Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1 | ---------------------- |
| 2 | HAProxy |
| 3 | Configuration Manual |
| 4 | ---------------------- |
Willy Tarreau | 21475e3 | 2010-05-23 08:46:08 +0200 | [diff] [blame] | 5 | version 1.5 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 6 | willy tarreau |
Willy Tarreau | 02c7c14 | 2012-06-04 00:43:45 +0200 | [diff] [blame] | 7 | 2012/06/04 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 8 | |
| 9 | |
| 10 | This document covers the configuration language as implemented in the version |
| 11 | specified above. It does not provide any hint, example or advice. For such |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 12 | documentation, please refer to the Reference Manual or the Architecture Manual. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 13 | The summary below is meant to help you search sections by name and navigate |
| 14 | through the document. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 15 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 16 | Note to documentation contributors : |
| 17 | This document is formated with 80 columns per line, with even number of |
| 18 | spaces for indentation and without tabs. Please follow these rules strictly |
| 19 | so that it remains easily printable everywhere. If a line needs to be |
| 20 | printed verbatim and does not fit, please end each line with a backslash |
Willy Tarreau | 62a36c4 | 2010-08-17 15:53:10 +0200 | [diff] [blame] | 21 | ('\') and continue on next line, indented by two characters. It is also |
| 22 | sometimes useful to prefix all output lines (logs, console outs) with 3 |
| 23 | closing angle brackets ('>>>') in order to help get the difference between |
| 24 | inputs and outputs when it can become ambiguous. If you add sections, |
| 25 | please update the summary below for easier searching. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 26 | |
| 27 | |
| 28 | Summary |
| 29 | ------- |
| 30 | |
| 31 | 1. Quick reminder about HTTP |
| 32 | 1.1. The HTTP transaction model |
| 33 | 1.2. HTTP request |
| 34 | 1.2.1. The Request line |
| 35 | 1.2.2. The request headers |
| 36 | 1.3. HTTP response |
| 37 | 1.3.1. The Response line |
| 38 | 1.3.2. The response headers |
| 39 | |
| 40 | 2. Configuring HAProxy |
| 41 | 2.1. Configuration file format |
| 42 | 2.2. Time format |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 43 | 2.3. Examples |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 44 | |
| 45 | 3. Global parameters |
| 46 | 3.1. Process management and security |
| 47 | 3.2. Performance tuning |
| 48 | 3.3. Debugging |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 49 | 3.4. Userlists |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 50 | 3.5. Peers |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 51 | |
| 52 | 4. Proxies |
| 53 | 4.1. Proxy keywords matrix |
| 54 | 4.2. Alphabetically sorted keywords reference |
| 55 | |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 56 | 5. Server and default-server options |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 57 | |
| 58 | 6. HTTP header manipulation |
| 59 | |
Cyril Bonté | 7d38afb | 2010-02-03 20:41:26 +0100 | [diff] [blame] | 60 | 7. Using ACLs and pattern extraction |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 61 | 7.1. Matching integers |
| 62 | 7.2. Matching strings |
| 63 | 7.3. Matching regular expressions (regexes) |
Willy Tarreau | ceb4ac9 | 2012-04-28 00:41:46 +0200 | [diff] [blame] | 64 | 7.4. Matching IPv4 and IPv6 addresses |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 65 | 7.5. Available matching criteria |
| 66 | 7.5.1. Matching at Layer 4 and below |
| 67 | 7.5.2. Matching contents at Layer 4 |
| 68 | 7.5.3. Matching at Layer 7 |
| 69 | 7.6. Pre-defined ACLs |
| 70 | 7.7. Using ACLs to form conditions |
Cyril Bonté | 7d38afb | 2010-02-03 20:41:26 +0100 | [diff] [blame] | 71 | 7.8. Pattern extraction |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 72 | |
| 73 | 8. Logging |
| 74 | 8.1. Log levels |
| 75 | 8.2. Log formats |
| 76 | 8.2.1. Default log format |
| 77 | 8.2.2. TCP log format |
| 78 | 8.2.3. HTTP log format |
William Lallemand | 4894040 | 2012-01-30 16:47:22 +0100 | [diff] [blame] | 79 | 8.2.4. Custom log format |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 80 | 8.3. Advanced logging options |
| 81 | 8.3.1. Disabling logging of external tests |
| 82 | 8.3.2. Logging before waiting for the session to terminate |
| 83 | 8.3.3. Raising log level upon errors |
| 84 | 8.3.4. Disabling logging of successful connections |
