete and the best suited for HTTP proxies. It
7094is enabled by when "option httplog" is specified in the frontend. It provides
7095the same level of information as the TCP format with additional features which
7096are specific to the HTTP protocol. Just like the TCP format, the log is usually
7097emitted at the end of the session, unless "option logasap" is specified, which
7098generally only makes sense for download sites. A session which matches the
7099"monitor" rules will never logged. It is also possible not to log sessions for
7100which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007101frontend. Successful connections will not be logged if "option dontlog-normal"
7102is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007103
7104Most fields are shared with the TCP log, some being different. A few fields may
7105slightly vary depending on some configuration options. Those ones are marked
7106with a star ('*') after the field name below.
7107
7108 Example :
7109 frontend http-in
7110 mode http
7111 option httplog
7112 log global
7113 default_backend bck
7114
7115 backend static
7116 server srv1 127.0.0.1:8000
7117
7118 >>> Feb 6 12:14:14 localhost \
7119 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
7120 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007121 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007122
7123 Field Format Extract from the example above
7124 1 process_name '[' pid ']:' haproxy[14389]:
7125 2 client_ip ':' client_port 10.0.1.2:33317
7126 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
7127 4 frontend_name http-in
7128 5 backend_name '/' server_name static/srv1
7129 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
7130 7 status_code 200
7131 8 bytes_read* 2750
7132 9 captured_request_cookie -
7133 10 captured_response_cookie -
7134 11 termination_state ----
7135 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
7136 13 srv_queue '/' backend_queue 0/0
7137 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
7138 15 '{' captured_response_headers* '}' {}
7139 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01007140
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007141
7142Detailed fields description :
7143 - "client_ip" is the IP address of the client which initiated the TCP
7144 connection to haproxy.
7145
7146 - "client_port" is the TCP port of the client which initiated the connection.
7147
7148 - "accept_date" is the exact date when the TCP connection was received by
7149 haproxy (which might be very slightly different from the date observed on
7150 the network if there was some queuing in the system's backlog). This is
7151 usually the same date which may appear in any upstream firewall's log. This
7152 does not depend on the fact that the client has sent the request or not.
7153
7154 - "frontend_name" is the name of the frontend (or listener) which received
7155 and processed the connection.
7156
7157 - "backend_name" is the name of the backend (or listener) which was selected
7158 to manage the connection to the server. This will be the same as the
7159 frontend if no switching rule has been applied.
7160
7161 - "server_name" is the name of the last server to which the connection was
7162 sent, which might differ from the first one if there were connection errors
7163 and a redispatch occurred. Note that this server belongs to the backend
7164 which processed the request. If the request was aborted before reaching a
7165 server, "<NOSRV>" is indicated instead of a server name. If the request was
7166 intercepted by the stats subsystem, "<STATS>" is indicated instead.
7167
7168 - "Tq" is the total time in milliseconds spent waiting for the client to send
7169 a full HTTP request, not counting data. It can be "-1" if the connection
7170 was aborted before a complete request could be received. It should always
7171 be very small because a request generally fits in one single packet. Large
7172 times here generally indicate network trouble between the client and
7173 haproxy. See "Timers" below for more details.
7174
7175 - "Tw" is the total time in milliseconds spent waiting in the various queues.
7176 It can be "-1" if the connection was aborted before reaching the queue.
7177 See "Timers" below for more details.
7178
7179 - "Tc" is the total time in milliseconds spent waiting for the connection to
7180 establish to the final server, including retries. It can be "-1" if the
7181 request was aborted before a connection could be established. See "Timers"
7182 below for more details.
7183
7184 - "Tr" is the total time in milliseconds spent waiting for the server to send
7185 a full HTTP response, not counting data. It can be "-1" if the request was
7186 aborted before a complete response could be received. It generally matches
7187 the server's processing time for the request, though it may be altered by
7188 the amount of data sent by the client to the server. Large times here on
7189 "GET" requests generally indicate an overloaded server. See "Timers" below
7190 for more details.
7191
7192 - "Tt" is the total time in milliseconds elapsed between the accept and the
7193 last close. It covers all possible processings. There is one exception, if
7194 "option logasap" was specified, then the time counting stops at the moment
7195 the log is emitted. In this case, a '+' sign is prepended before the value,
7196 indicating that the final one will be larger. See "Timers" below for more
7197 details.
7198
7199 - "status_code" is the HTTP status code returned to the client. This status
7200 is generally set by the server, but it might also be set by haproxy when
7201 the server cannot be reached or when its response is blocked by haproxy.
7202
7203 - "bytes_read" is the total number of bytes transmitted to the client when
7204 the log is emitted. This does include HTTP headers. If "option logasap" is
7205 specified, the this value will be prefixed with a '+' sign indicating that
7206 the final one may be larger. Please note that this value is a 64-bit
7207 counter, so log analysis tools must be able to handle it without
7208 overflowing.
7209
7210 - "captured_request_cookie" is an optional "name=value" entry indicating that
7211 the client had this cookie in the request. The cookie name and its maximum
7212 length are defined by the "capture cookie" statement in the frontend
7213 configuration. The field is a single dash ('-') when the option is not
7214 set. Only one cookie may be captured, it is generally used to track session
7215 ID exchanges between a client and a server to detect session crossing
7216 between clients due to application bugs. For more details, please consult
7217 the section "Capturing HTTP headers and cookies" below.
7218
7219 - "captured_response_cookie" is an optional "name=value" entry indicating
7220 that the server has returned a cookie with its response. The cookie name
7221 and its maximum length are defined by the "capture cookie" statement in the
7222 frontend configuration. The field is a single dash ('-') when the option is
7223 not set. Only one cookie may be captured, it is generally used to track
7224 session ID exchanges between a client and a server to detect session
7225 crossing between clients due to application bugs. For more details, please
7226 consult the section "Capturing HTTP headers and cookies" below.
