blob: ab26df579552090faf07d799dee269b9a066a19f [file] [log] [blame]
willy tarreau0174f312005-12-18 01:02:42 +01001 -------------------
Willy Tarreau94b45912006-05-31 06:40:15 +02002 HAProxy
willy tarreau0174f312005-12-18 01:02:42 +01003 Reference Manual
4 -------------------
Willy Tarreau2272dc12006-09-03 10:19:38 +02005 version 1.3.2
willy tarreauc5f73ed2005-12-18 01:26:38 +01006 willy tarreau
Willy Tarreau2272dc12006-09-03 10:19:38 +02007 2006/09/03
willy tarreaueedaa9f2005-12-17 14:08:03 +01008
9============
10| Abstract |
11============
12
Willy Tarreau94b45912006-05-31 06:40:15 +020013HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
willy tarreaueedaa9f2005-12-17 14:08:03 +010014availability environments. Indeed, it can :
15 - route HTTP requests depending on statically assigned cookies ;
16 - spread the load among several servers while assuring server persistence
17 through the use of HTTP cookies ;
18 - switch to backup servers in the event a main one fails ;
19 - accept connections to special ports dedicated to service monitoring ;
20 - stop accepting connections without breaking existing ones ;
21 - add/modify/delete HTTP headers both ways ;
22 - block requests matching a particular pattern ;
willy tarreau532bb552006-05-13 18:40:37 +020023 - hold clients to the right application server depending on application
24 cookies
willy tarreau481132e2006-05-21 21:43:10 +020025 - report detailed status as HTML pages to authenticated users from an URI
26 intercepted from the application.
willy tarreaueedaa9f2005-12-17 14:08:03 +010027
28It needs very little resource. Its event-driven architecture allows it to easily
29handle thousands of simultaneous connections on hundreds of instances without
30risking the system's stability.
31
32====================
33| Start parameters |
34====================
35
36There are only a few command line options :
37
38 -f <configuration file>
39 -n <high limit for the total number of simultaneous connections>
willy tarreau532bb552006-05-13 18:40:37 +020040 = 'maxconn' in 'global' section
41 -N <high limit for the per-listener number of simultaneous connections>
42 = 'maxconn' in 'listen' or 'default' sections
willy tarreaueedaa9f2005-12-17 14:08:03 +010043 -d starts in foregreound with debugging mode enabled
44 -D starts in daemon mode
willy tarreau982249e2005-12-18 00:57:06 +010045 -q disable messages on output
46 -V displays messages on output even when -q or 'quiet' are specified.
47 -c only checks config file and exits with code 0 if no error was found, or
48 exits with code 1 if a syntax error was found.
willy tarreaufe2c5c12005-12-17 14:14:34 +010049 -p <pidfile> asks the process to write down each of its children's
50 pids to this file in daemon mode.
willy tarreau34f45302006-04-15 21:37:14 +020051 -sf specifies a list of pids to send a FINISH signal to after startup.
52 -st specifies a list of pids to send a TERMINATE signal to after startup.
willy tarreaueedaa9f2005-12-17 14:08:03 +010053 -s shows statistics (only if compiled in)
54 -l shows even more statistics (implies '-s')
willy tarreau64a3cc32005-12-18 01:13:11 +010055 -de disables use of epoll()
56 -dp disables use of poll()
willy tarreau34f45302006-04-15 21:37:14 +020057 -db disables background mode (stays in foreground, useful for debugging)
58 -m <megs> enforces a memory usage limit to a maximum of <megs> megabytes.
willy tarreaueedaa9f2005-12-17 14:08:03 +010059
willy tarreau532bb552006-05-13 18:40:37 +020060The maximal number of connections per proxy instance is used as the default
61parameter for each instance for which the 'maxconn' paramter is not set in the
62'listen' section.
willy tarreaueedaa9f2005-12-17 14:08:03 +010063
64The maximal number of total connections limits the number of connections used by
65the whole process if the 'maxconn' parameter is not set in the 'global' section.
66
67The debugging mode has the same effect as the 'debug' option in the 'global'
68section. When the proxy runs in this mode, it dumps every connections,
69disconnections, timestamps, and HTTP headers to stdout. This should NEVER
70be used in an init script since it will prevent the system from starting up.
71
willy tarreau34f45302006-04-15 21:37:14 +020072For debugging, the '-db' option is very useful as it temporarily disables
73daemon mode and multi-process mode. The service can then be stopped by simply
74pressing Ctrl-C, without having to edit the config nor run full debug.
75
willy tarreaueedaa9f2005-12-17 14:08:03 +010076Statistics are only available if compiled in with the 'STATTIME' option. It's
willy tarreau481132e2006-05-21 21:43:10 +020077only used during code optimization phases, and will soon disappear.
willy tarreaueedaa9f2005-12-17 14:08:03 +010078
willy tarreau532bb552006-05-13 18:40:37 +020079The '-st' and '-sf' options are used for hot reconfiguration (see below).
willy tarreau34f45302006-04-15 21:37:14 +020080
willy tarreaueedaa9f2005-12-17 14:08:03 +010081======================
82| Configuration file |
83======================
84
85Structure
86=========
87
88The configuration file parser ignores empty lines, spaces, tabs. Anything
89between a sharp ('#') not following a backslash ('\'), and the end of a line
90constitutes a comment and is ignored too.
91
92The configuration file is segmented in sections. A section begins whenever
93one of these 3 keywords are encountered :
94
95 - 'global'
96 - 'listen'
97 - 'defaults'
98
99Every parameter refer to the section beginning at the last one of these 3
100keywords.
101
102
1031) Global parameters
104====================
105
106Global parameters affect the whole process behaviour. They are all set in the
107'global' section. There may be several 'global' sections if needed, but their
108parameters will only be merged. Allowed parameters in 'global' section include
109the following ones :
110
111 - log <address> <facility> [max_level]
112 - maxconn <number>
113 - uid <user id>
114 - gid <group id>
115 - chroot <directory>
116 - nbproc <number>
117 - daemon
118 - debug
willy tarreau64a3cc32005-12-18 01:13:11 +0100119 - noepoll
120 - nopoll
willy tarreaueedaa9f2005-12-17 14:08:03 +0100121 - quiet
willy tarreaufe2c5c12005-12-17 14:14:34 +0100122 - pidfile <file>
willy tarreauc5f73ed2005-12-18 01:26:38 +0100123 - ulimit-n <number>
willy tarreau598da412005-12-18 01:07:29 +0100124 - stats
willy tarreaueedaa9f2005-12-17 14:08:03 +0100125
willy tarreauc5f73ed2005-12-18 01:26:38 +0100126
willy tarreaueedaa9f2005-12-17 14:08:03 +01001271.1) Event logging
128------------------
129Most events are logged : start, stop, servers going up and down, connections and
130errors. Each event generates a syslog message which can be sent to up to 2
131servers. The syntax is :
132
133 log <ip_address> <facility> [max_level]
134
135Connections are logged at level "info". Services initialization and servers
136going up are logged at level "notice", termination signals are logged at
137"warning", and definitive service termination, as well as loss of servers are
138logged at level "alert". The optional parameter <max_level> specifies above
139what level messages should be sent. Level can take one of these 8 values :
140
141 emerg, alert, crit, err, warning, notice, info, debug
142
143For backwards compatibility with versions 1.1.16 and earlier, the default level
144value is "debug" if not specified.
145
146Permitted facilities are :
147 kern, user, mail, daemon, auth, syslog, lpr, news,
148 uucp, cron, auth2, ftp, ntp, audit, alert, cron2,
149 local0, local1, local2, local3, local4, local5, local6, local7
150
151According to RFC3164, messages are truncated to 1024 bytes before being emitted.
152
153Example :
154---------
155 global
willy tarreauc5f73ed2005-12-18 01:26:38 +0100156 log 192.168.2.200 local3
157 log 127.0.0.1 local4 notice
158
willy tarreaueedaa9f2005-12-17 14:08:03 +0100159
1601.2) limiting the number of connections
161---------------------------------------
162It is possible and recommended to limit the global number of per-process
willy tarreauc5f73ed2005-12-18 01:26:38 +0100163connections using the 'maxconn' global keyword. Since one connection includes
164both a client and a server, it means that the max number of TCP sessions will
165be about the double of this number. It's important to understand this when
166trying to find best values for 'ulimit -n' before starting the proxy. To
167anticipate the number of sockets needed, all these parameters must be counted :
willy tarreaueedaa9f2005-12-17 14:08:03 +0100168
169 - 1 socket per incoming connection
170 - 1 socket per outgoing connection
171 - 1 socket per address/port/proxy tuple.
172 - 1 socket per server being health-checked
173 - 1 socket for all logs
174
175In simple configurations where each proxy only listens one one address/port,
willy tarreauc5f73ed2005-12-18 01:26:38 +0100176set the limit of file descriptors (ulimit -n) to
177(2 * maxconn + nbproxies + nbservers + 1). Starting with versions 1.1.32/1.2.6,
178it is now possible to set the limit in the configuration using the 'ulimit-n'
179global keyword, provided the proxy is started as root. This puts an end to the
180recurrent problem of ensuring that the system limits are adapted to the proxy
181values. Note that these limits are per-process.
182
183Example :
184---------
185 global
186 maxconn 32000
187 ulimit-n 65536
188
willy tarreaueedaa9f2005-12-17 14:08:03 +0100189
1901.3) Drop of priviledges
191------------------------
192In order to reduce the risk and consequences of attacks, in the event where a
193yet non-identified vulnerability would be successfully exploited, it's possible
194to lower the process priviledges and even isolate it in a riskless directory.
195
196In the 'global' section, the 'uid' parameter sets a numerical user identifier
197which the process will switch to after binding its listening sockets. The value
198'0', which normally represents the super-user, here indicates that the UID must
199not change during startup. It's the default behaviour. The 'gid' parameter does
200the same for the group identifier. It's particularly advised against use of
201generic accounts such as 'nobody' because it has the same consequences as using
202'root' if other services use them.
203
204The 'chroot' parameter makes the process isolate itself in an empty directory
205just before switching its UID. This type of isolation (chroot) can sometimes
206be worked around on certain OS (Linux, Solaris), provided that the attacker
207has gained 'root' priviledges and has the ability to use or create a directory.
208For this reason, it's capital to use a dedicated directory and not to share one
209between several services of different nature. To make isolation more resistant,
210it's recommended to use an empty directory without any right, and to change the
211UID of the process so that it cannot do anything there.
212
213Note: in the event where such a vulnerability would be exploited, it's most
214likely that first attempts would kill the process due to 'Segmentation Fault',
215'Bus Error' or 'Illegal Instruction' signals. Eventhough it's true that
216isolating the server reduces the risks of intrusion, it's sometimes useful to
217find why a process dies, via the analysis of a 'core' file, although very rare
218(the last bug of this sort was fixed in 1.1.9). For security reasons, most
219systems disable the generation of core file when a process changes its UID. So
220the two workarounds are either to start the process from a restricted user
221account, which will not be able to chroot itself, or start it as root and not
222change the UID. In both cases the core will be either in the start or the chroot
223directories. Do not forget to allow core dumps prior to start the process :
224
225# ulimit -c unlimited
226
227Example :
228---------
229
230 global
willy tarreauc5f73ed2005-12-18 01:26:38 +0100231 uid 30000
232 gid 30000
233 chroot /var/chroot/haproxy
234
willy tarreaueedaa9f2005-12-17 14:08:03 +0100235
2361.4) Startup modes
237------------------
willy tarreau34f45302006-04-15 21:37:14 +0200238The service can start in several different modes :
willy tarreaueedaa9f2005-12-17 14:08:03 +0100239 - foreground / background
240 - quiet / normal / debug
241
242The default mode is normal, foreground, which means that the program doesn't
243return once started. NEVER EVER use this mode in a system startup script, or
244the system won't boot. It needs to be started in background, so that it
245returns immediately after forking. That's accomplished by the 'daemon' option
246in the 'global' section, which is the equivalent of the '-D' command line
247argument.
248
willy tarreau34f45302006-04-15 21:37:14 +0200249The '-db' command line argument overrides the 'daemon' and 'nbproc' global
250options to make the process run in normal, foreground mode.
251
willy tarreaueedaa9f2005-12-17 14:08:03 +0100252Moreover, certain alert messages are still sent to the standard output even
253in 'daemon' mode. To make them disappear, simply add the 'quiet' option in the
254'global' section. This option has no command-line equivalent.
255
256Last, the 'debug' mode, enabled with the 'debug' option in the 'global' section,
257and which is equivalent of the '-d' option, allows deep TCP/HTTP analysis, with
258timestamped display of each connection, disconnection, and HTTP headers for both
259ways. This mode is incompatible with 'daemon' and 'quiet' modes for obvious
260reasons.
261
willy tarreauc5f73ed2005-12-18 01:26:38 +0100262
willy tarreaueedaa9f2005-12-17 14:08:03 +01002631.5) Increasing the overall processing power
264--------------------------------------------
265On multi-processor systems, it may seem to be a shame to use only one processor,
willy tarreau982249e2005-12-18 00:57:06 +0100266eventhough the load needed to saturate a recent processor is far above common
willy tarreaueedaa9f2005-12-17 14:08:03 +0100267usage. Anyway, for very specific needs, the proxy can start several processes
268between which the operating system will spread the incoming connections. The
269number of processes is controlled by the 'nbproc' parameter in the 'global'
willy tarreau4302f492005-12-18 01:00:37 +0100270section. It defaults to 1, and obviously works only in 'daemon' mode. One
271typical usage of this parameter has been to workaround the default per-process
272file-descriptor limit that Solaris imposes to user processes.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100273
274Example :
275---------
276
277 global
willy tarreauc5f73ed2005-12-18 01:26:38 +0100278 daemon
279 quiet
280 nbproc 2
willy tarreaueedaa9f2005-12-17 14:08:03 +0100281
282
willy tarreaufe2c5c12005-12-17 14:14:34 +01002831.6) Helping process management
284-------------------------------
285Haproxy now supports the notion of pidfile. If the '-p' command line argument,
286or the 'pidfile' global option is followed with a file name, this file will be
287removed, then filled with all children's pids, one per line (only in daemon
288mode). This file is NOT within the chroot, which allows to work with a readonly
289 chroot. It will be owned by the user starting the process, and will have
290permissions 0644.
291
292Example :
293---------
294
295 global
296 daemon
297 quiet
willy tarreauc5f73ed2005-12-18 01:26:38 +0100298 nbproc 2
willy tarreaufe2c5c12005-12-17 14:14:34 +0100299 pidfile /var/run/haproxy-private.pid
300
301 # to stop only those processes among others :
302 # kill $(</var/run/haproxy-private.pid)
303
willy tarreau34f45302006-04-15 21:37:14 +0200304 # to reload a new configuration with minimal service impact and without
305 # breaking existing sessions :
306 # haproxy -f haproxy.cfg -p $(</var/run/haproxy-private.pid) -st $(</var/run/haproxy-private.pid)
willy tarreaufe2c5c12005-12-17 14:14:34 +0100307
willy tarreau64a3cc32005-12-18 01:13:11 +01003081.7) Polling mechanisms
309-----------------------
310Starting from version 1.2.5, haproxy supports the poll() and epoll() polling
311mechanisms. On systems where select() is limited by FD_SETSIZE (like Solaris),
312poll() can be an interesting alternative. Performance tests show that Solaris'
313poll() performance does not decay as fast as the numbers of sockets increase,
314making it a safe solution for high loads. However, Solaris already uses poll()
315to emulate select(), so as long as the number of sockets has no reason to go
316higher than FD_SETSIZE, poll() should not provide any better performance. On
317Linux systems with the epoll() patch (or any 2.6 version), haproxy will use
318epoll() which is extremely fast and non dependant on the number of sockets.
319Tests have shown constant performance from 1 to 20000 simultaneous sessions.
320
321Haproxy will use epoll() when available, and will fall back to poll(), then to
322select(). However, if for any reason you need to disable epoll() or poll() (eg.
323because of a bug or just to compare performance), two new global options have
324been created for this matter : 'noepoll' and 'nopoll'.
325
326Example :
327---------
328
329 global
330 # use only select()
331 noepoll
332 nopoll
333
334Note :
335------
336For the sake of configuration file portability, these options are accepted but
337ignored if the poll() or epoll() mechanisms have not been enabled at compile
338time.
339
340To make debugging easier, the '-de' runtime argument disables epoll support and
341the '-dp' argument disables poll support. They are respectively equivalent to
342'noepoll' and 'nopoll'.