| 85 | 8.4. Timing events |
| 86 | 8.5. Session state at disconnection |
| 87 | 8.6. Non-printable characters |
| 88 | 8.7. Capturing HTTP cookies |
| 89 | 8.8. Capturing HTTP headers |
| 90 | 8.9. Examples of logs |
| 91 | |
| 92 | 9. Statistics and monitoring |
| 93 | 9.1. CSV format |
| 94 | 9.2. Unix Socket commands |
| 95 | |
| 96 | |
| 97 | 1. Quick reminder about HTTP |
| 98 | ---------------------------- |
| 99 | |
| 100 | When haproxy is running in HTTP mode, both the request and the response are |
| 101 | fully analyzed and indexed, thus it becomes possible to build matching criteria |
| 102 | on almost anything found in the contents. |
| 103 | |
| 104 | However, it is important to understand how HTTP requests and responses are |
| 105 | formed, and how HAProxy decomposes them. It will then become easier to write |
| 106 | correct rules and to debug existing configurations. |
| 107 | |
| 108 | |
| 109 | 1.1. The HTTP transaction model |
| 110 | ------------------------------- |
| 111 | |
| 112 | The HTTP protocol is transaction-driven. This means that each request will lead |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 113 | to one and only one response. Traditionally, a TCP connection is established |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 114 | from the client to the server, a request is sent by the client on the |
| 115 | connection, the server responds and the connection is closed. A new request |
| 116 | will involve a new connection : |
| 117 | |
| 118 | [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ... |
| 119 | |
| 120 | In this mode, called the "HTTP close" mode, there are as many connection |
| 121 | establishments as there are HTTP transactions. Since the connection is closed |
| 122 | by the server after the response, the client does not need to know the content |
| 123 | length. |
| 124 | |
| 125 | Due to the transactional nature of the protocol, it was possible to improve it |
| 126 | to avoid closing a connection between two subsequent transactions. In this mode |
| 127 | however, it is mandatory that the server indicates the content length for each |
| 128 | response so that the client does not wait indefinitely. For this, a special |
| 129 | header is used: "Content-length". This mode is called the "keep-alive" mode : |
| 130 | |
| 131 | [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ... |
| 132 | |
| 133 | Its advantages are a reduced latency between transactions, and less processing |
| 134 | power required on the server side. It is generally better than the close mode, |
| 135 | but not always because the clients often limit their concurrent connections to |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 136 | a smaller value. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 137 | |
| 138 | A last improvement in the communications is the pipelining mode. It still uses |
| 139 | keep-alive, but the client does not wait for the first response to send the |
| 140 | second request. This is useful for fetching large number of images composing a |
| 141 | page : |
| 142 | |
| 143 | [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ... |
| 144 | |
| 145 | This can obviously have a tremendous benefit on performance because the network |
| 146 | latency is eliminated between subsequent requests. Many HTTP agents do not |
| 147 | correctly support pipelining since there is no way to associate a response with |
| 148 | the corresponding request in HTTP. For this reason, it is mandatory for the |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 149 | server to reply in the exact same order as the requests were received. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 150 | |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 151 | By default HAProxy operates in a tunnel-like mode with regards to persistent |
| 152 | connections: for each connection it processes the first request and forwards |
| 153 | everything else (including additional requests) to selected server. Once |
| 154 | established, the connection is persisted both on the client and server |
| 155 | sides. Use "option http-server-close" to preserve client persistent connections |
| 156 | while handling every incoming request individually, dispatching them one after |
| 157 | another to servers, in HTTP close mode. Use "option httpclose" to switch both |
| 158 | sides to HTTP close mode. "option forceclose" and "option |
| 159 | http-pretend-keepalive" help working around servers misbehaving in HTTP close |
| 160 | mode. |
| 161 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 162 | |