7227
7228 - "termination_state" is the condition the session was in when the session
7229 ended. This indicates the session state, which side caused the end of
7230 session to happen, for what reason (timeout, error, ...), just like in TCP
7231 logs, and information about persistence operations on cookies in the last
7232 two characters. The normal flags should begin with "--", indicating the
7233 session was closed by either end with no data remaining in buffers. See
7234 below "Session state at disconnection" for more details.
7235
7236 - "actconn" is the total number of concurrent connections on the process when
7237 the session was logged. It it useful to detect when some per-process system
7238 limits have been reached. For instance, if actconn is close to 512 or 1024
7239 when multiple connection errors occur, chances are high that the system
7240 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007241 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007242 system.
7243
7244 - "feconn" is the total number of concurrent connections on the frontend when
7245 the session was logged. It is useful to estimate the amount of resource
7246 required to sustain high loads, and to detect when the frontend's "maxconn"
7247 has been reached. Most often when this value increases by huge jumps, it is
7248 because there is congestion on the backend servers, but sometimes it can be
7249 caused by a denial of service attack.
7250
7251 - "beconn" is the total number of concurrent connections handled by the
7252 backend when the session was logged. It includes the total number of
7253 concurrent connections active on servers as well as the number of
7254 connections pending in queues. It is useful to estimate the amount of
7255 additional servers needed to support high loads for a given application.
7256 Most often when this value increases by huge jumps, it is because there is
7257 congestion on the backend servers, but sometimes it can be caused by a
7258 denial of service attack.
7259
7260 - "srv_conn" is the total number of concurrent connections still active on
7261 the server when the session was logged. It can never exceed the server's
7262 configured "maxconn" parameter. If this value is very often close or equal
7263 to the server's "maxconn", it means that traffic regulation is involved a
7264 lot, meaning that either the server's maxconn value is too low, or that
7265 there aren't enough servers to process the load with an optimal response
7266 time. When only one of the server's "srv_conn" is high, it usually means
7267 that this server has some trouble causing the requests to take longer to be
7268 processed than on other servers.
7269
7270 - "retries" is the number of connection retries experienced by this session
7271 when trying to connect to the server. It must normally be zero, unless a
7272 server is being stopped at the same moment the connection was attempted.
7273 Frequent retries generally indicate either a network problem between
7274 haproxy and the server, or a misconfigured system backlog on the server
7275 preventing new connections from being queued. This field may optionally be
7276 prefixed with a '+' sign, indicating that the session has experienced a
7277 redispatch after the maximal retry count has been reached on the initial
7278 server. In this case, the server name appearing in the log is the one the
7279 connection was redispatched to, and not the first one, though both may
7280 sometimes be the same in case of hashing for instance. So as a general rule
7281 of thumb, when a '+' is present in front of the retry count, this count
7282 should not be attributed to the logged server.
7283
7284 - "srv_queue" is the total number of requests which were processed before
7285 this one in the server queue. It is zero when the request has not gone
7286 through the server queue. It makes it possible to estimate the approximate
7287 server's response time by dividing the time spent in queue by the number of
7288 requests in the queue. It is worth noting that if a session experiences a
7289 redispatch and passes through two server queues, their positions will be
7290 cumulated. A request should not pass through both the server queue and the
7291 backend queue unless a redispatch occurs.
7292
7293 - "backend_queue" is the total number of requests which were processed before
7294 this one in the backend's global queue. It is zero when the request has not
7295 gone through the global queue. It makes it possible to estimate the average
7296 queue length, which easily translates into a number of missing servers when
7297 divided by a server's "maxconn" parameter. It is worth noting that if a
7298 session experiences a redispatch, it may pass twice in the backend's queue,
7299 and then both positions will be cumulated. A request should not pass
7300 through both the server queue and the backend queue unless a redispatch
7301 occurs.
7302
7303 - "captured_request_headers" is a list of headers captured in the request due
7304 to the presence of the "capture request header" statement in the frontend.
7305 Multiple headers can be captured, they will be delimited by a vertical bar
7306 ('|'). When no capture is enabled, the braces do not appear, causing a
7307 shift of remaining fields. It is important to note that this field may
7308 contain spaces, and that using it requires a smarter log parser than when
7309 it's not used. Please consult the section "Capturing HTTP headers and
7310 cookies" below for more details.
7311
7312 - "captured_response_headers" is a list of headers captured in the response
7313 due to the presence of the "capture response header" statement in the
7314 frontend. Multiple headers can be captured, they will be delimited by a
7315 vertical bar ('|'). When no capture is enabled, the braces do not appear,
7316 causing a shift of remaining fields. It is important to note that this
7317 field may contain spaces, and that using it requires a smarter log parser
7318 than when it's not used. Please consult the section "Capturing HTTP headers
7319 and cookies" below for more details.
7320
7321 - "http_request" is the complete HTTP request line, including the method,
7322 request and HTTP version string. Non-printable characters are encoded (see
7323 below the section "Non-printable characters"). This is always the last
7324 field, and it is always delimited by quotes and is the only one which can
7325 contain quotes. If new fields are added to the log format, they will be
7326 added before this field. This field might be truncated if the request is
7327 huge and does not fit in the standard syslog buffer (1024 characters). This
7328 is the reason why this field must always remain the last one.
7329
7330
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073318.3. Advanced logging options
7332-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007333
7334Some advanced logging options are often looked for but are not easy to find out
7335just by looking at the various options. Here is an entry point for the few
7336options which can enable better logging. Please refer to the keywords reference
7337for more information about their usage.
7338
7339
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073408.3.1. Disabling logging of external tests
7341------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007342
7343It is quite common to have some monitoring tools perform health checks on
7344haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
7345commercial load-balancer, and sometimes it will simply be a more complete
7346monitoring system such as Nagios. When the tests are very frequent, users often
7347ask how to disable logging for those checks. There are three possibilities :
7348
7349 - if connections come from everywhere and are just TCP probes, it is often
7350 desired to simply disable logging of connections without data exchange, by
7351 setting "option dontlognull" in the frontend. It also disables logging of
7352 port scans, which may or may not be desired.