343
344
willy tarreaueedaa9f2005-12-17 14:08:03 +01003452) Declaration of a listening service
346=====================================
347
348Service sections start with the 'listen' keyword :
349
350 listen <instance_name> [ <IP_address>:<port_range>[,...] ]
351
352- <instance_name> is the name of the instance. This name will be reported in
353 logs, so it is good to have it reflect the proxied service. No unicity test
354 is done on this name, and it's not mandatory for it to be unique, but highly
355 recommended.
356
357- <IP_address> is the IP address the proxy binds to. Empty address, '*' and
358 '0.0.0.0' all mean that the proxy listens to all valid addresses on the
359 system.
360
361- <port_range> is either a unique port, or a port range for which the proxy will
362 accept connections for the IP address specified above. This range can be :
363 - a numerical port (ex: '80')
364 - a dash-delimited ports range explicitly stating the lower and upper bounds
365 (ex: '2000-2100') which are included in the range.
366
367 Particular care must be taken against port ranges, because every <addr:port>
368 couple consumes one socket (=a file descriptor), so it's easy to eat lots of
369 descriptors with a simple range. The <addr:port> couple must be used only once
370 among all instances running on a same system. Please note that attaching to
371 ports lower than 1024 need particular priviledges to start the program, which
372 are independant of the 'uid' parameter.
373
374- the <IP_address>:<port_range> couple may be repeated indefinitely to require
375 the proxy to listen to other addresses and/or ports. To achieve this, simply
376 separate them with a coma.
377
378Examples :
379---------
380 listen http_proxy :80
381 listen x11_proxy 127.0.0.1:6000-6009
382 listen smtp_proxy 127.0.0.1:25,127.0.0.1:587
383 listen ldap_proxy :389,:663
384
385In the event that all addresses do not fit line width, it's preferable to
386detach secondary addresses on other lines with the 'bind' keyword. If this
387keyword is used, it's not even necessary to specify the first address on the
388'listen' line, which sometimes makes multiple configuration handling easier :
389
390 bind [ <IP_address>:<port_range>[,...] ]
391
392Examples :
393----------
394 listen http_proxy
395 bind :80,:443
willy tarreauc5f73ed2005-12-18 01:26:38 +0100396 bind 10.0.0.1:10080,10.0.0.1:10443
397
willy tarreaueedaa9f2005-12-17 14:08:03 +0100398
3992.1) Inhibiting a service
400-------------------------
401A service may be disabled for maintenance reasons, without needing to comment
402out the whole section, simply by specifying the 'disabled' keyword in the
403section to be disabled :
404
405 listen smtp_proxy 0.0.0.0:25
willy tarreauc5f73ed2005-12-18 01:26:38 +0100406 disabled
willy tarreaueedaa9f2005-12-17 14:08:03 +0100407
408Note: the 'enabled' keyword allows to enable a service which has been disabled
409 previously by a default configuration.
410
willy tarreauc5f73ed2005-12-18 01:26:38 +0100411
willy tarreaueedaa9f2005-12-17 14:08:03 +01004122.2) Modes of operation
413-----------------------
414A service can work in 3 different distinct modes :
415 - TCP
416 - HTTP
willy tarreau532bb552006-05-13 18:40:37 +0200417 - health
willy tarreaueedaa9f2005-12-17 14:08:03 +0100418
419TCP mode
420--------
421In this mode, the service relays TCP connections as soon as they're established,
422towards one or several servers. No processing is done on the stream. It's only
423an association of source(addr:port) -> destination(addr:port). To use this mode,
424you must specify 'mode tcp' in the 'listen' section. This is the default mode.
425
426Example :
427---------
428 listen smtp_proxy 0.0.0.0:25
willy tarreauc5f73ed2005-12-18 01:26:38 +0100429 mode tcp
willy tarreaueedaa9f2005-12-17 14:08:03 +0100430
431HTTP mode
432---------
433In this mode, the service relays TCP connections towards one or several servers,
434when it has enough informations to decide, which normally means that all HTTP
435headers have been read. Some of them may be scanned for a cookie or a pattern
436matching a regex. To use this mode, specify 'mode http' in the 'listen' section.
437
438Example :
439---------
440 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100441 mode http
willy tarreaueedaa9f2005-12-17 14:08:03 +0100442
443Health-checking mode
444--------------------
445This mode provides a way for external components to check the proxy's health.
446It is meant to be used with intelligent load-balancers which can use send/expect
447scripts to check for all of their servers' availability. This one simply accepts
willy tarreau197e8ec2005-12-17 14:10:59 +0100448the connection, returns the word 'OK' and closes it. If the 'option httpchk' is
449set, then the reply will be 'HTTP/1.0 200 OK' with no data, so that it can be
450tested from a tool which supports HTTP health-checks. To enable it, simply
willy tarreaueedaa9f2005-12-17 14:08:03 +0100451specify 'health' as the working mode :
452
453Example :
454---------
willy tarreau197e8ec2005-12-17 14:10:59 +0100455 # simple response : 'OK'
willy tarreaueedaa9f2005-12-17 14:08:03 +0100456 listen health_check 0.0.0.0:60000
willy tarreauc5f73ed2005-12-18 01:26:38 +0100457 mode health
willy tarreaueedaa9f2005-12-17 14:08:03 +0100458
willy tarreau197e8ec2005-12-17 14:10:59 +0100459 # HTTP response : 'HTTP/1.0 200 OK'
460 listen http_health_check 0.0.0.0:60001
willy tarreauc5f73ed2005-12-18 01:26:38 +0100461 mode health
462 option httpchk
463
willy tarreau532bb552006-05-13 18:40:37 +02004642.2.1 Monitoring
465----------------
willy tarreauc5f73ed2005-12-18 01:26:38 +0100466Versions 1.1.32 and 1.2.6 provide a new solution to check the proxy's
467availability without perturbating the service. The 'monitor-net' keyword was
468created to specify a network of equipments which CANNOT use the service for
469anything but health-checks. This is particularly suited to TCP proxies, because
470it prevents the proxy from relaying the monitor's connection to the remote
471server.
472
473When used with TCP, the connection is accepted then closed and nothing is
474logged. This is enough for a front-end load-balancer to detect the service as
475available.
willy tarreau197e8ec2005-12-17 14:10:59 +0100476
willy tarreauc5f73ed2005-12-18 01:26:38 +0100477When used with HTTP, the connection is accepted, nothing is logged, the
478following response is sent, then the session is closed : "HTTP/1.0 200 OK".
479This is normally enough for any front-end HTTP load-balancer to detect the
480service as available too, both with TCP and HTTP checks.
481
482Proxies using the "monitor-net" keyword can remove the "option dontlognull", as
483it will make them log empty connections from hosts outside the monitoring
484network.
485
486Example :
487---------
488
489 listen tse-proxy
490 bind :3389,:1494,:5900 # TSE, ICA and VNC at once.
491 mode tcp
492 balance roundrobin
493 server tse-farm 192.168.1.10
494 monitor-net 192.168.1.252/31 # L4 load-balancers on .252 and .253
495
willy tarreaueedaa9f2005-12-17 14:08:03 +0100496
Willy Tarreau1c47f852006-07-09 08:22:27 +0200497When the system executing the checks is located behind a proxy, the monitor-net
498keyword cannot be used because haproxy will always see the proxy's address. To
499overcome this limitation, version 1.2.15 brought the 'monitor-uri' keyword. It
500defines an URI which will not be forwarded nor logged, but for which haproxy
501will immediately send an "HTTP/1.0 200 OK" response. This makes it possible to
502check the validity of the reverse-proxy->haproxy chain with one request. It can
503be used in HTTPS checks in front of an stunnel -> haproxy combination for
504instance. Obviously, this keyword is only valid in HTTP mode, otherwise there
505is no notion of URI. Note that the method and HTTP versions are simply ignored.
506
507Example :
508---------
509
510 listen stunnel_backend :8080
511 mode http
512 balance roundrobin
513 server web1 192.168.1.10:80 check
514 server web2 192.168.1.11:80 check
515 monitor-uri /haproxy_test
516
517
willy tarreaueedaa9f2005-12-17 14:08:03 +01005182.3) Limiting the number of simultaneous connections
519----------------------------------------------------
520The 'maxconn' parameter allows a proxy to refuse connections above a certain
521amount of simultaneous ones. When the limit is reached, it simply stops
522listening, but the system may still be accepting them because of the back log
willy tarreau982249e2005-12-18 00:57:06 +0100523queue. These connections will be processed later when other ones have freed
willy tarreaueedaa9f2005-12-17 14:08:03 +0100524some slots. This provides a serialization effect which helps very fragile
willy tarreau34f45302006-04-15 21:37:14 +0200525servers resist to high loads. See further for system limitations.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100526
527Example :
528---------
529 listen tiny_server 0.0.0.0:80
530 maxconn 10
531
532
5332.4) Soft stop
534--------------
535It is possible to stop services without breaking existing connections by the
willy tarreau22739ef2006-01-20 20:43:32 +0100536sending of the SIGUSR1 signal to the process. All services are then put into
willy tarreaueedaa9f2005-12-17 14:08:03 +0100537soft-stop state, which means that they will refuse to accept new connections,
538except for those which have a non-zero value in the 'grace' parameter, in which
539case they will still accept connections for the specified amount of time, in
willy tarreau22739ef2006-01-20 20:43:32 +0100540milliseconds. This makes it possible to tell a load-balancer that the service
541is failing, while still doing the job during the time it needs to detect it.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100542
543Note: active connections are never killed. In the worst case, the user will have
544to wait for all of them to close or to time-out, or simply kill the process
willy tarreau22739ef2006-01-20 20:43:32 +0100545normally (SIGTERM). The default 'grace' value is '0'.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100546
547Example :
548---------
549 # enter soft stop after 'killall -USR1 haproxy'
550 # the service will still run 10 seconds after the signal
551 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100552 mode http
553 grace 10000
willy tarreaueedaa9f2005-12-17 14:08:03 +0100554
555 # this port is dedicated to a load-balancer, and must fail immediately
556 listen health_check 0.0.0.0:60000
willy tarreauc5f73ed2005-12-18 01:26:38 +0100557 mode health
558 grace 0
willy tarreaueedaa9f2005-12-17 14:08:03 +0100559
560
willy tarreau39df2dc2006-01-29 21:56:05 +0100561As of version 1.2.8, a new soft-reconfiguration mechanism has been introduced.
willy tarreau22739ef2006-01-20 20:43:32 +0100562It is now possible to "pause" all the proxies by sending a SIGTTOU signal to
563the processes. This will disable the listening socket without breaking existing
564connections. After that, sending a SIGTTIN signal to those processes enables
565the listening sockets again. This is very useful to try to load a new
566configuration or even a new version of haproxy without breaking existing
567connections. If the load succeeds, then simply send a SIGUSR1 which will make
568the previous proxies exit immediately once their sessions are closed ; and if
569the load fails, then simply send a SIGTTIN to restore the service immediately.
570Please note that the 'grace' parameter is ignored for SIGTTOU, as well as for
571SIGUSR1 when the process was in the pause mode. Please also note that it would
572be useful to save the pidfile before starting a new instance.
573
willy tarreau34f45302006-04-15 21:37:14 +0200574This mechanism fully exploited since 1.2.11 with the '-st' and '-sf' options
willy tarreau532bb552006-05-13 18:40:37 +0200575(see below).
576
5772.4.1) Hot reconfiguration
578--------------------------
579The '-st' and '-sf' command line options are used to inform previously running
580processes that a configuration is being reloaded. They will receive the SIGTTOU
581signal to ask them to temporarily stop listening to the ports so that the new
582process can grab them. If anything wrong happens, the new process will send
583them a SIGTTIN to tell them to re-listen to the ports and continue their normal
584work. Otherwise, it will either ask them to finish (-sf) their work then softly
585exit, or immediately terminate (-st), breaking existing sessions. A typical use
586of this allows a configuration reload without service interruption :
587
588 # haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
589
willy tarreau22739ef2006-01-20 20:43:32 +0100590
willy tarreaueedaa9f2005-12-17 14:08:03 +01005912.5) Connections expiration time
592--------------------------------
593It is possible (and recommended) to configure several time-outs on TCP
594connections. Three independant timers are adjustable with values specified
595in milliseconds. A session will be terminated if either one of these timers
596expire.
597
598 - the time we accept to wait for data from the client, or for the client to
599 accept data : 'clitimeout' :
600
willy tarreauc5f73ed2005-12-18 01:26:38 +0100601 # client time-out set to 2mn30.
602 clitimeout 150000
willy tarreaueedaa9f2005-12-17 14:08:03 +0100603
604 - the time we accept to wait for data from the server, or for the server to
605 accept data : 'srvtimeout' :
606
willy tarreauc5f73ed2005-12-18 01:26:38 +0100607 # server time-out set to 30s.
608 srvtimeout 30000
willy tarreaueedaa9f2005-12-17 14:08:03 +0100609
610 - the time we accept to wait for a connection to establish on a server :
611 'contimeout' :
612
613 # we give up if the connection does not complete within 4 seconds
willy tarreauc5f73ed2005-12-18 01:26:38 +0100614 contimeout 4000
willy tarreaueedaa9f2005-12-17 14:08:03 +0100615
616Notes :
617-------
618 - 'contimeout' and 'srvtimeout' have no sense on 'health' mode servers ;
619 - under high loads, or with a saturated or defective network, it's possible
620 that some packets get lost. Since the first TCP retransmit only happens
621 after 3 seconds, a time-out equal to, or lower than 3 seconds cannot
622 compensate for a packet loss. A 4 seconds time-out seems a reasonable
623 minimum which will considerably reduce connection failures.
624
willy tarreauc5f73ed2005-12-18 01:26:38 +0100625
willy tarreaueedaa9f2005-12-17 14:08:03 +01006262.6) Attempts to reconnect
627--------------------------
628After a connection failure to a server, it is possible to retry, potentially
629on another server. This is useful if health-checks are too rare and you don't
630want the clients to see the failures. The number of attempts to reconnect is
631set by the 'retries' paramter.
632
633Example :
634---------
willy tarreauc5f73ed2005-12-18 01:26:38 +0100635 # we can retry 3 times max after a failure
636 retries 3
willy tarreaueedaa9f2005-12-17 14:08:03 +0100637
willy tarreau34f45302006-04-15 21:37:14 +0200638Please note that the reconnection attempt may lead to getting the connection
639sent to a new server if the original one died between connection attempts.
640
willy tarreaueedaa9f2005-12-17 14:08:03 +0100641
6422.7) Address of the dispatch server (deprecated)
643------------------------------------------------
644The server which will be sent all new connections is defined by the 'dispatch'
645parameter, in the form <address>:<port>. It generally is dedicated to unknown
646connections and will assign them a cookie, in case of HTTP persistence mode,
647or simply is a single server in case of generic TCP proxy. This old mode is only
648provided for backwards compatibility, but doesn't allow to check remote servers
649state, and has a rather limited usage. All new setups should switch to 'balance'
650mode. The principle of the dispatcher is to be able to perform the load
651balancing itself, but work only on new clients so that the server doesn't need
652to be a big machine.
653
654Example :
655---------
willy tarreauc5f73ed2005-12-18 01:26:38 +0100656 # all new connections go there
657 dispatch 192.168.1.2:80
willy tarreaueedaa9f2005-12-17 14:08:03 +0100658
659Note :
660------
661This parameter has no sense for 'health' servers, and is incompatible with
662'balance' mode.
663
664
6652.8) Outgoing source address
666----------------------------
667It is often necessary to bind to a particular address when connecting to some
668remote hosts. This is done via the 'source' parameter which is a per-proxy
669parameter. A newer version may allow to fix different sources to reach different
670servers. The syntax is 'source <address>[:<port>]', where <address> is a valid
671local address (or '0.0.0.0' or '*' or empty to let the system choose), and
672<port> is an optional parameter allowing the user to force the source port for
673very specific needs. If the port is not specified or is '0', the system will
674choose a free port. Note that as of version 1.1.18, the servers health checks
675are also performed from the same source.
676
677Examples :
678----------
679 listen http_proxy *:80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100680 # all connections take 192.168.1.200 as source address
681 source 192.168.1.200:0
willy tarreaueedaa9f2005-12-17 14:08:03 +0100682
683 listen rlogin_proxy *:513
willy tarreauc5f73ed2005-12-18 01:26:38 +0100684 # use address 192.168.1.200 and the reserved port 900 (needs to be root)
685 source 192.168.1.200:900
willy tarreaueedaa9f2005-12-17 14:08:03 +0100686
687
6882.9) Setting the cookie name
689----------------------------
690In HTTP mode, it is possible to look for a particular cookie which will contain
691a server identifier which should handle the connection. The cookie name is set
692via the 'cookie' parameter.