| 163 | 1.2. HTTP request |
| 164 | ----------------- |
| 165 | |
| 166 | First, let's consider this HTTP request : |
| 167 | |
| 168 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 169 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 170 | 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1 |
| 171 | 2 Host: www.mydomain.com |
| 172 | 3 User-agent: my small browser |
| 173 | 4 Accept: image/jpeg, image/gif |
| 174 | 5 Accept: image/png |
| 175 | |
| 176 | |
| 177 | 1.2.1. The Request line |
| 178 | ----------------------- |
| 179 | |
| 180 | Line 1 is the "request line". It is always composed of 3 fields : |
| 181 | |
| 182 | - a METHOD : GET |
| 183 | - a URI : /serv/login.php?lang=en&profile=2 |
| 184 | - a version tag : HTTP/1.1 |
| 185 | |
| 186 | All of them are delimited by what the standard calls LWS (linear white spaces), |
| 187 | which are commonly spaces, but can also be tabs or line feeds/carriage returns |
| 188 | followed by spaces/tabs. The method itself cannot contain any colon (':') and |
| 189 | is limited to alphabetic letters. All those various combinations make it |
| 190 | desirable that HAProxy performs the splitting itself rather than leaving it to |
| 191 | the user to write a complex or inaccurate regular expression. |
| 192 | |
| 193 | The URI itself can have several forms : |
| 194 | |
| 195 | - A "relative URI" : |
| 196 | |
| 197 | /serv/login.php?lang=en&profile=2 |
| 198 | |
| 199 | It is a complete URL without the host part. This is generally what is |
| 200 | received by servers, reverse proxies and transparent proxies. |
| 201 | |
| 202 | - An "absolute URI", also called a "URL" : |
| 203 | |
| 204 | http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 |
| 205 | |
| 206 | It is composed of a "scheme" (the protocol name followed by '://'), a host |
| 207 | name or address, optionally a colon (':') followed by a port number, then |
| 208 | a relative URI beginning at the first slash ('/') after the address part. |
| 209 | This is generally what proxies receive, but a server supporting HTTP/1.1 |
| 210 | must accept this form too. |
| 211 | |
| 212 | - a star ('*') : this form is only accepted in association with the OPTIONS |
| 213 | method and is not relayable. It is used to inquiry a next hop's |
| 214 | capabilities. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 215 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 216 | - an address:port combination : 192.168.0.12:80 |
| 217 | This is used with the CONNECT method, which is used to establish TCP |
| 218 | tunnels through HTTP proxies, generally for HTTPS, but sometimes for |
| 219 | other protocols too. |
| 220 | |
| 221 | In a relative URI, two sub-parts are identified. The part before the question |
| 222 | mark is called the "path". It is typically the relative path to static objects |
| 223 | on the server. The part after the question mark is called the "query string". |
| 224 | It is mostly used with GET requests sent to dynamic scripts and is very |
| 225 | specific to the language, framework or application in use. |
| 226 | |
| 227 | |
| 228 | 1.2.2. The request headers |
| 229 | -------------------------- |
| 230 | |
| 231 | The headers start at the second line. They are composed of a name at the |
| 232 | beginning of the line, immediately followed by a colon (':'). Traditionally, |
| 233 | an LWS is added after the colon but that's not required. Then come the values. |
| 234 | Multiple identical headers may be folded into one single line, delimiting the |
| 235 | values with commas, provided that their order is respected. This is commonly |
| 236 | encountered in the "Cookie:" field. A header may span over multiple lines if |
| 237 | the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5 |
| 238 | define a total of 3 values for the "Accept:" header. |
| 239 | |
| 240 | Contrary to a common mis-conception, header names are not case-sensitive, and |
| 241 | their values are not either if they refer to other header names (such as the |
| 242 | "Connection:" header). |
| 243 | |
| 244 | The end of the headers is indicated by the first empty line. People often say |
| 245 | that it's a double line feed, which is not exact, even if a double line feed |
| 246 | is one valid form of empty line. |
| 247 | |
| 248 | Fortunately, HAProxy takes care of all these complex combinations when indexing |
| 249 | headers, checking values and counting them, so there is no reason to worry |
| 250 | about the way they could be written, but it is important not to accuse an |
| 251 | application of being buggy if it does unusual, valid things. |