7353
7354 - if the connection come from a known source network, use "monitor-net" to
7355 declare this network as monitoring only. Any host in this network will then
7356 only be able to perform health checks, and their requests will not be
7357 logged. This is generally appropriate to designate a list of equipments
7358 such as other load-balancers.
7359
7360 - if the tests are performed on a known URI, use "monitor-uri" to declare
7361 this URI as dedicated to monitoring. Any host sending this request will
7362 only get the result of a health-check, and the request will not be logged.
7363
7364
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073658.3.2. Logging before waiting for the session to terminate
7366----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007367
7368The problem with logging at end of connection is that you have no clue about
7369what is happening during very long sessions, such as remote terminal sessions
7370or large file downloads. This problem can be worked around by specifying
7371"option logasap" in the frontend. Haproxy will then log as soon as possible,
7372just before data transfer begins. This means that in case of TCP, it will still
7373log the connection status to the server, and in case of HTTP, it will log just
7374after processing the server headers. In this case, the number of bytes reported
7375is the number of header bytes sent to the client. In order to avoid confusion
7376with normal logs, the total time field and the number of bytes are prefixed
7377with a '+' sign which means that real numbers are certainly larger.
7378
7379
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073808.3.3. Raising log level upon errors
7381------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007382
7383Sometimes it is more convenient to separate normal traffic from errors logs,
7384for instance in order to ease error monitoring from log files. When the option
7385"log-separate-errors" is used, connections which experience errors, timeouts,
7386retries, redispatches or HTTP status codes 5xx will see their syslog level
7387raised from "info" to "err". This will help a syslog daemon store the log in
7388a separate file. It is very important to keep the errors in the normal traffic
7389file too, so that log ordering is not altered. You should also be careful if
7390you already have configured your syslog daemon to store all logs higher than
7391"notice" in an "admin" file, because the "err" level is higher than "notice".
7392
7393
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073948.3.4. Disabling logging of successful connections
7395--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007396
7397Although this may sound strange at first, some large sites have to deal with
7398multiple thousands of logs per second and are experiencing difficulties keeping
7399them intact for a long time or detecting errors within them. If the option
7400"dontlog-normal" is set on the frontend, all normal connections will not be
7401logged. In this regard, a normal connection is defined as one without any
7402error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
7403and a response with a status 5xx is not considered normal and will be logged
7404too. Of course, doing is is really discouraged as it will remove most of the
7405useful information from the logs. Do this only if you have no other
7406alternative.
7407
7408
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074098.4. Timing events
7410------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007411
7412Timers provide a great help in troubleshooting network problems. All values are
7413reported in milliseconds (ms). These timers should be used in conjunction with
7414the session termination flags. In TCP mode with "option tcplog" set on the
7415frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
7416mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
7417
7418 - Tq: total time to get the client request (HTTP mode only). It's the time
7419 elapsed between the moment the client connection was accepted and the
7420 moment the proxy received the last HTTP header. The value "-1" indicates
7421 that the end of headers (empty line) has never been seen. This happens when
7422 the client closes prematurely or times out.
7423
7424 - Tw: total time spent in the queues waiting for a connection slot. It
7425 accounts for backend queue as well as the server queues, and depends on the
7426 queue size, and the time needed for the server to complete previous
7427 requests. The value "-1" means that the request was killed before reaching
7428 the queue, which is generally what happens with invalid or denied requests.
7429
7430 - Tc: total time to establish the TCP connection to the server. It's the time
7431 elapsed between the moment the proxy sent the connection request, and the
7432 moment it was acknowledged by the server, or between the TCP SYN packet and
7433 the matching SYN/ACK packet in return. The value "-1" means that the
7434 connection never established.
7435
7436 - Tr: server response time (HTTP mode only). It's the time elapsed between
7437 the moment the TCP connection was established to the server and the moment
7438 the server sent its complete response headers. It purely shows its request
7439 processing time, without the network overhead due to the data transmission.
7440 It is worth noting that when the client has data to send to the server, for
7441 instance during a POST request, the time already runs, and this can distort
7442 apparent response time. For this reason, it's generally wise not to trust
7443 too much this field for POST requests initiated from clients behind an
7444 untrusted network. A value of "-1" here means that the last the response
7445 header (empty line) was never seen, most likely because the server timeout
7446 stroke before the server managed to process the request.
7447
7448 - Tt: total session duration time, between the moment the proxy accepted it
7449 and the moment both ends were closed. The exception is when the "logasap"
7450 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
7451 prefixed with a '+' sign. From this field, we can deduce "Td", the data
7452 transmission time, by substracting other timers when valid :
7453
7454 Td = Tt - (Tq + Tw + Tc + Tr)
7455
7456 Timers with "-1" values have to be excluded from this equation. In TCP
7457 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
7458 negative.
7459
7460These timers provide precious indications on trouble causes. Since the TCP
7461protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
7462that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007463due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007464close to a timeout value specified in the configuration, it often means that a
7465session has been aborted on timeout.
7466
7467Most common cases :
7468
7469 - If "Tq" is close to 3000, a packet has probably been lost between the
7470 client and the proxy. This is very rare on local networks but might happen
7471 when clients are on far remote networks and send large requests. It may
7472 happen that values larger than usual appear here without any network cause.
7473 Sometimes, during an attack or just after a resource starvation has ended,
7474 haproxy may accept thousands of connections in a few milliseconds. The time
7475 spent accepting these connections will inevitably slightly delay processing
7476 of other connections, and it can happen that request times in the order of
7477 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02007478 connections have been accepted at once. Setting "option http-server-close"
7479 may display larger request times since "Tq" also measures the time spent
7480 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007481
7482 - If "Tc" is close to 3000, a packet has probably been lost between the
7483 server and the proxy during the server connection phase. This value should
7484 always be very low, such as 1 ms on local networks and less than a few tens
7485 of ms on remote networks.