693
694Example :
695---------
696 listen http_proxy :80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100697 mode http
698 cookie SERVERID
willy tarreaueedaa9f2005-12-17 14:08:03 +0100699
700It is possible to change the cookie behaviour to get a smarter persistence,
701depending on applications. It is notably possible to delete or modify a cookie
702emitted by a server, insert a cookie identifying the server in an HTTP response
703and even add a header to tell upstream caches not to cache this response.
704
705Examples :
706----------
707
708To remove the cookie for direct accesses (ie when the server matches the one
709which was specified in the client cookie) :
710
willy tarreauc5f73ed2005-12-18 01:26:38 +0100711 cookie SERVERID indirect
willy tarreaueedaa9f2005-12-17 14:08:03 +0100712
713To replace the cookie value with the one assigned to the server if any (no
714cookie will be created if the server does not provide one, nor if the
715configuration does not provide one). This lets the application put the cookie
716exactly on certain pages (eg: successful authentication) :
717
willy tarreauc5f73ed2005-12-18 01:26:38 +0100718 cookie SERVERID rewrite
willy tarreaueedaa9f2005-12-17 14:08:03 +0100719
720To create a new cookie and assign the server identifier to it (in this case, all
721servers should be associated with a valid cookie, since no cookie will simply
722delete the cookie from the client's browser) :
723
willy tarreauc5f73ed2005-12-18 01:26:38 +0100724 cookie SERVERID insert
willy tarreaueedaa9f2005-12-17 14:08:03 +0100725
willy tarreau0174f312005-12-18 01:02:42 +0100726To reuse an existing application cookie and prefix it with the server's
727identifier, and remove it in the request, use the 'prefix' option. This allows
728to insert a haproxy in front of an application without risking to break clients
729which does not support more than one cookie :
730
willy tarreauc5f73ed2005-12-18 01:26:38 +0100731 cookie JSESSIONID prefix
willy tarreau0174f312005-12-18 01:02:42 +0100732
willy tarreaueedaa9f2005-12-17 14:08:03 +0100733To insert a cookie and ensure that no upstream cache will store it, add the
734'nocache' option :
735
willy tarreauc5f73ed2005-12-18 01:26:38 +0100736 cookie SERVERID insert nocache
willy tarreaueedaa9f2005-12-17 14:08:03 +0100737
738To insert a cookie only after a POST request, add 'postonly' after 'insert'.
739This has the advantage that there's no risk of caching, and that all pages
740seen before the POST one can still be cached :
741
willy tarreauc5f73ed2005-12-18 01:26:38 +0100742 cookie SERVERID insert postonly
willy tarreaueedaa9f2005-12-17 14:08:03 +0100743
744Notes :
745-----------
746- it is possible to combine 'insert' with 'indirect' or 'rewrite' to adapt to
747 applications which already generate the cookie with an invalid content.
748
749- in the case where 'insert' and 'indirect' are both specified, the cookie is
willy tarreau0174f312005-12-18 01:02:42 +0100750 never transmitted to the server, since it wouldn't understand it. This is the
751 most application-transparent mode.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100752
753- it is particularly recommended to use 'nocache' in 'insert' mode if any
754 upstream HTTP/1.0 cache is susceptible to cache the result, because this may
755 lead to many clients going to the same server, or even worse, some clients
756 having their server changed while retrieving a page from the cache.
757
willy tarreau0174f312005-12-18 01:02:42 +0100758- the 'prefix' mode normally does not need 'indirect', 'nocache', nor
759 'postonly', because just as in the 'rewrite' mode, it relies on the
760 application to know when a cookie can be emitted. However, since it has to
761 fix the cookie name in every subsequent requests, you must ensure that the
762 proxy will be used without any "HTTP keep-alive". Use option "httpclose" if
763 unsure.
764
willy tarreaueedaa9f2005-12-17 14:08:03 +0100765- when the application is well known and controlled, the best method is to
766 only add the persistence cookie on a POST form because it's up to the
willy tarreau0174f312005-12-18 01:02:42 +0100767 application to select which page it wants the upstream servers to cache. In
768 this case, you would use 'insert postonly indirect'.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100769
willy tarreauc5f73ed2005-12-18 01:26:38 +0100770
willy tarreaueedaa9f2005-12-17 14:08:03 +01007712.10) Associating a cookie value with a server
772----------------------------------------------
773In HTTP mode, it's possible to associate a cookie value to each server. This
774was initially used in combination with 'dispatch' mode to handle direct accesses
775but it is now the standard way of doing the load balancing. The syntax is :
776
777 server <identifier> <address>:<port> cookie <value>
778
779- <identifier> is any name which can be used to identify the server in the logs.
780- <address>:<port> specifies where the server is bound.
781- <value> is the value to put in or to read from the cookie.
782
783Example : the 'SERVERID' cookie can be either 'server01' or 'server02'
784---------
785 listen http_proxy :80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100786 mode http
787 cookie SERVERID
788 dispatch 192.168.1.100:80
789 server web1 192.168.1.1:80 cookie server01
790 server web2 192.168.1.2:80 cookie server02
willy tarreaueedaa9f2005-12-17 14:08:03 +0100791
792Warning : the syntax has changed since version 1.0 !
793---------
794
willy tarreauc5f73ed2005-12-18 01:26:38 +0100795
willy tarreau598da412005-12-18 01:07:29 +01007962.11) Application Cookies
797-------------------------
798Since 1.2.4 it is possible to catch the cookie that comes from an
799application server in order to apply "application session stickyness".
800The server's response is searched for 'appsession' cookie, the first
801'len' bytes are used for matching and it is stored for a period of
802'timeout'.
803The syntax is:
804
willy tarreau532bb552006-05-13 18:40:37 +0200805 appsession <session_cookie> len <match_length> timeout <holdtime>
willy tarreau598da412005-12-18 01:07:29 +0100806
willy tarreau532bb552006-05-13 18:40:37 +0200807- <session_cookie> is the cookie, the server uses for it's session-handling
808- <match_length> how many bytes/characters should be used for matching equal
willy tarreau598da412005-12-18 01:07:29 +0100809 sessions
willy tarreau532bb552006-05-13 18:40:37 +0200810- <holdtime> after this inactivaty time, in ms, the cookie will be deleted
willy tarreau598da412005-12-18 01:07:29 +0100811 from the sessionstore
812
813The appsession is only per 'listen' section possible.
814
815Example :
816---------
willy tarreau532bb552006-05-13 18:40:37 +0200817 listen http_lb1 192.168.3.4:80
818 mode http
819 capture request header Cookie len 200
820 # Havind a ServerID cookie on the client allows him to reach
821 # the right server even after expiration of the appsession.
822 cookie ServerID insert nocache indirect
823 # Will memorize 52 bytes of the cookie 'JSESSIONID' and keep them
824 # for 3 hours. It will match it in the cookie and the URL field.
825 appsession JSESSIONID len 52 timeout 10800000
826 server first1 10.3.9.2:10805 check inter 3000 cookie first
827 server secon1 10.3.9.3:10805 check inter 3000 cookie secon
828 server first1 10.3.9.4:10805 check inter 3000 cookie first
829 server secon2 10.3.9.5:10805 check inter 3000 cookie secon
830 option httpchk GET /test.jsp
willy tarreau598da412005-12-18 01:07:29 +0100831
willy tarreauc5f73ed2005-12-18 01:26:38 +0100832
willy tarreaueedaa9f2005-12-17 14:08:03 +01008333) Autonomous load balancer
834===========================
835
836The proxy can perform the load-balancing itself, both in TCP and in HTTP modes.
837This is the most interesting mode which obsoletes the old 'dispatch' mode
838described above. It has advantages such as server health monitoring, multiple
839port binding and port mapping. To use this mode, the 'balance' keyword is used,
willy tarreau34f45302006-04-15 21:37:14 +0200840followed by the selected algorithm. Up to version 1.2.11, only 'roundrobin' was
841available, which is also the default value if unspecified. Starting with
842version 1.2.12, a new 'source' keyword appeared. In this mode, there will be no
843dispatch address, but the proxy needs at least one server.
willy tarreaueedaa9f2005-12-17 14:08:03 +0100844
845Example : same as the last one, with internal load balancer
846---------
847
848 listen http_proxy :80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100849 mode http
850 cookie SERVERID
851 balance roundrobin
852 server web1 192.168.1.1:80 cookie server01
853 server web2 192.168.1.2:80 cookie server02
willy tarreaueedaa9f2005-12-17 14:08:03 +0100854
855
856Since version 1.1.22, it is possible to automatically determine on which port
857the server will get the connection, depending on the port the client connected
858to. Indeed, there now are 4 possible combinations for the server's <port> field:
859
860 - unspecified or '0' :
861 the connection will be sent to the same port as the one on which the proxy
862 received the client connection itself.
863
864 - numerical value (the only one supported in versions earlier than 1.1.22) :
865 the connection will always be sent to the specified port.
866
867 - '+' followed by a numerical value :
868 the connection will be sent to the same port as the one on which the proxy
869 received the connection, plus this value.
870
871 - '-' followed by a numerical value :
872 the connection will be sent to the same port as the one on which the proxy
873 received the connection, minus this value.
874
875Examples :
876----------
877
878# same as previous example
879
880 listen http_proxy :80
willy tarreauc5f73ed2005-12-18 01:26:38 +0100881 mode http
882 cookie SERVERID
883 balance roundrobin
884 server web1 192.168.1.1 cookie server01
885 server web2 192.168.1.2 cookie server02
willy tarreaueedaa9f2005-12-17 14:08:03 +0100886
887# simultaneous relaying of ports 80, 81 and 8080-8089
888
889 listen http_proxy :80,:81,:8080-8089
willy tarreauc5f73ed2005-12-18 01:26:38 +0100890 mode http
891 cookie SERVERID
892 balance roundrobin
893 server web1 192.168.1.1 cookie server01
894 server web2 192.168.1.2 cookie server02
willy tarreaueedaa9f2005-12-17 14:08:03 +0100895
896# relaying of TCP ports 25, 389 and 663 to ports 1025, 1389 and 1663
897
898 listen http_proxy :25,:389,:663
willy tarreauc5f73ed2005-12-18 01:26:38 +0100899 mode tcp
900 balance roundrobin
901 server srv1 192.168.1.1:+1000
902 server srv2 192.168.1.2:+1000
willy tarreaueedaa9f2005-12-17 14:08:03 +0100903
willy tarreau34f45302006-04-15 21:37:14 +0200904As previously stated, version 1.2.12 brought the 'source' keyword. When this
905keyword is used, the client's IP address is hashed and evenly distributed among
906the available servers so that a same source IP will always go to the same
907server as long as there are no change in the number of available servers. This
908can be used for instance to bind HTTP and HTTPS to the same server. It can also
909be used to improve stickyness when one part of the client population does not
910accept cookies. In this case, only those ones will be perturbated should a
911server fail.
912
913NOTE: It is important to consider the fact that many clients surf the net
914 through proxy farms which assign different IP addresses for each
915 request. Others use dialup connections with a different IP at each
916 connection. Thus, the 'source' parameter should be used with extreme
917 care.
918
919Examples :
920----------
921
922# make a same IP go to the same server whatever the service
923
924 listen http_proxy
925 bind :80,:443
926 mode http
927 balance source
928 server web1 192.168.1.1
929 server web2 192.168.1.2
930
931# try to improve client-server binding by using both source IP and cookie :
932
933 listen http_proxy :80
934 mode http
935 cookie SERVERID
936 balance source
937 server web1 192.168.1.1 cookie server01
938 server web2 192.168.1.2 cookie server02
939
willy tarreaueedaa9f2005-12-17 14:08:03 +0100940
willy tarreau197e8ec2005-12-17 14:10:59 +01009413.1) Server monitoring
942----------------------
willy tarreaueedaa9f2005-12-17 14:08:03 +0100943It is possible to check the servers status by trying to establish TCP
944connections or even sending HTTP requests to them. A server which fails to
945reply to health checks as expected will not be used by the load balancing
946algorithms. To enable monitoring, add the 'check' keyword on a server line.
947It is possible to specify the interval between tests (in milliseconds) with
948the 'inter' parameter, the number of failures supported before declaring that
949the server has fallen down with the 'fall' parameter, and the number of valid
950checks needed for the server to fully get up with the 'rise' parameter. Since
951version 1.1.22, it is also possible to send checks to a different port
952(mandatory when none is specified) with the 'port' parameter. The default
953values are the following ones :
954
955 - inter : 2000
956 - rise : 2
957 - fall : 3
958 - port : default server port
959
960The default mode consists in establishing TCP connections only. But in certain
961types of application failures, it is often that the server continues to accept
962connections because the system does it itself while the application is running
963an endless loop, or is completely stuck. So in version 1.1.16 were introduced
964HTTP health checks which only performed simple lightweight requests and analysed
965the response. Now, as of version 1.1.23, it is possible to change the HTTP
966method, the URI, and the HTTP version string (which even allows to send headers
967with a dirty trick). To enable HTTP health-checks, use 'option httpchk'.
968
969By default, requests use the 'OPTIONS' method because it's very light and easy
970to filter from logs, and does it on '/'. Only HTTP responses 2xx and 3xx are
971considered valid ones, and only if they come before the time to send a new
972request is reached ('inter' parameter). If some servers block this type of
973request, 3 other forms help to forge a request :
974
975 - option httpchk -> OPTIONS / HTTP/1.0
976 - option httpchk URI -> OPTIONS <URI> HTTP/1.0
977 - option httpchk METH URI -> <METH> <URI> HTTP/1.0
978 - option httpchk METH URI VER -> <METH> <URI> <VER>
979
Willy Tarreauf3c69202006-07-09 16:42:34 +0200980Some people are using HAProxy to relay various TCP-based protocols such as
981HTTPS, SMTP or LDAP, with the most common one being HTTPS. One problem commonly
982encountered in data centers is the need to forward the traffic to far remote
983servers while providing server fail-over. Often, TCP-only checks are not enough
984because intermediate firewalls, load balancers or proxies might acknowledge the
985connection before it reaches the real server. The only solution to this problem
986is to send application-level health checks. Since the demand for HTTPS checks
987is high, it has been implemented in 1.2.15 based on SSLv3 Client Hello packets.
988To enable it, use 'option ssl-hello-chk'. It will send SSL CLIENT HELLO packets
989to the servers, announcing support for most common cipher suites. If the server
990responds what looks like a SERVER HELLO or an ALERT (refuses the ciphers) then
991the response is considered as valid. Note that Apache does not generate a log
992when it receives only an HELLO message, which makes this type of message
993perfectly suit this need.
994
willy tarreaueedaa9f2005-12-17 14:08:03 +0100995See examples below.
996
997Since version 1.1.17, it is possible to specify backup servers. These servers
998are only sollicited when no other server is available. This may only be useful
999to serve a maintenance page, or define one active and one backup server (seldom
1000used in TCP mode). To make a server a backup one, simply add the 'backup' option
1001on its line. These servers also support cookies, so if a cookie is specified for
1002a backup server, clients assigned to this server will stick to it even when the
1003other ones come back. Conversely, if no cookie is assigned to such a server,
1004the clients will get their cookies removed (empty cookie = removal), and will
1005be balanced against other servers once they come back. Please note that there
Willy TARREAU3481c462006-03-01 22:37:57 +01001006is no load-balancing among backup servers by default. If there are several
1007backup servers, the second one will only be used when the first one dies, and
1008so on. To force load-balancing between backup servers, specify the 'allbackups'
1009option.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001010
1011Since version 1.1.17, it is also possible to visually check the status of all
1012servers at once. For this, you just have to send a SIGHUP signal to the proxy.
1013The servers status will be dumped into the logs at the 'notice' level, as well
1014as on <stderr> if not closed. For this reason, it's always a good idea to have
1015one local log server at the 'notice' level.
1016
willy tarreau982249e2005-12-18 00:57:06 +01001017Since version 1.1.28 and 1.2.1, if an instance loses all its servers, an
willy tarreau0174f312005-12-18 01:02:42 +01001018emergency message will be sent in the logs to inform the administator that an
willy tarreau982249e2005-12-18 00:57:06 +01001019immediate action must be taken.