| 252 | |
| 253 | Important note: |
| 254 | As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks |
| 255 | in the middle of headers by LWS in order to join multi-line headers. This |
| 256 | is necessary for proper analysis and helps less capable HTTP parsers to work |
| 257 | correctly and not to be fooled by such complex constructs. |
| 258 | |
| 259 | |
| 260 | 1.3. HTTP response |
| 261 | ------------------ |
| 262 | |
| 263 | An HTTP response looks very much like an HTTP request. Both are called HTTP |
| 264 | messages. Let's consider this HTTP response : |
| 265 | |
| 266 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 267 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 268 | 1 HTTP/1.1 200 OK |
| 269 | 2 Content-length: 350 |
| 270 | 3 Content-Type: text/html |
| 271 | |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 272 | As a special case, HTTP supports so called "Informational responses" as status |
| 273 | codes 1xx. These messages are special in that they don't convey any part of the |
| 274 | response, they're just used as sort of a signaling message to ask a client to |
Willy Tarreau | 5843d1a | 2010-02-01 15:13:32 +0100 | [diff] [blame] | 275 | continue to post its request for instance. In the case of a status 100 response |
| 276 | the requested information will be carried by the next non-100 response message |
| 277 | following the informational one. This implies that multiple responses may be |
| 278 | sent to a single request, and that this only works when keep-alive is enabled |
| 279 | (1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to |
| 280 | correctly forward and skip them, and only process the next non-100 response. As |
| 281 | such, these messages are neither logged nor transformed, unless explicitly |
| 282 | state otherwise. Status 101 messages indicate that the protocol is changing |
| 283 | over the same connection and that haproxy must switch to tunnel mode, just as |
| 284 | if a CONNECT had occurred. Then the Upgrade header would contain additional |
| 285 | information about the type of protocol the connection is switching to. |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 286 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 287 | |
| 288 | 1.3.1. The Response line |
| 289 | ------------------------ |
| 290 | |
| 291 | Line 1 is the "response line". It is always composed of 3 fields : |
| 292 | |
| 293 | - a version tag : HTTP/1.1 |
| 294 | - a status code : 200 |
| 295 | - a reason : OK |
| 296 | |
| 297 | The status code is always 3-digit. The first digit indicates a general status : |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 298 | - 1xx = informational message to be skipped (eg: 100, 101) |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 299 | - 2xx = OK, content is following (eg: 200, 206) |
| 300 | - 3xx = OK, no content following (eg: 302, 304) |
| 301 | - 4xx = error caused by the client (eg: 401, 403, 404) |
| 302 | - 5xx = error caused by the server (eg: 500, 502, 503) |
| 303 | |
| 304 | Please refer to RFC2616 for the detailed meaning of all such codes. The |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 305 | "reason" field is just a hint, but is not parsed by clients. Anything can be |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 306 | found there, but it's a common practice to respect the well-established |
| 307 | messages. It can be composed of one or multiple words, such as "OK", "Found", |
| 308 | or "Authentication Required". |
| 309 | |
| 310 | Haproxy may emit the following status codes by itself : |
| 311 | |
| 312 | Code When / reason |
| 313 | 200 access to stats page, and when replying to monitoring requests |
| 314 | 301 when performing a redirection, depending on the configured code |
| 315 | 302 when performing a redirection, depending on the configured code |
| 316 | 303 when performing a redirection, depending on the configured code |
| 317 | 400 for an invalid or too large request |
| 318 | 401 when an authentication is required to perform the action (when |
| 319 | accessing the stats page) |
| 320 | 403 when a request is forbidden by a "block" ACL or "reqdeny" filter |
| 321 | 408 when the request timeout strikes before the request is complete |
| 322 | 500 when haproxy encounters an unrecoverable internal error, such as a |
| 323 | memory allocation failure, which should never happen |
| 324 | 502 when the server returns an empty, invalid or incomplete response, or |
| 325 | when an "rspdeny" filter blocks the response. |