7486
Willy Tarreau55165fe2009-05-10 12:02:55 +02007487 - If "Tr" is nearly always lower than 3000 except some rare values which seem
7488 to be the average majored by 3000, there are probably some packets lost
7489 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007490
7491 - If "Tt" is large even for small byte counts, it generally is because
7492 neither the client nor the server decides to close the connection, for
7493 instance because both have agreed on a keep-alive connection mode. In order
7494 to solve this issue, it will be needed to specify "option httpclose" on
7495 either the frontend or the backend. If the problem persists, it means that
7496 the server ignores the "close" connection mode and expects the client to
7497 close. Then it will be required to use "option forceclose". Having the
7498 smallest possible 'Tt' is important when connection regulation is used with
7499 the "maxconn" option on the servers, since no new connection will be sent
7500 to the server until another one is released.
7501
7502Other noticeable HTTP log cases ('xx' means any value to be ignored) :
7503
7504 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
7505 was emitted before the data phase. All the timers are valid
7506 except "Tt" which is shorter than reality.
7507
7508 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
7509 or it aborted too early. Check the session termination flags
7510 then "timeout http-request" and "timeout client" settings.
7511
7512 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
7513 servers were out of order, because the request was invalid
7514 or forbidden by ACL rules. Check the session termination
7515 flags.
7516
7517 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
7518 actively refused it or it timed out after Tt-(Tq+Tw) ms.
7519 Check the session termination flags, then check the
7520 "timeout connect" setting. Note that the tarpit action might
7521 return similar-looking patterns, with "Tw" equal to the time
7522 the client connection was maintained open.
7523
7524 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
7525 a complete response in time, or it closed its connexion
7526 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
7527 termination flags, then check the "timeout server" setting.
7528
7529
Willy Tarreauc57f0e22009-05-10 13:12:33 +020075308.5. Session state at disconnection
7531-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007532
7533TCP and HTTP logs provide a session termination indicator in the
7534"termination_state" field, just before the number of active connections. It is
75352-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
7536each of which has a special meaning :
7537
7538 - On the first character, a code reporting the first event which caused the
7539 session to terminate :
7540
7541 C : the TCP session was unexpectedly aborted by the client.
7542
7543 S : the TCP session was unexpectedly aborted by the server, or the
7544 server explicitly refused it.
7545
7546 P : the session was prematurely aborted by the proxy, because of a
7547 connection limit enforcement, because a DENY filter was matched,
7548 because of a security check which detected and blocked a dangerous
7549 error in server response which might have caused information leak
7550 (eg: cacheable cookie), or because the response was processed by
7551 the proxy (redirect, stats, etc...).
7552
7553 R : a resource on the proxy has been exhausted (memory, sockets, source
7554 ports, ...). Usually, this appears during the connection phase, and
7555 system logs should contain a copy of the precise error. If this
7556 happens, it must be considered as a very serious anomaly which
7557 should be fixed as soon as possible by any means.
7558
7559 I : an internal error was identified by the proxy during a self-check.
7560 This should NEVER happen, and you are encouraged to report any log
7561 containing this, because this would almost certainly be a bug. It
7562 would be wise to preventively restart the process after such an
7563 event too, in case it would be caused by memory corruption.
7564
7565 c : the client-side timeout expired while waiting for the client to
7566 send or receive data.
7567
7568 s : the server-side timeout expired while waiting for the server to
7569 send or receive data.
7570
7571 - : normal session completion, both the client and the server closed
7572 with nothing left in the buffers.
7573
7574 - on the second character, the TCP or HTTP session state when it was closed :
7575
7576 R : th proxy was waiting for a complete, valid REQUEST from the client
7577 (HTTP mode only). Nothing was sent to any server.
7578
7579 Q : the proxy was waiting in the QUEUE for a connection slot. This can
7580 only happen when servers have a 'maxconn' parameter set. It can
7581 also happen in the global queue after a redispatch consecutive to
7582 a failed attempt to connect to a dying server. If no redispatch is
7583 reported, then no connection attempt was made to any server.
7584
7585 C : the proxy was waiting for the CONNECTION to establish on the
7586 server. The server might at most have noticed a connection attempt.
7587
7588 H : the proxy was waiting for complete, valid response HEADERS from the
7589 server (HTTP only).
7590
7591 D : the session was in the DATA phase.
7592
7593 L : the proxy was still transmitting LAST data to the client while the
7594 server had already finished. This one is very rare as it can only
7595 happen when the client dies while receiving the last packets.
7596
7597 T : the request was tarpitted. It has been held open with the client
7598 during the whole "timeout tarpit" duration or until the client
7599 closed, both of which will be reported in the "Tw" timer.
7600
7601 - : normal session completion after end of data transfer.
7602
7603 - the third character tells whether the persistence cookie was provided by
7604 the client (only in HTTP mode) :
7605
7606 N : the client provided NO cookie. This is usually the case for new
7607 visitors, so counting the number of occurrences of this flag in the
7608 logs generally indicate a valid trend for the site frequentation.
7609
7610 I : the client provided an INVALID cookie matching no known server.
7611 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02007612 cookies between HTTP/HTTPS sites, persistence conditionally
7613 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007614
7615 D : the client provided a cookie designating a server which was DOWN,
7616 so either "option persist" was used and the client was sent to
7617 this server, or it was not set and the client was redispatched to
7618 another server.
7619
7620 V : the client provided a valid cookie, and was sent to the associated
7621 server.
7622
7623 - : does not apply (no cookie set in configuration).
7624
7625 - the last character reports what operations were performed on the persistence
7626 cookie returned by the server (only in HTTP mode) :
7627
7628 N : NO cookie was provided by the server, and none was inserted either.
7629
7630 I : no cookie was provided by the server, and the proxy INSERTED one.
7631 Note that in "cookie insert" mode, if the server provides a cookie,
7632 it will still be overwritten and reported as "I" here.
7633
7634 P : a cookie was PROVIDED by the server and transmitted as-is.
7635
7636 R : the cookie provided by the server was REWRITTEN by the proxy, which
7637 happens in "cookie rewrite" or "cookie prefix" modes.