1020
willy tarreau0174f312005-12-18 01:02:42 +01001021Since version 1.1.30 and 1.2.3, several servers can share the same cookie
1022value. This is particularly useful in backup mode, to select alternate paths
1023for a given server for example, to provide soft-stop, or to direct the clients
1024to a temporary page during an application restart. The principle is that when
1025a server is dead, the proxy will first look for another server which shares the
1026same cookie value for every client which presents the cookie. If there is no
1027standard server for this cookie, it will then look for a backup server which
1028shares the same name. Please consult the architecture guide for more information.
willy tarreau982249e2005-12-18 00:57:06 +01001029
willy tarreaueedaa9f2005-12-17 14:08:03 +01001030Examples :
1031----------
1032# same setup as in paragraph 3) with TCP monitoring
1033 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001034 mode http
1035 cookie SERVERID
1036 balance roundrobin
1037 server web1 192.168.1.1:80 cookie server01 check
1038 server web2 192.168.1.2:80 cookie server02 check inter 500 rise 1 fall 2
willy tarreaueedaa9f2005-12-17 14:08:03 +01001039
1040# same with HTTP monitoring via 'OPTIONS / HTTP/1.0'
1041 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001042 mode http
1043 cookie SERVERID
1044 balance roundrobin
1045 option httpchk
1046 server web1 192.168.1.1:80 cookie server01 check
1047 server web2 192.168.1.2:80 cookie server02 check inter 500 rise 1 fall 2
willy tarreaueedaa9f2005-12-17 14:08:03 +01001048
1049# same with HTTP monitoring via 'OPTIONS /index.html HTTP/1.0'
1050 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001051 mode http
1052 cookie SERVERID
1053 balance roundrobin
1054 option httpchk /index.html
1055 server web1 192.168.1.1:80 cookie server01 check
1056 server web2 192.168.1.2:80 cookie server02 check inter 500 rise 1 fall 2
willy tarreaueedaa9f2005-12-17 14:08:03 +01001057
1058# same with HTTP monitoring via 'HEAD /index.jsp? HTTP/1.1\r\nHost: www'
1059 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001060 mode http
1061 cookie SERVERID
1062 balance roundrobin
1063 option httpchk HEAD /index.jsp? HTTP/1.1\r\nHost:\ www
1064 server web1 192.168.1.1:80 cookie server01 check
1065 server web2 192.168.1.2:80 cookie server02 check inter 500 rise 1 fall 2
willy tarreaueedaa9f2005-12-17 14:08:03 +01001066
willy tarreau0174f312005-12-18 01:02:42 +01001067# Load-balancing with 'prefixed cookie' persistence, and soft-stop using an
1068# alternate port 81 on the server for health-checks.
1069 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001070 mode http
1071 cookie JSESSIONID prefix
1072 balance roundrobin
1073 option httpchk HEAD /index.jsp? HTTP/1.1\r\nHost:\ www
1074 server web1-norm 192.168.1.1:80 cookie s1 check port 81
1075 server web2-norm 192.168.1.2:80 cookie s2 check port 81
1076 server web1-stop 192.168.1.1:80 cookie s1 check port 80 backup
1077 server web2-stop 192.168.1.2:80 cookie s2 check port 80 backup
willy tarreau0174f312005-12-18 01:02:42 +01001078
willy tarreaueedaa9f2005-12-17 14:08:03 +01001079# automatic insertion of a cookie in the server's response, and automatic
1080# deletion of the cookie in the client request, while asking upstream caches
1081# not to cache replies.
1082 listen web_appl 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001083 mode http
1084 cookie SERVERID insert nocache indirect
1085 balance roundrobin
1086 server web1 192.168.1.1:80 cookie server01 check
1087 server web2 192.168.1.2:80 cookie server02 check
willy tarreaueedaa9f2005-12-17 14:08:03 +01001088
1089# same with off-site application backup and local error pages server
1090 listen web_appl 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001091 mode http
1092 cookie SERVERID insert nocache indirect
1093 balance roundrobin
1094 server web1 192.168.1.1:80 cookie server01 check
1095 server web2 192.168.1.2:80 cookie server02 check
1096 server web-backup 192.168.2.1:80 cookie server03 check backup
1097 server web-excuse 192.168.3.1:80 check backup
willy tarreaueedaa9f2005-12-17 14:08:03 +01001098
willy tarreauc5f73ed2005-12-18 01:26:38 +01001099# SMTP+TLS relaying with health-checks and backup servers
willy tarreaueedaa9f2005-12-17 14:08:03 +01001100
1101 listen http_proxy :25,:587
willy tarreauc5f73ed2005-12-18 01:26:38 +01001102 mode tcp
1103 balance roundrobin
1104 server srv1 192.168.1.1 check port 25 inter 30000 rise 1 fall 2
1105 server srv2 192.168.1.2 backup
willy tarreaueedaa9f2005-12-17 14:08:03 +01001106
Willy Tarreauf3c69202006-07-09 16:42:34 +02001107# HTTPS relaying with health-checks and backup servers
1108
1109 listen http_proxy :443
1110 mode tcp
1111 option ssl-hello-chk
1112 balance roundrobin
1113 server srv1 192.168.1.1 check inter 30000 rise 1 fall 2
1114 server srv2 192.168.1.2 backup
1115
Willy TARREAU3481c462006-03-01 22:37:57 +01001116# Load-balancing using a backup pool (requires haproxy 1.2.9)
1117 listen http_proxy 0.0.0.0:80
1118 mode http
1119 balance roundrobin
1120 option httpchk
1121 server inst1 192.168.1.1:80 cookie s1 check
1122 server inst2 192.168.1.2:80 cookie s2 check
1123 server inst3 192.168.1.3:80 cookie s3 check
1124 server back1 192.168.1.10:80 check backup
1125 server back2 192.168.1.11:80 check backup
1126 option allbackups # all backups will be used
1127
willy tarreaueedaa9f2005-12-17 14:08:03 +01001128
11293.2) Redistribute connections in case of failure
1130------------------------------------------------
1131In HTTP mode, if a server designated by a cookie does not respond, the clients
1132may definitely stick to it because they cannot flush the cookie, so they will
1133not be able to access the service anymore. Specifying 'redispatch' will allow
1134the proxy to break their persistence and redistribute them to working servers.
1135
1136Example :
1137---------
1138 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001139 mode http
1140 cookie SERVERID
1141 dispatch 192.168.1.100:80
1142 server web1 192.168.1.1:80 cookie server01
1143 server web2 192.168.1.2:80 cookie server02
1144 redispatch # send back to dispatch in case of connection failure
willy tarreaueedaa9f2005-12-17 14:08:03 +01001145
1146Up to, and including version 1.1.16, this parameter only applied to connection
1147failures. Since version 1.1.17, it also applies to servers which have been
1148detected as failed by the health check mechanism. Indeed, a server may be broken
1149but still accepting connections, which would not solve every case. But it is
1150possible to conserve the old behaviour, that is, make a client insist on trying
1151to connect to a server even if it is said to be down, by setting the 'persist'
1152option :
1153
1154 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001155 mode http
1156 option persist
1157 cookie SERVERID
1158 dispatch 192.168.1.100:80
1159 server web1 192.168.1.1:80 cookie server01
1160 server web2 192.168.1.2:80 cookie server02
1161 redispatch # send back to dispatch in case of connection failure
willy tarreaueedaa9f2005-12-17 14:08:03 +01001162
1163
willy tarreau34f45302006-04-15 21:37:14 +020011643.3) Assigning different weights to servers
1165-------------------------------------------
1166Sometimes you will need to bring new servers to increase your server farm's
1167capacity, but the new server will be either smaller (emergency use of anything
1168that fits) or bigger (when investing in new hardware). For this reason, it
1169might be wise to be able to send more clients to biggest servers. Till version
11701.2.11, it was necessary to replicate the same server multiple times in the
1171configuration. Starting with 1.2.12, the 'weight' option is available. HAProxy
1172then computes the most homogenous possible map of servers based on their
willy tarreau532bb552006-05-13 18:40:37 +02001173weights so that the load gets distributed as smoothly as possible among them.
1174The weight, between 1 and 256, should reflect one server's capacity relative to
1175others. Weight 1 represents the lowest frequency and 256 the highest. This way,
1176if a server fails, the remaining capacities are still respected.
willy tarreau34f45302006-04-15 21:37:14 +02001177
1178Example :
1179---------
1180# fair distribution among two opterons and one old pentium3
1181
1182 listen web_appl 0.0.0.0:80
1183 mode http
1184 cookie SERVERID insert nocache indirect
1185 balance roundrobin
1186 server pentium3-800 192.168.1.1:80 cookie server01 weight 8 check
1187 server opteron-2.0G 192.168.1.2:80 cookie server02 weight 20 check
1188 server opteron-2.4G 192.168.1.3:80 cookie server03 weight 24 check
1189 server web-backup1 192.168.2.1:80 cookie server04 check backup
1190 server web-excuse 192.168.3.1:80 check backup
1191
1192Notes :
1193-------
1194 - if unspecified, the default weight is 1
1195
1196 - the weight does not impact health checks, so it is cleaner to use weights
1197 than replicating the same server several times
1198
1199 - weights also work on backup servers if the 'allbackups' option is used
1200
1201 - the weights also apply to the source address load balancing
1202 ('balance source').
1203
1204 - whatever the weights, the first server will always be assigned first. This
1205 is helpful for troubleshooting.
1206
1207 - for the purists, the map calculation algorithm gives precedence to first
1208 server, so the map is the most uniform when servers are declared in
1209 ascending order relative to their weights.
1210
willy tarreau532bb552006-05-13 18:40:37 +02001211The load distribution will follow exactly this sequence :
1212
1213 Request| 1 1 1 1
1214 number | 1 2 3 4 5 6 7 8 9 0 1 2 3
1215 --------+---------------------------
1216 p3-800 | X . . . . . . X . . . . .
1217 opt-20 | . X . X . X . . . X . X .
1218 opt-24 | . . X . X . X . X . X . X
1219
1220
12213.4) Limiting the number of concurrent sessions on each server
1222--------------------------------------------------------------
1223Some pre-forked servers such as Apache suffer from too many concurrent
1224sessions, because it's very expensive to run hundreds or thousands of
1225processes on one system. One solution is to increase the number of servers
1226and load-balance between them, but it is a problem when the only goal is
1227to resist to short surges.
1228
1229To solve this problem, a new feature was implemented in HAProxy 1.2.13.
1230It's a per-server 'maxconn', associated with a per-server and a per-proxy
1231queue. This transforms haproxy into a request buffer between the thousands of
1232clients and the few servers. On many circumstances, lowering the maxconn value
1233will increase the server's performance and decrease the overall response times
1234because the servers will be less congested.
1235
1236When a request tries to reach any server, the first non-saturated server is
1237used, respective to the load balancing algorithm. If all servers are saturated,
1238then the request gets queued into the instance's global queue. It will be
1239dequeued once a server will have freed a session and all previously queued
1240requests have been processed.
1241
1242If a request references a particular server (eg: source hashing, or persistence
1243cookie), and if this server is full, then the request will be queued into the
1244server's dedicated queue. This queue has higher priority than the global queue,
1245so it's easier for already registered users to enter the site than for new
1246users.
1247
1248For this, the logs have been enhanced to show the number of sessions per
1249server, the request's position in the queue and the time spent in the queue.
1250This helps doing capacity planning. See the 'logs' section below for more info.
1251
1252Example :
1253---------
1254 # be nice with P3 which only has 256 MB of RAM.
1255 listen web_appl 0.0.0.0:80
1256 maxconn 10000
1257 mode http
1258 cookie SERVERID insert nocache indirect
1259 balance roundrobin
1260 server pentium3-800 192.168.1.1:80 cookie s1 weight 8 maxconn 100 check
1261 server opteron-2.0G 192.168.1.2:80 cookie s2 weight 20 maxconn 300 check
1262 server opteron-2.4G 192.168.1.3:80 cookie s3 weight 24 maxconn 300 check
1263 server web-backup1 192.168.2.1:80 cookie s4 check maxconn 200 backup
1264 server web-excuse 192.168.3.1:80 check backup
1265
willy tarreauf76e6ca2006-05-21 21:09:55 +02001266
1267This was so much efficient at reducing the server's response time that some
1268users wanted to use low values to improve their server's performance. However,
1269they were not able anymore to handle very large loads because it was not
1270possible anymore to saturate the servers. For this reason, version 1.2.14 has
1271brought dynamic limitation with the addition of the parameter 'minconn'. When
1272this parameter is set along with maxconn, it will enable dynamic limitation
1273based on the instance's load. The maximum number of concurrent sessions on a
1274server will be proportionnal to the number of sessions on the instance relative
1275to its maxconn. A minimum of <minconn> will be allowed whatever the load. This
1276will ensure that servers will perform at their best level under normal loads,
1277while still handling surges when needed. The dynamic limit is computed like
1278this :
1279
1280 srv.dyn_limit = max(srv.minconn, srv.maxconn * inst.sess / inst.maxconn)
1281
1282Example :
1283---------
1284 # be nice with P3 which only has 256 MB of RAM.
1285 listen web_appl 0.0.0.0:80
1286 maxconn 10000
1287 mode http
1288 cookie SERVERID insert nocache indirect
1289 balance roundrobin
1290 server pentium3-800 192.168.1.1:80 cookie s1 weight 8 minconn 10 maxconn 100 check
1291 server opteron-2.0G 192.168.1.2:80 cookie s2 weight 20 minconn 30 maxconn 300 check
1292 server opteron-2.4G 192.168.1.3:80 cookie s3 weight 24 minconn 30 maxconn 300 check
1293 server web-backup1 192.168.2.1:80 cookie s4 check maxconn 200 backup
1294 server web-excuse 192.168.3.1:80 check backup
1295
1296In the example above, the server 'pentium3-800' will receive at most 100
1297simultaneous sessions when the proxy instance will reach 10000 sessions, and
1298will receive only 10 simultaneous sessions when the proxy will be under 1000
1299sessions.
1300
willy tarreau532bb552006-05-13 18:40:37 +02001301Notes :
1302-------
1303 - The requests will not stay indefinitely in the queue, they follow the
1304 'contimeout' parameter, and if a request cannot be dequeued within this
1305 timeout because the server is saturated or because the queue is filled,
1306 the session will expire with a 503 error.
1307
willy tarreauf76e6ca2006-05-21 21:09:55 +02001308 - if only <minconn> is specified, it has the same effect as <maxconn>
1309
willy tarreau532bb552006-05-13 18:40:37 +02001310 - setting too low values for maxconn might improve performance but might also
1311 allow slow users to block access to the server for other users.
1312
willy tarreau34f45302006-04-15 21:37:14 +02001313
willy tarreaue0bdd622006-05-21 20:51:54 +020013143.5) Dropping aborted requests
1315------------------------------
1316In presence of very high loads, the servers will take some time to respond. The
1317per-proxy's connection queue will inflate, and the response time will increase
1318respective to the size of the queue times the average per-session response
1319time. When clients will wait for more than a few seconds, they will often hit
1320the 'STOP' button on their browser, leaving a useless request in the queue, and
1321slowing down other users.
1322
1323As there is no way to distinguish between a full STOP and a simple
1324shutdown(SHUT_WR) on the client side, HTTP agents should be conservative and
1325consider that the client might only have closed its output channel while
1326waiting for the response. However, this introduces risks of congestion when
1327lots of users do the same, and is completely useless nowadays because probably
1328no client at all will close the session while waiting for the response. Some
1329HTTP agents support this (Squid, Apache, HAProxy), and others do not (TUX, most
1330hardware-based load balancers). So the probability for a closed input channel
1331to represent a user hitting the 'STOP' button is close to 100%, and it is very
1332tempting to be able to abort the session early without polluting the servers.
1333
1334For this reason, a new option "abortonclose" was introduced in version 1.2.14.
1335By default (without the option) the behaviour is HTTP-compliant. But when the
1336option is specified, a session with an incoming channel closed will be aborted
1337if it's still possible, which means that it's either waiting for a connect() to
1338establish or it is queued waiting for a connection slot. This considerably
1339reduces the queue size and the load on saturated servers when users are tempted
1340to click on STOP, which in turn reduces the response time for other users.