| 326 | 503 when no server was available to handle the request, or in response to |
| 327 | monitoring requests which match the "monitor fail" condition |
| 328 | 504 when the response timeout strikes before the server responds |
| 329 | |
| 330 | The error 4xx and 5xx codes above may be customized (see "errorloc" in section |
| 331 | 4.2). |
| 332 | |
| 333 | |
| 334 | 1.3.2. The response headers |
| 335 | --------------------------- |
| 336 | |
| 337 | Response headers work exactly like request headers, and as such, HAProxy uses |
| 338 | the same parsing function for both. Please refer to paragraph 1.2.2 for more |
| 339 | details. |
| 340 | |
| 341 | |
| 342 | 2. Configuring HAProxy |
| 343 | ---------------------- |
| 344 | |
| 345 | 2.1. Configuration file format |
| 346 | ------------------------------ |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 347 | |
| 348 | HAProxy's configuration process involves 3 major sources of parameters : |
| 349 | |
| 350 | - the arguments from the command-line, which always take precedence |
| 351 | - the "global" section, which sets process-wide parameters |
| 352 | - the proxies sections which can take form of "defaults", "listen", |
| 353 | "frontend" and "backend". |
| 354 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 355 | The configuration file syntax consists in lines beginning with a keyword |
| 356 | referenced in this manual, optionally followed by one or several parameters |
| 357 | delimited by spaces. If spaces have to be entered in strings, then they must be |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 358 | preceded by a backslash ('\') to be escaped. Backslashes also have to be |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 359 | escaped by doubling them. |
| 360 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 361 | |
| 362 | 2.2. Time format |
| 363 | ---------------- |
| 364 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 365 | Some parameters involve values representing time, such as timeouts. These |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 366 | values are generally expressed in milliseconds (unless explicitly stated |
| 367 | otherwise) but may be expressed in any other unit by suffixing the unit to the |
| 368 | numeric value. It is important to consider this because it will not be repeated |
| 369 | for every keyword. Supported units are : |
| 370 | |
| 371 | - us : microseconds. 1 microsecond = 1/1000000 second |
| 372 | - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default. |
| 373 | - s : seconds. 1s = 1000ms |
| 374 | - m : minutes. 1m = 60s = 60000ms |
| 375 | - h : hours. 1h = 60m = 3600s = 3600000ms |
| 376 | - d : days. 1d = 24h = 1440m = 86400s = 86400000ms |
| 377 | |
| 378 | |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 379 | 2.3. Examples |
| 380 | ------------- |
| 381 | |
| 382 | # Simple configuration for an HTTP proxy listening on port 80 on all |
| 383 | # interfaces and forwarding requests to a single backend "servers" with a |
| 384 | # single server "server1" listening on 127.0.0.1:8000 |
| 385 | global |
| 386 | daemon |
| 387 | maxconn 256 |
| 388 | |
| 389 | defaults |
| 390 | mode http |
| 391 | timeout connect 5000ms |
| 392 | timeout client 50000ms |
| 393 | timeout server 50000ms |
| 394 | |
| 395 | frontend http-in |
| 396 | bind *:80 |
| 397 | default_backend servers |
| 398 | |
| 399 | backend servers |
| 400 | server server1 127.0.0.1:8000 maxconn 32 |
| 401 | |
| 402 | |
| 403 | # The same configuration defined with a single listen block. Shorter but |
| 404 | # less expressive, especially in HTTP mode. |
| 405 | global |
| 406 | daemon |
| 407 | maxconn 256 |
| 408 | |
| 409 | defaults |
| 410 | mode http |
| 411 | timeout connect 5000ms |
| 412 | timeout client 50000ms |
| 413 | timeout server 50000ms |
| 414 | |
| 415 | listen http-in |
| 416 | bind *:80 |
| 417 | server server1 127.0.0.1:8000 maxconn 32 |
| 418 | |
| 419 | |
| 420 | Assuming haproxy is in $PATH, test these configurations in a shell with: |
| 421 | |
Willy Tarreau | ccb289d | 2010-12-11 20:19:38 +0100 | [diff] [blame] | 422 | $ sudo haproxy -f configuration.conf -c |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 423 | |
| 424 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 425 | 3. Global parameters |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 426 | -------------------- |
| 427 | |
| 428 | Parameters in the "global" section are process-wide and often OS-specific. They |
| 429 | are generally set once for all and do not need being changed once correct. Some |
| 430 | of them have command-line equivalents. |