7638
7639 D : the cookie provided by the server was DELETED by the proxy.
7640
7641 - : does not apply (no cookie set in configuration).
7642
7643The combination of the two first flags give a lot of information about what was
7644happening when the session terminated, and why it did terminate. It can be
7645helpful to detect server saturation, network troubles, local system resource
7646starvation, attacks, etc...
7647
7648The most common termination flags combinations are indicated below. They are
7649alphabetically sorted, with the lowercase set just after the upper case for
7650easier finding and understanding.
7651
7652 Flags Reason
7653
7654 -- Normal termination.
7655
7656 CC The client aborted before the connection could be established to the
7657 server. This can happen when haproxy tries to connect to a recently
7658 dead (or unchecked) server, and the client aborts while haproxy is
7659 waiting for the server to respond or for "timeout connect" to expire.
7660
7661 CD The client unexpectedly aborted during data transfer. This can be
7662 caused by a browser crash, by an intermediate equipment between the
7663 client and haproxy which decided to actively break the connection,
7664 by network routing issues between the client and haproxy, or by a
7665 keep-alive session between the server and the client terminated first
7666 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01007667
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007668 cD The client did not send nor acknowledge any data for as long as the
7669 "timeout client" delay. This is often caused by network failures on
7670 the client side, or the client simply leaving the net uncleanly.
7671
7672 CH The client aborted while waiting for the server to start responding.
7673 It might be the server taking too long to respond or the client
7674 clicking the 'Stop' button too fast.
7675
7676 cH The "timeout client" stroke while waiting for client data during a
7677 POST request. This is sometimes caused by too large TCP MSS values
7678 for PPPoE networks which cannot transport full-sized packets. It can
7679 also happen when client timeout is smaller than server timeout and
7680 the server takes too long to respond.
7681
7682 CQ The client aborted while its session was queued, waiting for a server
7683 with enough empty slots to accept it. It might be that either all the
7684 servers were saturated or that the assigned server was taking too
7685 long a time to respond.
7686
7687 CR The client aborted before sending a full HTTP request. Most likely
7688 the request was typed by hand using a telnet client, and aborted
7689 too early. The HTTP status code is likely a 400 here. Sometimes this
7690 might also be caused by an IDS killing the connection between haproxy
7691 and the client.
7692
7693 cR The "timeout http-request" stroke before the client sent a full HTTP
7694 request. This is sometimes caused by too large TCP MSS values on the
7695 client side for PPPoE networks which cannot transport full-sized
7696 packets, or by clients sending requests by hand and not typing fast
7697 enough, or forgetting to enter the empty line at the end of the
7698 request. The HTTP status code is likely a 408 here.
7699
7700 CT The client aborted while its session was tarpitted. It is important to
7701 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02007702 wrong tarpit rules have been written. If a lot of them happen, it
7703 might make sense to lower the "timeout tarpit" value to something
7704 closer to the average reported "Tw" timer, in order not to consume
7705 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007706
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007707 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007708 the TCP connection (the proxy received a TCP RST or an ICMP message
7709 in return). Under some circumstances, it can also be the network
7710 stack telling the proxy that the server is unreachable (eg: no route,
7711 or no ARP response on local network). When this happens in HTTP mode,
7712 the status code is likely a 502 or 503 here.
7713
7714 sC The "timeout connect" stroke before a connection to the server could
7715 complete. When this happens in HTTP mode, the status code is likely a
7716 503 or 504 here.
7717
7718 SD The connection to the server died with an error during the data
7719 transfer. This usually means that haproxy has received an RST from
7720 the server or an ICMP message from an intermediate equipment while
7721 exchanging data with the server. This can be caused by a server crash
7722 or by a network issue on an intermediate equipment.
7723
7724 sD The server did not send nor acknowledge any data for as long as the
7725 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007726 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007727 load-balancers, ...), as well as keep-alive sessions maintained
7728 between the client and the server expiring first on haproxy.
7729
7730 SH The server aborted before sending its full HTTP response headers, or
7731 it crashed while processing the request. Since a server aborting at
7732 this moment is very rare, it would be wise to inspect its logs to
7733 control whether it crashed and why. The logged request may indicate a
7734 small set of faulty requests, demonstrating bugs in the application.
7735 Sometimes this might also be caused by an IDS killing the connection
7736 between haproxy and the server.
7737
7738 sH The "timeout server" stroke before the server could return its
7739 response headers. This is the most common anomaly, indicating too
7740 long transactions, probably caused by server or database saturation.
7741 The immediate workaround consists in increasing the "timeout server"
7742 setting, but it is important to keep in mind that the user experience
7743 will suffer from these long response times. The only long term
7744 solution is to fix the application.
7745
7746 sQ The session spent too much time in queue and has been expired. See
7747 the "timeout queue" and "timeout connect" settings to find out how to
7748 fix this if it happens too often. If it often happens massively in
7749 short periods, it may indicate general problems on the affected
7750 servers due to I/O or database congestion, or saturation caused by
7751 external attacks.
7752
7753 PC The proxy refused to establish a connection to the server because the
7754 process' socket limit has been reached while attempting to connect.
7755 The global "maxconn" parameter may be increased in the configuration
7756 so that it does not happen anymore. This status is very rare and
7757 might happen when the global "ulimit-n" parameter is forced by hand.
7758
7759 PH The proxy blocked the server's response, because it was invalid,
7760 incomplete, dangerous (cache control), or matched a security filter.
7761 In any case, an HTTP 502 error is sent to the client. One possible
7762 cause for this error is an invalid syntax in an HTTP header name
7763 containing unauthorized characters.
7764
7765 PR The proxy blocked the client's HTTP request, either because of an
7766 invalid HTTP syntax, in which case it returned an HTTP 400 error to
7767 the client, or because a deny filter matched, in which case it
7768 returned an HTTP 403 error.
7769
7770 PT The proxy blocked the client's request and has tarpitted its
7771 connection before returning it a 500 server error. Nothing was sent
7772 to the server. The connection was maintained open for as long as
7773 reported by the "Tw" timer field.