1341
1342Example :
1343---------
1344 listen web_appl 0.0.0.0:80
1345 maxconn 10000
1346 mode http
1347 cookie SERVERID insert nocache indirect
1348 balance roundrobin
1349 server web1 192.168.1.1:80 cookie s1 weight 10 maxconn 100 check
1350 server web2 192.168.1.2:80 cookie s2 weight 10 maxconn 100 check
1351 server web3 192.168.1.3:80 cookie s3 weight 10 maxconn 100 check
1352 server bck1 192.168.2.1:80 cookie s4 check maxconn 200 backup
1353 option abortonclose
1354
1355
willy tarreaueedaa9f2005-12-17 14:08:03 +010013564) Additionnal features
1357=======================
1358
willy tarreau481132e2006-05-21 21:43:10 +02001359Other features are available. They are transparent mode, event logging, header
1360rewriting/filtering, and the status as an HTML page.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001361
willy tarreauc5f73ed2005-12-18 01:26:38 +01001362
willy tarreau0174f312005-12-18 01:02:42 +010013634.1) Network features
willy tarreaueedaa9f2005-12-17 14:08:03 +01001364---------------------
willy tarreau0174f312005-12-18 01:02:42 +010013654.1.1) Transparent mode
1366-----------------------
willy tarreaueedaa9f2005-12-17 14:08:03 +01001367In HTTP mode, the 'transparent' keyword allows to intercept sessions which are
1368routed through the system hosting the proxy. This mode was implemented as a
1369replacement for the 'dispatch' mode, since connections without cookie will be
1370sent to the original address while known cookies will be sent to the servers.
1371This mode implies that the system can redirect sessions to a local port.
1372
1373Example :
1374---------
1375 listen http_proxy 0.0.0.0:65000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001376 mode http
1377 transparent
1378 cookie SERVERID
1379 server server01 192.168.1.1:80
1380 server server02 192.168.1.2:80
willy tarreaueedaa9f2005-12-17 14:08:03 +01001381
1382 # iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.100 \
1383 --dport 80 -j REDIRECT --to-ports 65000
1384
1385Note :
1386------
1387If the port is left unspecified on the server, the port the client connected to
1388will be used. This allows to relay a full port range without using transparent
1389mode nor thousands of file descriptors, provided that the system can redirect
1390sessions to local ports.
1391
1392Example :
1393---------
1394 # redirect all ports to local port 65000, then forward to the server on the
1395 # original port.
1396 listen http_proxy 0.0.0.0:65000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001397 mode tcp
1398 server server01 192.168.1.1 check port 60000
1399 server server02 192.168.1.2 check port 60000
willy tarreaueedaa9f2005-12-17 14:08:03 +01001400
1401 # iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.100 \
1402 -j REDIRECT --to-ports 65000
1403
willy tarreau0174f312005-12-18 01:02:42 +010014044.1.2) Per-server source address binding
1405----------------------------------------
1406As of versions 1.1.30 and 1.2.3, it is possible to specify a particular source
1407to reach each server. This is useful when reaching backup servers from a
1408different LAN, or to use an alternate path to reach the same server. It is also
1409usable to provide source load-balancing for outgoing connections. Obviously,
1410the same source address is used to send health-checks.
1411
1412Example :
1413---------
1414 # use a particular source to reach both servers
1415 listen http_proxy 0.0.0.0:65000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001416 mode http
1417 balance roundrobin
1418 server server01 192.168.1.1:80 source 192.168.2.13
1419 server server02 192.168.1.2:80 source 192.168.2.13
willy tarreau0174f312005-12-18 01:02:42 +01001420
1421Example :
1422---------
1423 # use a particular source to reach each servers
1424 listen http_proxy 0.0.0.0:65000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001425 mode http
1426 balance roundrobin
1427 server server01 192.168.1.1:80 source 192.168.1.1
1428 server server02 192.168.2.1:80 source 192.168.2.1
willy tarreau0174f312005-12-18 01:02:42 +01001429
1430Example :
1431---------
1432 # provide source load-balancing to reach the same proxy through 2 WAN links
1433 listen http_proxy 0.0.0.0:65000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001434 mode http
1435 balance roundrobin
1436 server remote-proxy-way1 192.168.1.1:3128 source 192.168.2.1
1437 server remote-proxy-way2 192.168.1.1:3128 source 192.168.3.1
willy tarreau0174f312005-12-18 01:02:42 +01001438
1439Example :
1440---------
1441 # force a TCP connection to bind to a specific port
1442 listen http_proxy 0.0.0.0:2000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001443 mode tcp
1444 balance roundrobin
1445 server srv1 192.168.1.1:80 source 192.168.2.1:20
1446 server srv2 192.168.1.2:80 source 192.168.2.1:20
willy tarreau0174f312005-12-18 01:02:42 +01001447
willy tarreaub952e1d2005-12-18 01:31:20 +010014484.1.3) TCP keep-alive
1449---------------------
1450With version 1.2.7, it becomes possible to enable TCP keep-alives on both the
1451client and server sides. This makes it possible to prevent long sessions from
1452expiring on external layer 4 components such as firewalls and load-balancers.
1453It also allows the system to terminate dead sessions when no timeout has been
1454set (not recommanded). The proxy cannot set the keep-alive probes intervals nor
1455maximal count, consult your operating system manual for this. There are 3
1456options to enable TCP keep-alive :
1457
1458 option tcpka # enables keep-alive both on client and server side
1459 option clitcpka # enables keep-alive only on client side
1460 option srvtcpka # enables keep-alive only on server side
1461
willy tarreaueedaa9f2005-12-17 14:08:03 +01001462
14634.2) Event logging
1464------------------
willy tarreauc5f73ed2005-12-18 01:26:38 +01001465
1466HAProxy's strength certainly lies in its precise logs. It probably provides the
1467finest level of information available for such a product, which is very
1468important for troubleshooting complex environments. Standard log information
1469include client ports, TCP/HTTP state timers, precise session state at
1470termination and precise termination cause, information about decisions to
1471direct trafic to a server, and of course the ability to capture arbitrary
1472headers.
1473
1474In order to improve administrators reactivity, it offers a great transparency
1475about encountered problems, both internal and external, and it is possible to
1476send logs to different sources at the same time with different level filters :
1477
1478 - global process-level logs (system errors, start/stop, etc..)
1479 - per-listener system and internal errors (lack of resource, bugs, ...)
1480 - per-listener external troubles (servers up/down, max connections)
1481 - per-listener activity (client connections), either at the establishment or
1482 at the termination.
1483
1484The ability to distribute different levels of logs to different log servers
1485allow several production teams to interact and to fix their problems as soon
1486as possible. For example, the system team might monitor system-wide errors,
1487while the application team might be monitoring the up/down for their servers in
1488real time, and the security team might analyze the activity logs with one hour
1489delay.
1490
willy tarreauc1cae632005-12-17 14:12:23 +010014914.2.1) Log levels
1492-----------------
willy tarreau197e8ec2005-12-17 14:10:59 +01001493TCP and HTTP connections can be logged with informations such as date, time,
1494source IP address, destination address, connection duration, response times,
1495HTTP request, the HTTP return code, number of bytes transmitted, the conditions
1496in which the session ended, and even exchanged cookies values, to track a
1497particular user's problems for example. All messages are sent to up to two
1498syslog servers. Consult section 1.1 for more info about log facilities. The
1499syntax follows :
willy tarreaueedaa9f2005-12-17 14:08:03 +01001500
willy tarreau197e8ec2005-12-17 14:10:59 +01001501 log <address_1> <facility_1> [max_level_1]
1502 log <address_2> <facility_2> [max_level_2]
1503or
willy tarreaueedaa9f2005-12-17 14:08:03 +01001504 log global
1505
willy tarreau197e8ec2005-12-17 14:10:59 +01001506Note :
1507------
1508The particular syntax 'log global' means that the same log configuration as the
1509'global' section will be used.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001510
willy tarreau197e8ec2005-12-17 14:10:59 +01001511Example :
willy tarreaueedaa9f2005-12-17 14:08:03 +01001512---------
1513 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001514 mode http
1515 log 192.168.2.200 local3
1516 log 192.168.2.201 local4
willy tarreaueedaa9f2005-12-17 14:08:03 +01001517
willy tarreauc1cae632005-12-17 14:12:23 +010015184.2.2) Log format
1519-----------------
1520By default, connections are logged at the TCP level, as soon as the session
1521establishes between the client and the proxy. By enabling the 'tcplog' option,
1522the proxy will wait until the session ends to generate an enhanced log
1523containing more information such as session duration and its state during the
willy tarreau532bb552006-05-13 18:40:37 +02001524disconnection. The number of remaining session after disconnection is also
1525indicated (for the server, the listener, and the process).
willy tarreauc1cae632005-12-17 14:12:23 +01001526
willy tarreauc5f73ed2005-12-18 01:26:38 +01001527Example of TCP logging :
1528------------------------
willy tarreau982249e2005-12-18 00:57:06 +01001529 listen relais-tcp 0.0.0.0:8000
willy tarreauc5f73ed2005-12-18 01:26:38 +01001530 mode tcp
1531 option tcplog
1532 log 192.168.2.200 local3
willy tarreau982249e2005-12-18 00:57:06 +01001533
willy tarreau532bb552006-05-13 18:40:37 +02001534>>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28] relais-tcp Srv1 0/0/5007 0 -- 1/1/1 0/0
willy tarreauc5f73ed2005-12-18 01:26:38 +01001535
willy tarreau532bb552006-05-13 18:40:37 +02001536 Field Format Example
willy tarreauc5f73ed2005-12-18 01:26:38 +01001537
willy tarreau532bb552006-05-13 18:40:37 +02001538 1 process_name '[' pid ']:' haproxy[18989]:
1539 2 client_ip ':' client_port 127.0.0.1:34550
1540 3 '[' date ']' [15/Oct/2003:15:24:28]
1541 4 listener_name relais-tcp
1542 5 server_name Srv1
1543 6 queue_time '/' connect_time '/' total_time 0/0/5007
1544 7 bytes_read 0
1545 8 termination_state --
1546 9 srv_conn '/' listener_conn '/' process_conn 1/1/1
1547 10 position in srv_queue / listener_queue 0/0
1548
willy tarreau982249e2005-12-18 00:57:06 +01001549
willy tarreauc1cae632005-12-17 14:12:23 +01001550Another option, 'httplog', provides more detailed information about HTTP
1551contents, such as the request and some cookies. In the event where an external
1552component would establish frequent connections to check the service, logs may be
1553full of useless lines. So it is possible not to log any session which didn't
1554transfer any data, by the setting of the 'dontlognull' option. This only has
1555effect on sessions which are established then closed.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001556
willy tarreauc5f73ed2005-12-18 01:26:38 +01001557Example of HTTP logging :
1558-------------------------
willy tarreaueedaa9f2005-12-17 14:08:03 +01001559 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001560 mode http
1561 option httplog
1562 option dontlognull
1563 log 192.168.2.200 local3
1564
willy tarreau532bb552006-05-13 18:40:37 +02001565>>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57] relais-http Srv1 9/0/7/147/723 200 243 - - ---- 2/3/3 0/0 "HEAD / HTTP/1.0"
willy tarreaueedaa9f2005-12-17 14:08:03 +01001566
willy tarreauc5f73ed2005-12-18 01:26:38 +01001567More complete example
willy tarreau532bb552006-05-13 18:40:37 +02001568 haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31] relais-http Srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 137/202/205 0/0 {w.ods.org|Mozilla} {} "HEAD / HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001569
willy tarreau532bb552006-05-13 18:40:37 +02001570 Field Format Example
willy tarreauc5f73ed2005-12-18 01:26:38 +01001571
willy tarreau532bb552006-05-13 18:40:37 +02001572 1 process_name '[' pid ']:' haproxy[18989]:
1573 2 client_ip ':' client_port 10.0.0.1:34552
1574 3 '[' date ']' [15/Oct/2003:15:26:31]
1575 4 listener_name relais-http
1576 5 server_name Srv1
1577 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt 3183/-1/-1/-1/11215
1578 7 HTTP_return_code 503
1579 8 bytes_read 0
1580 9 captured_request_cookie -
1581 10 captured_response_cookie -
1582 11 termination_state SC--
1583 12 srv_conn '/' listener_conn '/' process_conn 137/202/205
1584 13 position in srv_queue / listener_queue 0/0
1585 14 '{' captured_request_headers '}' {w.ods.org|Mozilla}
1586 15 '{' captured_response_headers '}' {}
1587 16 '"' HTTP_request '"' "HEAD / HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001588
1589Note for log parsers: the URI is ALWAYS the end of the line starting with the
1590 first double quote '"'.
willy tarreau982249e2005-12-18 00:57:06 +01001591
1592The problem when logging at end of connection is that you have no clue about
1593what is happening during very long sessions. To workaround this problem, a
1594new option 'logasap' has been introduced in 1.1.28/1.2.1. When specified, the
1595proxy will log as soon as possible, just before data transfer begins. This means
1596that in case of TCP, it will still log the connection status to the server, and
1597in case of HTTP, it will log just after processing the server headers. In this
1598case, the number of bytes reported is the number of header bytes sent to the
1599client.
1600
1601In order to avoid confusion with normal logs, the total time field and the
1602number of bytes are prefixed with a '+' sign which mean that real numbers are
1603certainly bigger.
1604
1605Example :
1606---------
1607
1608 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01001609 mode http
1610 option httplog
1611 option dontlognull
1612 option logasap
1613 log 192.168.2.200 local3
willy tarreau982249e2005-12-18 00:57:06 +01001614
willy tarreau532bb552006-05-13 18:40:37 +02001615>>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17] relais-http Srv1 9/10/7/14/+30 200 +243 - - ---- 1/1/3 1/0 "GET /image.iso HTTP/1.0"
willy tarreau982249e2005-12-18 00:57:06 +01001616
willy tarreauc1cae632005-12-17 14:12:23 +010016174.2.3) Timing events
1618--------------------
1619Timers provide a great help in trouble shooting network problems. All values
1620are reported in milliseconds (ms). In HTTP mode, four control points are
willy tarreau532bb552006-05-13 18:40:37 +02001621reported under the form 'Tq/Tw/Tc/Tr/Tt' :
willy tarreauc1cae632005-12-17 14:12:23 +01001622
1623 - Tq: total time to get the client request.
1624 It's the time elapsed between the moment the client connection was accepted
1625 and the moment the proxy received the last HTTP header. The value '-1'
1626 indicates that the end of headers (empty line) has never been seen.
1627
willy tarreau532bb552006-05-13 18:40:37 +02001628 - Tw: total time spent in the queues waiting for a connection slot. It
1629 accounts for listener's queue as well as the server's queue, and depends
1630 on the queue size, and the time needed for the server to complete previous
1631 sessions. The value '-1' means that the request was killed before reaching
1632 the queue.
1633
willy tarreauc1cae632005-12-17 14:12:23 +01001634 - Tc: total time to establish the TCP connection to the server.
1635 It's the time elapsed between the moment the proxy sent the connection
1636 request, and the moment it was acknowledged, or between the TCP SYN packet
1637 and the matching SYN/ACK in return. The value '-1' means that the
1638 connection never established.
1639
1640 - Tr: server response time. It's the time elapsed between the moment the
1641 TCP connection was established to the server and the moment it send its
1642 complete response header. It purely shows its request processing time,
1643 without the network overhead due to the data transmission. The value '-1'
1644 means that the last the response header (empty line) was never seen.
1645
1646 - Tt: total session duration time, between the moment the proxy accepted it
willy tarreau982249e2005-12-18 00:57:06 +01001647 and the moment both ends were closed. The exception is when the 'logasap'
willy tarreau532bb552006-05-13 18:40:37 +02001648 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
willy tarreau982249e2005-12-18 00:57:06 +01001649 prefixed with a '+' sign. From this field, we can deduce Td, the data
1650 transmission time, by substracting other timers when valid :
willy tarreauc1cae632005-12-17 14:12:23 +01001651
willy tarreau532bb552006-05-13 18:40:37 +02001652 Td = Tt - (Tq + Tw + Tc + Tr)
willy tarreauc1cae632005-12-17 14:12:23 +01001653
1654 Timers with '-1' values have to be excluded from this equation.
1655
willy tarreau532bb552006-05-13 18:40:37 +02001656In TCP mode ('option tcplog'), only Tw, Tc and Tt are reported.
willy tarreauc1cae632005-12-17 14:12:23 +01001657
1658These timers provide precious indications on trouble causes. Since the TCP
1659protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
1660that timers close to multiples of 3s are nearly always related to packets lost
1661due to network problems (wires or negociation). Moreover, if <Tt> is close to
1662a timeout value specified in the configuration, it often means that a session
1663has been aborted on time-out.
1664
1665Most common cases :
1666
1667 - If Tq is close to 3000, a packet has probably been lost between the client
1668 and the proxy.
1669 - If Tc is close to 3000, a packet has probably been lost between the server
1670 and the proxy during the server connection phase. This one should always be
1671 very low (less than a few tens).
1672 - If Tr is nearly always lower than 3000 except some rare values which seem to
1673 be the average majored by 3000, there are probably some packets lost between
1674 the proxy and the server.