7774
7775 RC A local resource has been exhausted (memory, sockets, source ports)
7776 preventing the connection to the server from establishing. The error
7777 logs will tell precisely what was missing. This is very rare and can
7778 only be solved by proper system tuning.
7779
7780
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077818.6. Non-printable characters
7782-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007783
7784In order not to cause trouble to log analysis tools or terminals during log
7785consulting, non-printable characters are not sent as-is into log files, but are
7786converted to the two-digits hexadecimal representation of their ASCII code,
7787prefixed by the character '#'. The only characters that can be logged without
7788being escaped are comprised between 32 and 126 (inclusive). Obviously, the
7789escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
7790is the same for the character '"' which becomes "#22", as well as '{', '|' and
7791'}' when logging headers.
7792
7793Note that the space character (' ') is not encoded in headers, which can cause
7794issues for tools relying on space count to locate fields. A typical header
7795containing spaces is "User-Agent".
7796
7797Last, it has been observed that some syslog daemons such as syslog-ng escape
7798the quote ('"') with a backslash ('\'). The reverse operation can safely be
7799performed since no quote may appear anywhere else in the logs.
7800
7801
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078028.7. Capturing HTTP cookies
7803---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007804
7805Cookie capture simplifies the tracking a complete user session. This can be
7806achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007807section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007808cookie will simultaneously be checked in the request ("Cookie:" header) and in
7809the response ("Set-Cookie:" header). The respective values will be reported in
7810the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007811locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007812not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
7813user switches to a new session for example, because the server will reassign it
7814a new cookie. It is also possible to detect if a server unexpectedly sets a
7815wrong cookie to a client, leading to session crossing.
7816
7817 Examples :
7818 # capture the first cookie whose name starts with "ASPSESSION"
7819 capture cookie ASPSESSION len 32
7820
7821 # capture the first cookie whose name is exactly "vgnvisitor"
7822 capture cookie vgnvisitor= len 32
7823
7824
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078258.8. Capturing HTTP headers
7826---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007827
7828Header captures are useful to track unique request identifiers set by an upper
7829proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
7830the response, one can search for information about the response length, how the
7831server asked the cache to behave, or an object location during a redirection.
7832
7833Header captures are performed using the "capture request header" and "capture
7834response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007835section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007836
7837It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007838time. Non-existent headers are logged as empty strings, and if one header
7839appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007840are grouped within braces '{' and '}' in the same order as they were declared,
7841and delimited with a vertical bar '|' without any space. Response headers
7842follow the same representation, but are displayed after a space following the
7843request headers block. These blocks are displayed just before the HTTP request
7844in the logs.
7845
7846 Example :
7847 # This instance chains to the outgoing proxy
7848 listen proxy-out
7849 mode http
7850 option httplog
7851 option logasap
7852 log global
7853 server cache1 192.168.1.1:3128
7854
7855 # log the name of the virtual server
7856 capture request header Host len 20
7857
7858 # log the amount of data uploaded during a POST
7859 capture request header Content-Length len 10
7860
7861 # log the beginning of the referrer
7862 capture request header Referer len 20
7863
7864 # server name (useful for outgoing proxies only)
7865 capture response header Server len 20
7866
7867 # logging the content-length is useful with "option logasap"
7868 capture response header Content-Length len 10
7869
7870 # log the expected cache behaviour on the response
7871 capture response header Cache-Control len 8
7872
7873 # the Via header will report the next proxy's name
7874 capture response header Via len 20
7875
7876 # log the URL location during a redirection
7877 capture response header Location len 20
7878
7879 >>> Aug 9 20:26:09 localhost \
7880 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
7881 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
7882 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
7883 "GET http://fr.adserver.yahoo.com/"
7884
7885 >>> Aug 9 20:30:46 localhost \
7886 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
7887 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
7888 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007889 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007890
7891 >>> Aug 9 20:30:46 localhost \
7892 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
7893 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
7894 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
7895 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007896 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007897
7898
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078998.9. Examples of logs
7900---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007901
7902These are real-world examples of logs accompanied with an explanation. Some of
7903them have been made up by hand. The syslog part has been removed for better
7904reading. Their sole purpose is to explain how to decipher them.
7905
7906 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
7907 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
7908 "HEAD / HTTP/1.0"
7909
7910 => long request (6.5s) entered by hand through 'telnet'. The server replied
7911 in 147 ms, and the session ended normally ('----')
7912
7913 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
7914 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
7915 0/9 "HEAD / HTTP/1.0"
7916
7917 => Idem, but the request was queued in the global queue behind 9 other
7918 requests, and waited there for 1230 ms.
7919
7920 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
7921 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
7922 "GET /image.iso HTTP/1.0"
7923
7924 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007925 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007926 14 ms, 243 bytes of headers were sent to the client, and total time from
7927 accept to first data byte is 30 ms.
7928
7929 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
7930 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
7931 "GET /cgi-bin/bug.cgi? HTTP/1.0"
7932
7933 => the proxy blocked a server response either because of an "rspdeny" or
7934 "rspideny" filter, or because the response was improperly formatted and
7935 not HTTP-compliant, or because it blocked sensible information which
7936 risked being cached. In this case, the response is replaced with a "502
7937 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
7938 to return the 502 and not the server.
7939
7940 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007941 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007942
7943 => the client never completed its request and aborted itself ("C---") after
7944 8.5s, while the proxy was waiting for the request headers ("-R--").
7945 Nothing was sent to any server.
7946
7947 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
7948 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
7949
7950 => The client never completed its request, which was aborted by the
7951 time-out ("c---") after 50s, while the proxy was waiting for the request
7952 headers ("-R--"). Nothing was sent to any server, but the proxy could
7953 send a 408 return code to the client.
7954
7955 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
7956 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
7957
7958 => This log was produced with "option tcplog". The client timed out after
7959 5 seconds ("c----").
7960
7961 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
7962 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007963 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007964
7965 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007966 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007967 (config says 'retries 3'), and no redispatch (otherwise we would have
7968 seen "/+3"). Status code 503 was returned to the client. There were 115
7969 connections on this server, 202 connections on this proxy, and 205 on
7970 the global process. It is possible that the server refused the
7971 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01007972
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007973
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079749. Statistics and monitoring
7975----------------------------
7976
7977It is possible to query HAProxy about its status. The most commonly used
7978mechanism is the HTTP statistics page. This page also exposes an alternative
7979CSV output format for monitoring tools. The same format is provided on the
7980Unix socket.
7981
7982
79839.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007984---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007985
Willy Tarreau7f062c42009-03-05 18:43:00 +01007986The statistics may be consulted either from the unix socket or from the HTTP
7987page. Both means provide a CSV format whose fields follow.
7988
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007989 0. pxname: proxy name
7990 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
7991 for server)
7992 2. qcur: current queued requests
7993 3. qmax: max queued requests
7994 4. scur: current sessions
7995 5. smax: max sessions
7996 6. slim: sessions limit
7997 7. stot: total sessions
7998 8. bin: bytes in
7999 9. bout: bytes out
8000 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008001 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008002 12. ereq: request errors
8003 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +01008004 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008005 15. wretr: retries (warning)
8006 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +01008007 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008008 18. weight: server weight (server), total weight (backend)
8009 19. act: server is active (server), number of active servers (backend)
8010 20. bck: server is backup (server), number of backup servers (backend)
8011 21. chkfail: number of failed checks
8012 22. chkdown: number of UP->DOWN transitions
8013 23. lastchg: last status change (in seconds)
8014 24. downtime: total downtime (in seconds)
8015 25. qlimit: queue limit
8016 26. pid: process id (0 for first instance, 1 for second, ...)
8017 27. iid: unique proxy id
8018 28. sid: service id (unique inside a proxy)
8019 29. throttle: warm up status
8020 30. lbtot: total number of times a server was selected
8021 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02008022 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +02008023 33. rate: number of sessions per second over last elapsed second
8024 34. rate_lim: limit on new sessions per second
8025 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008026 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +01008027 UNK -> unknown
8028 INI -> initializing
8029 SOCKERR -> socket error
8030 L4OK -> check passed on layer 4, no upper layers testing enabled
8031 L4TMOUT -> layer 1-4 timeout
8032 L4CON -> layer 1-4 connection problem, for example
8033 "Connection refused" (tcp rst) or "No route to host" (icmp)
8034 L6OK -> check passed on layer 6
8035 L6TOUT -> layer 6 (SSL) timeout
8036 L6RSP -> layer 6 invalid response - protocol error
8037 L7OK -> check passed on layer 7
8038 L7OKC -> check conditionally passed on layer 7, for example 404 with
8039 disable-on-404
8040 L7TOUT -> layer 7 (HTTP/SMTP) timeout
8041 L7RSP -> layer 7 invalid response - protocol error
8042 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008043 37. check_code: layer5-7 code, if available
8044 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008045 39. hrsp_1xx: http responses with 1xx code
8046 40. hrsp_2xx: http responses with 2xx code
8047 41. hrsp_3xx: http responses with 3xx code
8048 42. hrsp_4xx: http responses with 4xx code
8049 43. hrsp_5xx: http responses with 5xx code
8050 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +01008051 45. hanafail: failed health checks details
8052 46. req_rate: HTTP requests per second over last elapsed second
8053 47. req_rate_max: max number of HTTP requests per second observed
8054 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +01008055 49. cli_abrt: number of data transfers aborted by the client
8056 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +01008057
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008058
Willy Tarreauc57f0e22009-05-10 13:12:33 +020080599.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008060-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008061
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008062The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008063must be terminated by a line feed. The socket supports pipelining, so that it
8064is possible to chain multiple commands at once provided they are delimited by
8065a semi-colon or a line feed, although the former is more reliable as it has no
8066risk of being truncated over the network. The responses themselves will each be
8067followed by an empty line, so it will be easy for an external script to match a
8068given response with a given request. By default one command line is processed
8069then the connection closes, but there is an interactive allowing multiple lines
8070to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008071
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008072It is important to understand that when multiple haproxy processes are started
8073on the same sockets, any process may pick up the request and will output its
8074own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008075
Willy Tarreaud63335a2010-02-26 12:56:52 +01008076clear counters
8077 Clear the max values of the statistics counters in each proxy (frontend &
8078 backend) and in each server. The cumulated counters are not affected. This
8079 can be used to get clean counters after an incident, without having to
8080 restart nor to clear traffic counters. This command is restricted and can
8081 only be issued on sockets configured for levels "operator" or "admin".
8082
8083clear counters all
8084 Clear all statistics counters in each proxy (frontend & backend) and in each
8085 server. This has the same effect as restarting. This command is restricted
8086 and can only be issued on sockets configured for level "admin".
8087
8088disable server <backend>/<server>
8089 Mark the server DOWN for maintenance. In this mode, no more checks will be
8090 performed on the server until it leaves maintenance.
8091 If the server is tracked by other servers, those servers will be set to DOWN
8092 during the maintenance.
8093
8094 In the statistics page, a server DOWN for maintenance will appear with a
8095 "MAINT" status, its tracking servers with the "MAINT(via)" one.
8096
8097 Both the backend and the server may be specified either by their name or by
8098 their numeric ID, prefixed with a dash ('#').
8099
8100 This command is restricted and can only be issued on sockets configured for
8101 level "admin".
8102
8103enable server <backend>/<server>
8104 If the server was previously marked as DOWN for maintenance, this marks the
8105 server UP and checks are re-enabled.
8106
8107 Both the backend and the server may be specified either by their name or by
8108 their numeric ID, prefixed with a dash ('#').
8109
8110 This command is restricted and can only be issued on sockets configured for
8111 level "admin".
8112
8113get weight <backend>/<server>
8114 Report the current weight and the initial weight of server <server> in
8115 backend <backend> or an error if either doesn't exist. The initial weight is
8116 the one that appears in the configuration file. Both are normally equal
8117 unless the current weight has been changed. Both the backend and the server
8118 may be specified either by their name or by their numeric ID, prefixed with a
8119 dash ('#').