1675 - If Tt is often slightly higher than a time-out, it's often because the
1676 client and the server use HTTP keep-alive and the session is maintained
1677 after the response ends. Se further for how to disable HTTP keep-alive.
1678
1679Other cases ('xx' means any value to be ignored) :
willy tarreau532bb552006-05-13 18:40:37 +02001680 -1/xx/xx/xx/Tt: the client was not able to send its complete request in time,
1681 or that it aborted it too early.
1682 Tq/-1/xx/xx/Tt: it was not possible to process the request, maybe because
1683 servers were out of order.
1684 Tq/Tw/-1/xx/Tt: the connection could not establish on the server. Either it
1685 refused it or it timed out after Tt-(Tq+Tw) ms.
1686 Tq/Tw/Tc/-1/Tt: the server has accepted the connection but did not return a
1687 complete response in time, or it closed its connexion
1688 unexpectedly, after Tt-(Tq+Tw+Tc) ms.
willy tarreauc1cae632005-12-17 14:12:23 +01001689
16904.2.4) Session state at disconnection
1691-------------------------------------
willy tarreauc5f73ed2005-12-18 01:26:38 +01001692TCP and HTTP logs provide a session completion indicator in the
1693<termination_state> field, just before the number of active
1694connections. It is 2-characters long in TCP, and 4-characters long in
1695HTTP, each of which has a special meaning :
1696
willy tarreau197e8ec2005-12-17 14:10:59 +01001697 - On the first character, a code reporting the first event which caused the
1698 session to terminate :
willy tarreaueedaa9f2005-12-17 14:08:03 +01001699
willy tarreauc5f73ed2005-12-18 01:26:38 +01001700 C : the TCP session was unexpectedly aborted by the client.
1701
1702 S : the TCP session was unexpectedly aborted by the server, or the
1703 server explicitly refused it.
1704
1705 P : the session was prematurely aborted by the proxy, because of a
1706 connection limit enforcement, because a DENY filter was matched,
1707 or because of a security check which detected and blocked a
1708 dangerous error in server response which might have caused
1709 information leak (eg: cacheable cookie).
1710
1711 R : a resource on the proxy has been exhausted (memory, sockets, source
1712 ports, ...). Usually, this appears during the connection phase, and
1713 system logs should contain a copy of the precise error.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001714
willy tarreauc5f73ed2005-12-18 01:26:38 +01001715 I : an internal error was identified by the proxy during a self-check.
1716 This should NEVER happen, and you are encouraged to report any log
1717 containing this, because this is a bug.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001718
willy tarreauc5f73ed2005-12-18 01:26:38 +01001719 c : the client-side time-out expired first.
1720
1721 s : the server-side time-out expired first.
1722
1723 - : normal session completion.
1724
1725 - on the second character, the TCP/HTTP session state when it was closed :
1726
1727 R : waiting for complete REQUEST from the client (HTTP only). Nothing
1728 was sent to any server.
1729
willy tarreau532bb552006-05-13 18:40:37 +02001730 Q : waiting in the QUEUE for a connection slot. This can only happen on
1731 servers which have a 'maxconn' parameter set. No connection attempt
1732 was made to any server.
1733
willy tarreauc5f73ed2005-12-18 01:26:38 +01001734 C : waiting for CONNECTION to establish on the server. The server might
1735 at most have noticed a connection attempt.
1736
1737 H : waiting for, receiving and processing server HEADERS (HTTP only).
1738
1739 D : the session was in the DATA phase.
1740
1741 L : the proxy was still transmitting LAST data to the client while the
1742 server had already finished.
1743
Willy Tarreau2272dc12006-09-03 10:19:38 +02001744 T : the request was tarpitted. It has been held open on with the client
Willy Tarreau08fa2e32006-09-03 10:47:37 +02001745 during the whole contimeout duration or untill the client closed.
Willy Tarreau2272dc12006-09-03 10:19:38 +02001746
willy tarreauc5f73ed2005-12-18 01:26:38 +01001747 - : normal session completion after end of data transfer.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001748
willy tarreau197e8ec2005-12-17 14:10:59 +01001749 - the third character tells whether the persistence cookie was provided by
willy tarreauc1cae632005-12-17 14:12:23 +01001750 the client (only in HTTP mode) :
willy tarreaueedaa9f2005-12-17 14:08:03 +01001751
willy tarreauc5f73ed2005-12-18 01:26:38 +01001752 N : the client provided NO cookie. This is usually the case on new
1753 connections.
1754
1755 I : the client provided an INVALID cookie matching no known
1756 server. This might be caused by a recent configuration change,
1757 mixed cookies between HTTP/HTTPS sites, or an attack.
1758
1759 D : the client provided a cookie designating a server which was DOWN,
1760 so either the 'persist' option was used and the client was sent to
1761 this server, or it was not set and the client was redispatched to
1762 another server.
1763
1764 V : the client provided a valid cookie, and was sent to the associated
1765 server.
1766
1767 - : does not apply (no cookie set in configuration).
willy tarreaueedaa9f2005-12-17 14:08:03 +01001768
willy tarreau197e8ec2005-12-17 14:10:59 +01001769 - the last character reports what operations were performed on the persistence
willy tarreauc1cae632005-12-17 14:12:23 +01001770 cookie returned by the server (only in HTTP mode) :
willy tarreaueedaa9f2005-12-17 14:08:03 +01001771
willy tarreauc5f73ed2005-12-18 01:26:38 +01001772 N : NO cookie was provided by the server, and none was inserted either.
1773
1774 I : no cookie was provided by the server, and the proxy INSERTED one.
1775
willy tarreau197e8ec2005-12-17 14:10:59 +01001776 P : a cookie was PROVIDED by the server and transmitted as-is.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001777
willy tarreauc5f73ed2005-12-18 01:26:38 +01001778 R : the cookie provided by the server was REWRITTEN by the proxy.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001779
willy tarreauc5f73ed2005-12-18 01:26:38 +01001780 D : the cookie provided by the server was DELETED by the proxy.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001781
willy tarreauc5f73ed2005-12-18 01:26:38 +01001782 - : does not apply (no cookie set in configuration).
willy tarreaueedaa9f2005-12-17 14:08:03 +01001783
willy tarreauc5f73ed2005-12-18 01:26:38 +01001784The combination of the two first flags give a lot of information about what was
1785happening when the session terminated. It can be helpful to detect server
1786saturation, network troubles, local system resource starvation, attacks, etc...
willy tarreaueedaa9f2005-12-17 14:08:03 +01001787
willy tarreauc5f73ed2005-12-18 01:26:38 +01001788The most common termination flags combinations are indicated here.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001789
willy tarreauc5f73ed2005-12-18 01:26:38 +01001790 Flags Reason
1791 CR The client aborted before sending a full request. Most probably the
1792 request was done by hand using a telnet client, and aborted early.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001793
willy tarreauc5f73ed2005-12-18 01:26:38 +01001794 cR The client timed out before sending a full request. This is sometimes
1795 caused by too large TCP MSS values on the client side for PPPoE
1796 networks which cannot transport full-sized packets, or by clients
1797 sending requests by hand and not typing fast enough.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001798
willy tarreauc5f73ed2005-12-18 01:26:38 +01001799 SC The server explicitly refused the connection (the proxy received a
1800 TCP RST or an ICMP in return). Under some circumstances, it can
1801 also be the network stack telling the proxy that the server is
1802 unreachable (eg: no route, or no ARP response on local network).
willy tarreau982249e2005-12-18 00:57:06 +01001803
willy tarreauc5f73ed2005-12-18 01:26:38 +01001804 sC The connection to the server did not complete during contimeout.
willy tarreau982249e2005-12-18 00:57:06 +01001805
willy tarreauc5f73ed2005-12-18 01:26:38 +01001806 PC The proxy refused to establish a connection to the server because the
1807 maxconn limit has been reached. The listener's maxconn parameter may
1808 be increased in the proxy configuration, as well as the global
1809 maxconn parameter.
willy tarreauc1cae632005-12-17 14:12:23 +01001810
willy tarreauc5f73ed2005-12-18 01:26:38 +01001811 RC A local resource has been exhausted (memory, sockets, source ports)
1812 preventing the connection to the server from establishing. The error
1813 logs will tell precisely what was missing. Anyway, this can only be
1814 solved by system tuning.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001815
willy tarreauc5f73ed2005-12-18 01:26:38 +01001816 cH The client timed out during a POST request. This is sometimes caused
1817 by too large TCP MSS values for PPPoE networks which cannot transport
1818 full-sized packets.
willy tarreauc1cae632005-12-17 14:12:23 +01001819
willy tarreau078c79a2006-05-13 12:23:58 +02001820 CH The client aborted while waiting for the server to start responding.
1821 It might be the server taking too long to respond or the client
1822 clicking the 'Stop' button too fast.
1823
1824 CQ The client aborted while its session was queued, waiting for a server
1825 with enough empty slots to accept it. It might be that either all the
1826 servers were saturated or the assigned server taking too long to
1827 respond.
1828
Willy Tarreau08fa2e32006-09-03 10:47:37 +02001829 CT The client aborted while its session was tarpitted.
1830
willy tarreau078c79a2006-05-13 12:23:58 +02001831 sQ The session spent too much time in queue and has been expired.
1832
willy tarreauc5f73ed2005-12-18 01:26:38 +01001833 SH The server aborted before sending its full headers, or it crashed.
willy tarreaueedaa9f2005-12-17 14:08:03 +01001834
willy tarreauc5f73ed2005-12-18 01:26:38 +01001835 sH The server failed to reply during the srvtimeout delay, which
1836 indicates too long transactions, probably caused by back-end
1837 saturation. The only solutions are to fix the problem on the
1838 application or to increase the 'srvtimeout' parameter to support
1839 longer delays (at the risk of the client giving up anyway).
1840
1841 PR The proxy blocked the client's request, either because of an invalid
1842 HTTP syntax, in which case it returned an HTTP 400 error to the
1843 client, or because a deny filter matched, in which case it returned
1844 an HTTP 403 error.
1845
1846 PH The proxy blocked the server's response, because it was invalid,
1847 incomplete, dangerous (cache control), or matched a security filter.
1848 In any case, an HTTP 502 error is sent to the client.
1849
Willy Tarreau2272dc12006-09-03 10:19:38 +02001850 PT The proxy blocked the client's request and has tarpitted its
1851 connection before returning it a 500 server error. Nothing was sent
1852 to the server.
1853
willy tarreauc5f73ed2005-12-18 01:26:38 +01001854 cD The client did not read any data for as long as the clitimeout delay.
1855 This is often caused by network failures on the client side.
1856
1857 CD The client unexpectedly aborted during data transfer. This is either
1858 caused by a browser crash, or by a keep-alive session between the
1859 server and the client terminated first by the client.
1860
1861 sD The server did nothing during the srvtimeout delay. This is often
1862 caused by too short timeouts on L4 equipements before the server
1863 (firewalls, load-balancers, ...).
1864
18654.2.5) Non-printable characters
willy tarreau4302f492005-12-18 01:00:37 +01001866-------------------------------
1867As of version 1.1.29, non-printable characters are not sent as-is into log
1868files, but are converted to their two-digits hexadecimal representation,
1869prefixed by the character '#'. The only characters that can now be logged
1870without being escaped are between 32 and 126 (inclusive). Obviously, the
1871escape character '#' is also encoded to avoid any ambiguity. It is the same for
1872the character '"', as well as '{', '|' and '}' when logging headers.
1873
willy tarreauc5f73ed2005-12-18 01:26:38 +010018744.2.6) Capturing HTTP headers and cookies
1875-----------------------------------------
1876Version 1.1.23 brought cookie capture, and 1.1.29 the header capture. All this
1877is performed using the 'capture' keyword.
1878
1879Cookie capture makes it easy to track a complete user session. The syntax is :
1880
1881 capture cookie <cookie_prefix> len <capture_length>
1882
1883This will enable cookie capture from both requests and responses. This way,
1884it's easy to detect when a user switches to a new session for example, because
1885the server will reassign it a new cookie.
1886
1887The FIRST cookie whose name starts with <cookie_prefix> will be captured, and
1888logged as 'NAME=value', without exceeding <capture_length> characters (64 max).
1889When the cookie name is fixed and known, it's preferable to suffix '=' to it to
1890ensure that no other cookie will be logged.
1891
1892Examples :
1893----------
1894 # capture the first cookie whose name starts with "ASPSESSION"
1895 capture cookie ASPSESSION len 32
1896
1897 # capture the first cookie whose name is exactly "vgnvisitor"
1898 capture cookie vgnvisitor= len 32
1899
1900In the logs, the field preceeding the completion indicator contains the cookie
1901value as sent by the server, preceeded by the cookie value as sent by the
1902client. Each of these field is replaced with '-' when no cookie was seen or
1903when the option is disabled.
1904
1905Header captures have a different goal. They are useful to track unique request
1906identifiers set by a previous proxy, virtual host names, user-agents, POST
1907content-length, referrers, etc. In the response, one can search for information
1908about the response length, how the server asked the cache to behave, or an
1909object location during a redirection. As for cookie captures, it is both
1910possible to include request headers and response headers at the same time. The
1911syntax is :
willy tarreau4302f492005-12-18 01:00:37 +01001912
1913 capture request header <name> len <max length>
1914 capture response header <name> len <max length>
1915
1916Note: Header names are not case-sensitive.
1917
1918Examples:
1919---------
1920 # keep the name of the virtual server
1921 capture request header Host len 20
1922 # keep the amount of data uploaded during a POST
1923 capture request header Content-Length len 10
1924
1925 # note the expected cache behaviour on the response
1926 capture response header Cache-Control len 8
1927 # note the URL location during a redirection
1928 capture response header Location len 20
1929
1930Non-existant headers are logged as empty strings, and if one header appears more
1931than once, only its last occurence will be kept. Request headers are grouped
1932within braces '{' and '}' in the same order as they were declared, and delimited
1933with a vertical bar '|' without any space. Response headers follow the same
1934representation, but are displayed after a space following the request headers
1935block. These blocks are displayed just before the HTTP request in the logs.
willy tarreauc5f73ed2005-12-18 01:26:38 +01001936
willy tarreau4302f492005-12-18 01:00:37 +01001937Example :
1938
willy tarreauc5f73ed2005-12-18 01:26:38 +01001939 Config:
1940
1941 capture request header Host len 20
1942 capture request header Content-Length len 10
1943 capture request header Referer len 20
1944 capture response header Server len 20
1945 capture response header Content-Length len 10
1946 capture response header Cache-Control len 8
1947 capture response header Via len 20
1948 capture response header Location len 20
1949
1950 Log :
1951
willy tarreau532bb552006-05-13 18:40:37 +02001952 Aug 9 20:26:09 localhost haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] relais-http netcache 0/0/0/162/+162 200 +350 - - ---- 0/0/0 0/0 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} "GET http://fr.adserver.yahoo.com/"
1953 Aug 9 20:30:46 localhost haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] relais-http netcache 0/0/0/182/+182 200 +279 - - ---- 0/0/0 0/0 {w.ods.org||} {Formilux/0.1.8|3495|||} "GET http://w.ods.org/sytadin.html HTTP/1.1"
1954 Aug 9 20:30:46 localhost haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] relais-http netcache 0/0/2/126/+128 200 +223 - - ---- 0/0/0 0/0 {www.infotrafic.com||http://w.ods.org/syt} {Apache/2.0.40 (Red H|9068|||} "GET http://www.infotrafic.com/images/live/cartesidf/grandes/idf_ne.png HTTP/1.1"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001955
1956
19574.2.7) Examples of logs
1958-----------------------
willy tarreau532bb552006-05-13 18:40:37 +02001959- haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57] relais-http Srv1 6559/0/7/147/6723 200 243 - - ---- 1/3/5 0/0 "HEAD / HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001960 => long request (6.5s) entered by hand through 'telnet'. The server replied
1961 in 147 ms, and the session ended normally ('----')
1962
willy tarreau532bb552006-05-13 18:40:37 +02001963- haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57] relais-http Srv1 6559/1230/7/147/6870 200 243 - - ---- 99/239/324 0/9 "HEAD / HTTP/1.0"
1964 => Idem, but the request was queued in the global queue behind 9 other
1965 requests, and waited there for 1230 ms.
1966
1967- haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17] relais-http Srv1 9/0/7/14/+30 200 +243 - - ---- 1/3/3 0/0 "GET /image.iso HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001968 => request for a long data transfer. The 'logasap' option was specified, so
1969 the log was produced just before transfering data. The server replied in
1970 14 ms, 243 bytes of headers were sent to the client, and total time from
1971 accept to first data byte is 30 ms.