8120
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008121help
8122 Print the list of known keywords and their basic usage. The same help screen
8123 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008124
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008125prompt
8126 Toggle the prompt at the beginning of the line and enter or leave interactive
8127 mode. In interactive mode, the connection is not closed after a command
8128 completes. Instead, the prompt will appear again, indicating the user that
8129 the interpreter is waiting for a new command. The prompt consists in a right
8130 angle bracket followed by a space "> ". This mode is particularly convenient
8131 when one wants to periodically check information such as stats or errors.
8132 It is also a good idea to enter interactive mode before issuing a "help"
8133 command.
8134
8135quit
8136 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008137
Willy Tarreaud63335a2010-02-26 12:56:52 +01008138set timeout cli <delay>
8139 Change the CLI interface timeout for current connection. This can be useful
8140 during long debugging sessions where the user needs to constantly inspect
8141 some indicators without being disconnected. The delay is passed in seconds.
8142
8143set weight <backend>/<server> <weight>[%]
8144 Change a server's weight to the value passed in argument. If the value ends
8145 with the '%' sign, then the new weight will be relative to the initially
8146 configured weight. Relative weights are only permitted between 0 and 100%,
8147 and absolute weights are permitted between 0 and 256. Servers which are part
8148 of a farm running a static load-balancing algorithm have stricter limitations
8149 because the weight cannot change once set. Thus for these servers, the only
8150 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
8151 effect immediately, though certain LB algorithms require a certain amount of
8152 requests to consider changes. A typical usage of this command is to disable
8153 a server during an update by setting its weight to zero, then to enable it
8154 again after the update by setting it back to 100%. This command is restricted
8155 and can only be issued on sockets configured for level "admin". Both the
8156 backend and the server may be specified either by their name or by their
8157 numeric ID, prefixed with a dash ('#').
8158
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008159show errors [<iid>]
8160 Dump last known request and response errors collected by frontends and
8161 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +02008162 either frontend or backend whose ID is <iid>. This command is restricted
8163 and can only be issued on sockets configured for levels "operator" or
8164 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008165
8166 The errors which may be collected are the last request and response errors
8167 caused by protocol violations, often due to invalid characters in header
8168 names. The report precisely indicates what exact character violated the
8169 protocol. Other important information such as the exact date the error was
8170 detected, frontend and backend names, the server name (when known), the
8171 internal session ID and the source address which has initiated the session
8172 are reported too.
8173
8174 All characters are returned, and non-printable characters are encoded. The
8175 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
8176 letter following a backslash. The backslash itself is encoded as '\\' to
8177 avoid confusion. Other non-printable characters are encoded '\xNN' where
8178 NN is the two-digits hexadecimal representation of the character's ASCII
8179 code.
8180
8181 Lines are prefixed with the position of their first character, starting at 0
8182 for the beginning of the buffer. At most one input line is printed per line,
8183 and large lines will be broken into multiple consecutive output lines so that
8184 the output never goes beyond 79 characters wide. It is easy to detect if a
8185 line was broken, because it will not end with '\n' and the next line's offset
8186 will be followed by a '+' sign, indicating it is a continuation of previous
8187 line.
8188
8189 Example :
8190 >>> $ echo "show errors" | socat stdio /tmp/sock1
8191 [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
8192 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
8193 response length 213 bytes, error at position 23:
8194
8195 00000 HTTP/1.0 200 OK\r\n
8196 00017 header/bizarre:blah\r\n
8197 00038 Location: blah\r\n
8198 00054 Long-line: this is a very long line which should b
8199 00104+ e broken into multiple lines on the output buffer,
8200 00154+ otherwise it would be too large to print in a ter
8201 00204+ minal\r\n
8202 00211 \r\n
8203
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008204 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008205 ID 2 has blocked an invalid response from its server s2 which has internal
8206 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
8207 received by frontend fe-eth0 whose ID is 1. The total response length was
8208 213 bytes when the error was detected, and the error was at byte 23. This
8209 is the slash ('/') in header name "header/bizarre", which is not a valid
8210 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008211
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008212show info
8213 Dump info about haproxy status on current process.
8214
8215show sess
8216 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +02008217 be huge. This command is restricted and can only be issued on sockets
8218 configured for levels "operator" or "admin".
8219
Willy Tarreau66dc20a2010-03-05 17:53:32 +01008220show sess <id>
8221 Display a lot of internal information about the specified session identifier.
8222 This identifier is the first field at the beginning of the lines in the dumps
8223 of "show sess" (it corresponds to the session pointer). Those information are
8224 useless to most users but may be used by haproxy developers to troubleshoot a
8225 complex bug. The output format is intentionally not documented so that it can
8226 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008227
8228show stat [<iid> <type> <sid>]
8229 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
8230 possible to dump only selected items :
8231 - <iid> is a proxy ID, -1 to dump everything
8232 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
8233 backends, 4 for servers, -1 for everything. These values can be ORed,
8234 for example:
8235 1 + 2 = 3 -> frontend + backend.
8236 1 + 2 + 4 = 7 -> frontend + backend + server.
8237 - <sid> is a server ID, -1 to dump everything from the selected proxy.
8238
8239 Example :
8240 >>> $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
8241 Name: HAProxy
8242 Version: 1.4-dev2-49
8243 Release_date: 2009/09/23
8244 Nbproc: 1
8245 Process_num: 1
8246 (...)
8247
8248 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
8249 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
8250 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
8251 (...)
8252 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
8253
8254 $
8255
8256 Here, two commands have been issued at once. That way it's easy to find
8257 which process the stats apply to in multi-process mode. Notice the empty
8258 line after the information output which marks the end of the first block.
8259 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008260 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008261
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +02008262
Willy Tarreau0ba27502007-12-24 16:55:16 +01008263/*
8264 * Local variables:
8265 * fill-column: 79
8266 * End:
8267 */