1972
willy tarreau532bb552006-05-13 18:40:37 +02001973- haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17] relais-http Srv1 9/0/7/14/30 502 243 - - PH-- 0/2/3 0/0 "GET /cgi-bin/bug.cgi? HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001974 => the proxy blocked a server response either because of an 'rspdeny' or
1975 'rspideny' filter, or because it blocked sensible information which risked
1976 being cached. In this case, the response is replaced with a '502 bad
1977 gateway'.
1978
willy tarreau532bb552006-05-13 18:40:37 +02001979- haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55] relais-http <NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 0/2/2 0/0 ""
willy tarreauc5f73ed2005-12-18 01:26:38 +01001980 => the client never completed its request and aborted itself ('C---') after
1981 8.5s, while the proxy was waiting for the request headers ('-R--').
1982 Nothing was sent to the server.
1983
willy tarreau532bb552006-05-13 18:40:37 +02001984- haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06] relais-http <NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2 0/0 ""
willy tarreauc5f73ed2005-12-18 01:26:38 +01001985 => The client never completed its request, which was aborted by the time-out
1986 ('c---') after 50s, while the proxy was waiting for the request headers ('-R--').
1987 Nothing was sent to the server, but the proxy could send a 408 return code
1988 to the client.
willy tarreau4302f492005-12-18 01:00:37 +01001989
willy tarreau532bb552006-05-13 18:40:37 +02001990- haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28] relais-tcp Srv1 0/0/5007 0 cD 0/0/0 0/0
willy tarreauc5f73ed2005-12-18 01:26:38 +01001991 => This is a 'tcplog' entry. Client-side time-out ('c----') occured after 5s.
willy tarreau4302f492005-12-18 01:00:37 +01001992
willy tarreau532bb552006-05-13 18:40:37 +02001993- haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31] relais-http Srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 115/202/205 0/0 "HEAD / HTTP/1.0"
willy tarreauc5f73ed2005-12-18 01:26:38 +01001994 => The request took 3s to complete (probably a network problem), and the
1995 connection to the server failed ('SC--') after 4 attemps of 2 seconds
1996 (config says 'retries 3'), then a 503 error code was sent to the client.
willy tarreau532bb552006-05-13 18:40:37 +02001997 There were 115 connections on this server, 202 connections on this proxy,
1998 and 205 on the global process. It is possible that the server refused the
1999 connection because of too many already established.
willy tarreau4302f492005-12-18 01:00:37 +01002000
willy tarreau4302f492005-12-18 01:00:37 +01002001
willy tarreau197e8ec2005-12-17 14:10:59 +010020024.3) HTTP header manipulation
2003-----------------------------
2004In HTTP mode, it is possible to rewrite, add or delete some of the request and
2005response headers based on regular expressions. It is also possible to block a
2006request or a response if a particular header matches a regular expression,
2007which is enough to stops most elementary protocol attacks, and to protect
2008against information leak from the internal network. But there is a limitation
2009to this : since haproxy's HTTP engine knows nothing about keep-alive, only
2010headers passed during the first request of a TCP session will be seen. All
2011subsequent headers will be considered data only and not analyzed. Furthermore,
2012haproxy doesn't touch data contents, it stops at the end of headers.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002013
willy tarreau197e8ec2005-12-17 14:10:59 +01002014The syntax is :
2015 reqadd <string> to add a header to the request
2016 reqrep <search> <replace> to modify the request
2017 reqirep <search> <replace> same, but ignoring the case
2018 reqdel <search> to delete a header in the request
2019 reqidel <search> same, but ignoring the case
2020 reqallow <search> definitely allow a request if a header matches <search>
2021 reqiallow <search> same, but ignoring the case
2022 reqdeny <search> denies a request if a header matches <search>
2023 reqideny <search> same, but ignoring the case
2024 reqpass <search> ignore a header matching <search>
2025 reqipass <search> same, but ignoring the case
Willy Tarreau2272dc12006-09-03 10:19:38 +02002026 reqtarpit <search> tarpit a request matching <search>
2027 reqitarpit <search> same, but ignoring the case
willy tarreaueedaa9f2005-12-17 14:08:03 +01002028
willy tarreau197e8ec2005-12-17 14:10:59 +01002029 rspadd <string> to add a header to the response
2030 rsprep <search> <replace> to modify the response
2031 rspirep <search> <replace> same, but ignoring the case
2032 rspdel <search> to delete the response
2033 rspidel <search> same, but ignoring the case
willy tarreau982249e2005-12-18 00:57:06 +01002034 rspdeny <search> replaces a response with a HTTP 502 if a header matches <search>
2035 rspideny <search> same, but ignoring the case
willy tarreaueedaa9f2005-12-17 14:08:03 +01002036
2037
willy tarreau197e8ec2005-12-17 14:10:59 +01002038<search> is a POSIX regular expression (regex) which supports grouping through
2039parenthesis (without the backslash). Spaces and other delimiters must be
2040prefixed with a backslash ('\') to avoid confusion with a field delimiter.
2041Other characters may be prefixed with a backslash to change their meaning :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002042
willy tarreau197e8ec2005-12-17 14:10:59 +01002043 \t for a tab
2044 \r for a carriage return (CR)
2045 \n for a new line (LF)
2046 \ to mark a space and differentiate it from a delimiter
2047 \# to mark a sharp and differentiate it from a comment
2048 \\ to use a backslash in a regex
2049 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
2050 \xXX to write the ASCII hex code XX as in the C language
willy tarreaueedaa9f2005-12-17 14:08:03 +01002051
2052
Willy Tarreau2272dc12006-09-03 10:19:38 +02002053<replace> contains the string to be used to replace the largest portion of text
willy tarreau197e8ec2005-12-17 14:10:59 +01002054matching the regex. It can make use of the special characters above, and can
2055reference a substring delimited by parenthesis in the regex, by the group
Willy Tarreau2272dc12006-09-03 10:19:38 +02002056numerical order from 0 to 9 (0 being the entire line). In this case, you would
2057write a backslash ('\') immediately followed by one digit indicating the group
2058position.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002059
willy tarreau197e8ec2005-12-17 14:10:59 +01002060<string> represents the string which will systematically be added after the last
2061header line. It can also use special characters above.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002062
willy tarreau197e8ec2005-12-17 14:10:59 +01002063Notes :
2064-------
2065 - the first line is considered as a header, which makes it possible to rewrite
2066 or filter HTTP requests URIs or response codes.
2067 - 'reqrep' is the equivalent of 'cliexp' in version 1.0, and 'rsprep' is the
2068 equivalent of 'srvexp' in 1.0. Those names are still supported but
2069 deprecated.
2070 - for performances reasons, the number of characters added to a request or to
2071 a response is limited to 4096 since version 1.1.5 (it was 256 before). This
2072 value is easy to modify in the code if needed (#define). If it is too short
2073 on occasional uses, it is possible to gain some space by removing some
2074 useless headers before adding new ones.
willy tarreau982249e2005-12-18 00:57:06 +01002075 - a denied request will generate an "HTTP 403 forbidden" response, while a
2076 denied response will generate an "HTTP 502 Bad gateway" response.
Willy Tarreau2272dc12006-09-03 10:19:38 +02002077 - a tarpitted request will be held open on the client side for a duration
Willy Tarreau08fa2e32006-09-03 10:47:37 +02002078 defined in the contimeout parameter, or untill the client aborts. Nothing
2079 will be sent to any server. When the timeout is reached, the proxy will
2080 reply with a 500 server error response so that the attacker does not
2081 suspect it has been tarpitted. The logs may report the 500, but the
2082 termination flags will indicate 'PT' in this case.
Willy Tarreau2272dc12006-09-03 10:19:38 +02002083
willy tarreaueedaa9f2005-12-17 14:08:03 +01002084
willy tarreau197e8ec2005-12-17 14:10:59 +01002085Examples :
2086----------
willy tarreauc5f73ed2005-12-18 01:26:38 +01002087 ###### a few examples ######
willy tarreau197e8ec2005-12-17 14:10:59 +01002088
willy tarreauc5f73ed2005-12-18 01:26:38 +01002089 # rewrite 'online.fr' instead of 'free.fr' for GET and POST requests
2090 reqrep ^(GET\ .*)(.free.fr)(.*) \1.online.fr\3
2091 reqrep ^(POST\ .*)(.free.fr)(.*) \1.online.fr\3
willy tarreau197e8ec2005-12-17 14:10:59 +01002092
willy tarreauc5f73ed2005-12-18 01:26:38 +01002093 # force proxy connections to close
2094 reqirep ^Proxy-Connection:.* Proxy-Connection:\ close
2095 # rewrite locations
2096 rspirep ^(Location:\ )([^:]*://[^/]*)(.*) \1\3
willy tarreaueedaa9f2005-12-17 14:08:03 +01002097
willy tarreauc5f73ed2005-12-18 01:26:38 +01002098 ###### A full configuration being used on production ######
willy tarreaueedaa9f2005-12-17 14:08:03 +01002099
willy tarreau197e8ec2005-12-17 14:10:59 +01002100 # Every header should end with a colon followed by one space.
willy tarreauc5f73ed2005-12-18 01:26:38 +01002101 reqideny ^[^:\ ]*[\ ]*$
willy tarreaueedaa9f2005-12-17 14:08:03 +01002102
willy tarreau197e8ec2005-12-17 14:10:59 +01002103 # block Apache chunk exploit
willy tarreauc5f73ed2005-12-18 01:26:38 +01002104 reqideny ^Transfer-Encoding:[\ ]*chunked
2105 reqideny ^Host:\ apache-
willy tarreaueedaa9f2005-12-17 14:08:03 +01002106
willy tarreau197e8ec2005-12-17 14:10:59 +01002107 # block annoying worms that fill the logs...
willy tarreauc5f73ed2005-12-18 01:26:38 +01002108 reqideny ^[^:\ ]*\ .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
2109 reqideny ^[^:\ ]*\ ([^\ ]*\ [^\ ]*\ |.*%00)
2110 reqideny ^[^:\ ]*\ .*<script
2111 reqideny ^[^:\ ]*\ .*/(root\.exe\?|cmd\.exe\?|default\.ida\?)
willy tarreau197e8ec2005-12-17 14:10:59 +01002112
Willy Tarreau2272dc12006-09-03 10:19:38 +02002113 # tarpit attacks on the login page.
2114 reqtarpit ^[^:\ ]*\ .*\.php?login=[^0-9]
2115
willy tarreau197e8ec2005-12-17 14:10:59 +01002116 # allow other syntactically valid requests, and block any other method
willy tarreauc5f73ed2005-12-18 01:26:38 +01002117 reqipass ^(GET|POST|HEAD|OPTIONS)\ /.*\ HTTP/1\.[01]$
2118 reqipass ^OPTIONS\ \\*\ HTTP/1\.[01]$
2119 reqideny ^[^:\ ]*\
willy tarreau197e8ec2005-12-17 14:10:59 +01002120
2121 # force connection:close, thus disabling HTTP keep-alive
willy tarreauc5f73ed2005-12-18 01:26:38 +01002122 option httpclose
willy tarreau197e8ec2005-12-17 14:10:59 +01002123
willy tarreauc5f73ed2005-12-18 01:26:38 +01002124 # change the server name
2125 rspidel ^Server:\
2126 rspadd Server:\ Formilux/0.1.8
willy tarreau197e8ec2005-12-17 14:10:59 +01002127
2128
willy tarreau982249e2005-12-18 00:57:06 +01002129Also, the 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which
willy tarreauc1cae632005-12-17 14:12:23 +01002130contains the client's IP address. This is useful to let the final web server
2131know what the client address was (eg for statistics on domains).
2132
willy tarreau982249e2005-12-18 00:57:06 +01002133Last, the 'httpclose' option removes any 'Connection' header both ways, and
2134adds a 'Connection: close' header in each direction. This makes it easier to
Willy TARREAU767ba712006-03-01 22:40:50 +01002135disable HTTP keep-alive than the previous 4-rules block.
willy tarreau982249e2005-12-18 00:57:06 +01002136
willy tarreauc1cae632005-12-17 14:12:23 +01002137Example :
2138---------
2139 listen http_proxy 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01002140 mode http
2141 log global
2142 option httplog
2143 option dontlognull
2144 option forwardfor
2145 option httpclose
2146
Willy TARREAU767ba712006-03-01 22:40:50 +01002147Note that some HTTP servers do not necessarily close the connections when they
2148receive the 'Connection: close', and if the client does not close either, then
2149the connection will be maintained up to the time-out. This translates into high
2150number of simultaneous sessions and high global session times in the logs. To
2151workaround this, a new option 'forceclose' appeared in version 1.2.9 to enforce
2152the closing of the outgoing server channel as soon as the server begins to
2153reply and only if the request buffer is empty. Note that this should NOT be
2154used if CONNECT requests are expected between the client and the server. The
2155'forceclose' option implies the 'httpclose' option.
2156
2157Example :
2158---------
2159 listen http_proxy 0.0.0.0:80
2160 mode http
2161 log global
2162 option httplog
2163 option dontlognull
2164 option forwardfor
2165 option forceclose
2166
willy tarreau197e8ec2005-12-17 14:10:59 +01002167
21684.4) Load balancing with persistence
2169------------------------------------
willy tarreau197e8ec2005-12-17 14:10:59 +01002170Combining cookie insertion with internal load balancing allows to transparently
2171bring persistence to applications. The principle is quite simple :
2172 - assign a cookie value to each server
2173 - enable the load balancing between servers
2174 - insert a cookie into responses resulting from the balancing algorithm
2175 (indirect accesses), end ensure that no upstream proxy will cache it.
2176 - remove the cookie in the request headers so that the application never sees
2177 it.
2178
2179Example :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002180---------
2181 listen application 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01002182 mode http
2183 cookie SERVERID insert nocache indirect
2184 balance roundrobin
2185 server srv1 192.168.1.1:80 cookie server01 check
2186 server srv2 192.168.1.2:80 cookie server02 check
willy tarreaueedaa9f2005-12-17 14:08:03 +01002187
willy tarreau0174f312005-12-18 01:02:42 +01002188The other solution brought by versions 1.1.30 and 1.2.3 is to reuse a cookie
2189from the server, and prefix the server's name to it. In this case, don't forget
2190to force "httpclose" mode so that you can be assured that every subsequent
2191request will have its cookie fixed.
2192
2193 listen application 0.0.0.0:80
willy tarreauc5f73ed2005-12-18 01:26:38 +01002194 mode http
2195 cookie JSESSIONID prefix
2196 balance roundrobin
2197 server srv1 192.168.1.1:80 cookie srv1 check
2198 server srv2 192.168.1.2:80 cookie srv2 check
2199 option httpclose
willy tarreau0174f312005-12-18 01:02:42 +01002200
2201
willy tarreau982249e2005-12-18 00:57:06 +010022024.5) Protection against information leak from the servers
2203---------------------------------------------------------
2204In versions 1.1.28/1.2.1, a new option 'checkcache' was created. It carefully
2205checks 'Cache-control', 'Pragma' and 'Set-cookie' headers in server response
2206to check if there's a risk of caching a cookie on a client-side proxy. When this
2207option is enabled, the only responses which can be delivered to the client are :
2208 - all those without 'Set-Cookie' header ;
2209 - all those with a return code other than 200, 203, 206, 300, 301, 410,
2210 provided that the server has not set a 'Cache-control: public' header ;
2211 - all those that come from a POST request, provided that the server has not
2212 set a 'Cache-Control: public' header ;
2213 - those with a 'Pragma: no-cache' header
2214 - those with a 'Cache-control: private' header
2215 - those with a 'Cache-control: no-store' header
2216 - those with a 'Cache-control: max-age=0' header
2217 - those with a 'Cache-control: s-maxage=0' header
2218 - those with a 'Cache-control: no-cache' header
2219 - those with a 'Cache-control: no-cache="set-cookie"' header
2220 - those with a 'Cache-control: no-cache="set-cookie,' header
2221 (allowing other fields after set-cookie)
willy tarreaueedaa9f2005-12-17 14:08:03 +01002222
willy tarreau982249e2005-12-18 00:57:06 +01002223If a response doesn't respect these requirements, then it will be blocked just
2224as if it was from an 'rspdeny' filter, with an "HTTP 502 bad gateway". The
2225session state shows "PH--" meaning that the proxy blocked the response during
2226headers processing. Additionnaly, an alert will be sent in the logs so that
2227admins are told that there's something to be done.
2228
willy tarreauc5f73ed2005-12-18 01:26:38 +01002229
willy tarreau982249e2005-12-18 00:57:06 +010022304.6) Customizing errors
2231-----------------------
willy tarreau197e8ec2005-12-17 14:10:59 +01002232Some situations can make haproxy return an HTTP error code to the client :
2233 - invalid or too long request => HTTP 400
2234 - request not completely sent in time => HTTP 408
2235 - forbidden request (matches a deny filter) => HTTP 403
2236 - internal error in haproxy => HTTP 500
2237 - the server returned an invalid or incomplete response => HTTP 502
2238 - no server was available to handle the request => HTTP 503
2239 - the server failed to reply in time => HTTP 504
willy tarreaueedaa9f2005-12-17 14:08:03 +01002240
willy tarreau197e8ec2005-12-17 14:10:59 +01002241A succint error message taken from the RFC accompanies these return codes.
2242But depending on the clients knowledge, it may be better to return custom, user
2243friendly, error pages. This is made possible through the use of the 'errorloc'
2244command :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002245
willy tarreau197e8ec2005-12-17 14:10:59 +01002246 errorloc <HTTP_code> <location>
willy tarreaueedaa9f2005-12-17 14:08:03 +01002247
willy tarreau197e8ec2005-12-17 14:10:59 +01002248Instead of generating an HTTP error <HTTP_code> among those above, the proxy
2249will return a temporary redirection code (HTTP 302) towards the address
2250specified in <location>. This address may be either relative to the site or
2251absolute. Since this request will be handled by the client's browser, it's
2252mandatory that the returned address be reachable from the outside.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002253
willy tarreau197e8ec2005-12-17 14:10:59 +01002254Example :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002255---------
2256 listen application 0.0.0.0:80
2257 errorloc 400 /badrequest.html
2258 errorloc 403 /forbidden.html
2259 errorloc 408 /toolong.html
willy tarreauc5f73ed2005-12-18 01:26:38 +01002260 errorloc 500 http://haproxy.domain.net/bugreport.html
willy tarreaueedaa9f2005-12-17 14:08:03 +01002261 errorloc 502 http://192.168.114.58/error50x.html
2262 errorloc 503 http://192.168.114.58/error50x.html
2263 errorloc 504 http://192.168.114.58/error50x.html
2264
willy tarreauc1f47532005-12-18 01:08:26 +01002265Note: RFC2616 says that a client must reuse the same method to fetch the
2266Location returned by a 302, which causes problems with the POST method.
2267The return code 303 was designed explicitly to force the client to fetch the
2268Location URL with the GET method, but there are some browsers pre-dating
2269HTTP/1.1 which don't support it. Anyway, most browsers still behave with 302 as
willy tarreauc5f73ed2005-12-18 01:26:38 +01002270if it was a 303. In order to allow the user to chose, versions 1.1.31 and 1.2.5
2271bring two new keywords to replace 'errorloc' : 'errorloc302' and 'errorloc303'.
willy tarreauc1f47532005-12-18 01:08:26 +01002272
2273They are preffered over errorloc (which still does 302). Consider using
2274errorloc303 everytime you know that your clients support HTTP 303 responses..
2275
2276
willy tarreau982249e2005-12-18 00:57:06 +010022774.7) Modifying default values
willy tarreau197e8ec2005-12-17 14:10:59 +01002278-----------------------------
willy tarreau197e8ec2005-12-17 14:10:59 +01002279Version 1.1.22 introduced the notion of default values, which eliminates the
2280pain of often repeating common parameters between many instances, such as
2281logs, timeouts, modes, etc...
willy tarreaueedaa9f2005-12-17 14:08:03 +01002282
willy tarreau197e8ec2005-12-17 14:10:59 +01002283Default values are set in a 'defaults' section. Each of these section clears
2284all previously set default parameters, so there may be as many default
2285parameters as needed. Only the last one before a 'listen' section will be
2286used for this section. The 'defaults' section uses the same syntax as the
2287'listen' section, for the supported parameters. The 'defaults' keyword ignores
2288everything on its command line, so that fake instance names can be specified
2289there for better clarity.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002290
willy tarreau982249e2005-12-18 00:57:06 +01002291In version 1.1.28/1.2.1, only those parameters can be preset in the 'default'
willy tarreau197e8ec2005-12-17 14:10:59 +01002292section :
2293 - log (the first and second one)
willy tarreaueedaa9f2005-12-17 14:08:03 +01002294 - mode { tcp, http, health }
2295 - balance { roundrobin }
willy tarreau197e8ec2005-12-17 14:10:59 +01002296 - disabled (to disable every further instances)
2297 - enabled (to enable every further instances, this is the default)
willy tarreaueedaa9f2005-12-17 14:08:03 +01002298 - contimeout, clitimeout, srvtimeout, grace, retries, maxconn
willy tarreau982249e2005-12-18 00:57:06 +01002299 - option { redispatch, transparent, keepalive, forwardfor, logasap, httpclose,
2300 checkcache, httplog, tcplog, dontlognull, persist, httpchk }
willy tarreaueedaa9f2005-12-17 14:08:03 +01002301 - redispatch, redisp, transparent, source { addr:port }
2302 - cookie, capture
2303 - errorloc
2304
willy tarreau197e8ec2005-12-17 14:10:59 +01002305As of 1.1.24, it is not possible to put certain parameters in a 'defaults'
2306section, mainly regular expressions and server configurations :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002307 - dispatch, server,
willy tarreau197e8ec2005-12-17 14:10:59 +01002308 - req*, rsp*
willy tarreaueedaa9f2005-12-17 14:08:03 +01002309
willy tarreau197e8ec2005-12-17 14:10:59 +01002310Last, there's no way yet to change a boolean option from its assigned default
2311value. So if an 'option' statement is set in a 'defaults' section, the only
2312way to flush it is to redefine a new 'defaults' section without this 'option'.
willy tarreaueedaa9f2005-12-17 14:08:03 +01002313
willy tarreau197e8ec2005-12-17 14:10:59 +01002314Examples :
willy tarreaueedaa9f2005-12-17 14:08:03 +01002315----------
2316 defaults applications TCP
willy tarreauc5f73ed2005-12-18 01:26:38 +01002317 log global
2318 mode tcp
2319 balance roundrobin
2320 clitimeout 180000
2321 srvtimeout 180000
2322 contimeout 4000
2323 retries 3
2324 redispatch
willy tarreaueedaa9f2005-12-17 14:08:03 +01002325
2326 listen app_tcp1 10.0.0.1:6000-6063
willy tarreauc5f73ed2005-12-18 01:26:38 +01002327 server srv1 192.168.1.1 check port 6000 inter 10000
2328 server srv2 192.168.1.2 backup
willy tarreaueedaa9f2005-12-17 14:08:03 +01002329
2330 listen app_tcp2 10.0.0.2:6000-6063
willy tarreauc5f73ed2005-12-18 01:26:38 +01002331 server srv1 192.168.2.1 check port 6000 inter 10000
2332 server srv2 192.168.2.2 backup
willy tarreaueedaa9f2005-12-17 14:08:03 +01002333
2334 defaults applications HTTP
willy tarreauc5f73ed2005-12-18 01:26:38 +01002335 log global
2336 mode http
2337 option httplog
2338 option forwardfor
2339 option dontlognull
2340 balance roundrobin
2341 clitimeout 20000
2342 srvtimeout 20000
2343 contimeout 4000
2344 retries 3
willy tarreaueedaa9f2005-12-17 14:08:03 +01002345
2346 listen app_http1 10.0.0.1:80-81
willy tarreauc5f73ed2005-12-18 01:26:38 +01002347 cookie SERVERID postonly insert indirect
2348 capture cookie userid= len 10
2349 server srv1 192.168.1.1:+8000 cookie srv1 check port 8080 inter 1000
2350 server srv1 192.168.1.2:+8000 cookie srv2 check port 8080 inter 1000
willy tarreaueedaa9f2005-12-17 14:08:03 +01002351
2352 defaults
willy tarreauc5f73ed2005-12-18 01:26:38 +01002353 # this empty section voids all default parameters
willy tarreaueedaa9f2005-12-17 14:08:03 +01002354
willy tarreau481132e2006-05-21 21:43:10 +02002355
23564.8) Status report in HTML page
2357-------------------------------
2358Starting with 1.2.14, it is possible for HAProxy to intercept requests for a
2359particular URI and return a full report of the proxy's activity and servers
2360statistics. This is available through the 'stats' keyword, associated to any
2361such options :
2362
2363 - stats enable
2364 - stats uri <uri prefix>
2365 - stats realm <authentication realm>
2366 - stats auth <user:password>
2367 - stats scope <proxy_id> | '.'
2368
2369By default, the status report is disabled. Specifying any combination above
2370enables it for the proxy instance referencing it. The easiest solution is to
2371use "stats enable" which will enable the report with default parameters :
2372
2373 - default URI : "/haproxy?stats" (CONFIG_STATS_DEFAULT_URI)
2374 - default auth : unspecified (no authentication)
2375 - default realm : "HAProxy Statistics" (CONFIG_STATS_DEFAULT_REALM)
2376 - default scope : unspecified (access to all instances)
2377
2378The "stats uri <uri_prefix>" option allows one to intercept another URI prefix.
2379Note that any URI that BEGINS with this string will match. For instance, one
2380proxy instance might be dedicated to status page only and would reply to any
2381URI.
2382
2383Example :
2384---------
2385 # catches any URI and returns the status page.
2386 listen stats :8080
2387 mode http
2388 stats uri /
2389
2390The "stats auth <user:password>" option enables Basic authentication and adds a
2391valid user:password combination to the list of authorized accounts. The user
2392and password are passed in the configuration file as clear text, and since this
2393is HTTP Basic authentication, you should be aware that it transits as clear
2394text on the network, so you must not use any sensible account. The list is
2395unlimited in order to provide easy accesses to developpers or customers.
2396
2397The "stats realm <realm>" option defines the "realm" name which is displayed
2398in the popup box when the browser asks for a password. It's important to ensure
2399that this one is not used by the application, otherwise the browser will try to
2400use a cached one from the application. Note that any space in the realm name
2401should be escaped with a backslash ('\').
2402
2403The "stats scope <proxy_id>" option limits the scope of the status report. By
2404default, all proxy instances are listed. But under some circumstances, it would
2405be better to limit the listing to some proxies or only to the current one. This
2406is what this option does. The special proxy name "." (a single dot) references
2407the current proxy. The proxy name can be repeated multiple times, even for
2408proxies defined later in the configuration or some which do not exist. The name
2409is the one which appears after the 'listen' keyword.
2410
2411Example :
2412---------
2413 # simple application with authenticated embedded status report
2414 listen app1 192.168.1.100:80
2415 mode http
willy tarreaud4ba08d2006-05-21 21:54:14 +02002416 option httpclose
willy tarreau481132e2006-05-21 21:43:10 +02002417 balance roundrobin
2418 cookie SERVERID postonly insert indirect
2419 server srv1 192.168.1.1:8080 cookie srv1 check inter 1000
2420 server srv1 192.168.1.2:8080 cookie srv2 check inter 1000
2421 stats uri /my_stats
willy tarreaud4ba08d2006-05-21 21:54:14 +02002422 stats realm Statistics\ for\ MyApp1-2
2423 stats auth guest:guest
2424 stats auth admin:AdMiN123
2425 stats scope .
2426 stats scope app2
willy tarreau481132e2006-05-21 21:43:10 +02002427
2428 # simple application with anonymous embedded status report
2429 listen app2 192.168.2.100:80
2430 mode http
willy tarreaud4ba08d2006-05-21 21:54:14 +02002431 option httpclose
willy tarreau481132e2006-05-21 21:43:10 +02002432 balance roundrobin
2433 cookie SERVERID postonly insert indirect
2434 server srv1 192.168.2.1:8080 cookie srv1 check inter 1000
2435 server srv1 192.168.2.2:8080 cookie srv2 check inter 1000
2436 stats uri /my_stats
willy tarreaud4ba08d2006-05-21 21:54:14 +02002437 stats realm Statistics\ for\ MyApp2
2438 stats scope .
willy tarreau481132e2006-05-21 21:43:10 +02002439
2440 listen admin_page :8080
2441 mode http
2442 stats uri /my_stats
willy tarreaud4ba08d2006-05-21 21:54:14 +02002443 stats realm Global\ statistics
2444 stats auth admin:AdMiN123
willy tarreau481132e2006-05-21 21:43:10 +02002445
2446Notes :
2447-------
2448 - The 'stats' options can also be specified in the 'defaults' section, in
2449 which case it will provide the exact same configuration to all further
2450 instances (hence the usefulness of the scope "."). However, if an instance
2451 redefines any 'stats' parameter, defaults will not be used for this
2452 instance.
2453
2454 - HTTP Basic authentication is very basic and unsecure from snooping. No
2455 sensible password should be used, and be aware that there is no way to
2456 remove it from the browser so it will be sent to the whole application
2457 upon further accesses.
2458
willy tarreaud4ba08d2006-05-21 21:54:14 +02002459 - It is very important that the 'option httpclose' is specified, otherwise
2460 the proxy will not be able to detect the URI within keep-alive sessions
2461 maintained between the browser and the servers, so the stats URI will be
2462 forwarded unmodified to the server as if the option was not set.
2463
willy tarreau481132e2006-05-21 21:43:10 +02002464
willy tarreau197e8ec2005-12-17 14:10:59 +01002465=========================
2466| System-specific setup |
2467=========================
willy tarreaueedaa9f2005-12-17 14:08:03 +01002468
willy tarreau197e8ec2005-12-17 14:10:59 +01002469Linux 2.4
2470=========
willy tarreaueedaa9f2005-12-17 14:08:03 +01002471
2472-- cut here --
2473#!/bin/sh
2474# set this to about 256/4M (16384 for 256M machine)
2475MAXFILES=16384
2476echo $MAXFILES > /proc/sys/fs/file-max
2477ulimit -n $MAXFILES
2478
2479if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
willy tarreauc5f73ed2005-12-18 01:26:38 +01002480 echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
willy tarreaueedaa9f2005-12-17 14:08:03 +01002481fi
2482
2483if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_tcp_timeout_fin_wait ]; then
willy tarreauc5f73ed2005-12-18 01:26:38 +01002484 # 30 seconds for fin, 15 for time wait
2485 echo 3000 > /proc/sys/net/ipv4/netfilter/ip_ct_tcp_timeout_fin_wait
2486 echo 1500 > /proc/sys/net/ipv4/netfilter/ip_ct_tcp_timeout_time_wait
2487 echo 0 > /proc/sys/net/ipv4/netfilter/ip_ct_tcp_log_invalid_scale
2488 echo 0 > /proc/sys/net/ipv4/netfilter/ip_ct_tcp_log_out_of_window
willy tarreaueedaa9f2005-12-17 14:08:03 +01002489fi
2490
2491echo 1024 60999 > /proc/sys/net/ipv4/ip_local_port_range
2492echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
2493echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
2494echo 262144 > /proc/sys/net/ipv4/tcp_max_tw_buckets
2495echo 262144 > /proc/sys/net/ipv4/tcp_max_orphans
2496echo 300 > /proc/sys/net/ipv4/tcp_keepalive_time
2497echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
2498echo 0 > /proc/sys/net/ipv4/tcp_timestamps
2499echo 0 > /proc/sys/net/ipv4/tcp_ecn
willy tarreauc5f73ed2005-12-18 01:26:38 +01002500echo 1 > /proc/sys/net/ipv4/tcp_sack
willy tarreaueedaa9f2005-12-17 14:08:03 +01002501echo 0 > /proc/sys/net/ipv4/tcp_dsack
2502
2503# auto-tuned on 2.4
2504#echo 262143 > /proc/sys/net/core/rmem_max
2505#echo 262143 > /proc/sys/net/core/rmem_default
2506
2507echo 16384 65536 524288 > /proc/sys/net/ipv4/tcp_rmem
2508echo 16384 349520 699040 > /proc/sys/net/ipv4/tcp_wmem
2509
2510-- cut here --
2511
willy tarreau197e8ec2005-12-17 14:10:59 +01002512
2513FreeBSD
2514=======
2515
2516A FreeBSD port of HA-Proxy is now available and maintained, thanks to
2517Clement Laforet <sheepkiller@cultdeadsheep.org>.
2518
2519For more information :
2520http://www.freebsd.org/cgi/url.cgi?ports/net/haproxy/pkg-descr
2521http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/haproxy/
2522http://www.freshports.org/net/haproxy
2523
2524
2525-- end --