| 431 | |
| 432 | The following keywords are supported in the "global" section : |
| 433 | |
| 434 | * Process management and security |
| 435 | - chroot |
| 436 | - daemon |
| 437 | - gid |
| 438 | - group |
| 439 | - log |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 440 | - log-send-hostname |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 441 | - nbproc |
| 442 | - pidfile |
| 443 | - uid |
| 444 | - ulimit-n |
| 445 | - user |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 446 | - stats |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 447 | - node |
| 448 | - description |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 449 | - unix-bind |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 450 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 451 | * Performance tuning |
| 452 | - maxconn |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 453 | - maxconnrate |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 454 | - maxpipes |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 455 | - noepoll |
| 456 | - nokqueue |
| 457 | - nopoll |
| 458 | - nosepoll |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 459 | - nosplice |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 460 | - spread-checks |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 461 | - tune.bufsize |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 462 | - tune.chksize |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 463 | - tune.http.maxhdr |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 464 | - tune.maxaccept |
| 465 | - tune.maxpollevents |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 466 | - tune.maxrewrite |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 467 | - tune.pipesize |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 468 | - tune.rcvbuf.client |
| 469 | - tune.rcvbuf.server |
| 470 | - tune.sndbuf.client |
| 471 | - tune.sndbuf.server |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 472 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 473 | * Debugging |
| 474 | - debug |
| 475 | - quiet |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 476 | |
| 477 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 478 | 3.1. Process management and security |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 479 | ------------------------------------ |
| 480 | |
| 481 | chroot <jail dir> |
| 482 | Changes current directory to <jail dir> and performs a chroot() there before |
| 483 | dropping privileges. This increases the security level in case an unknown |
| 484 | vulnerability would be exploited, since it would make it very hard for the |
| 485 | attacker to exploit the system. This only works when the process is started |
| 486 | with superuser privileges. It is important to ensure that <jail_dir> is both |
| 487 | empty and unwritable to anyone. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 488 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 489 | daemon |
| 490 | Makes the process fork into background. This is the recommended mode of |
| 491 | operation. It is equivalent to the command line "-D" argument. It can be |
| 492 | disabled by the command line "-db" argument. |
| 493 | |
| 494 | gid <number> |
| 495 | Changes the process' group ID to <number>. It is recommended that the group |
| 496 | ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 497 | be started with a user belonging to this group, or with superuser privileges. |
| 498 | See also "group" and "uid". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 499 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 500 | group <group name> |
| 501 | Similar to "gid" but uses the GID of group name <group name> from /etc/group. |
| 502 | See also "gid" and "user". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 503 | |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 504 | log <address> <facility> [max level [min level]] |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 505 | Adds a global syslog server. Up to two global servers can be defined. They |
| 506 | will receive logs for startups and exits, as well as all logs from proxies |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 507 | configured with "log global". |
| 508 | |
| 509 | <address> can be one of: |
| 510 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 511 | - An IPv4 address optionally followed by a colon and a UDP port. If |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 512 | no port is specified, 514 is used by default (the standard syslog |
| 513 | port). |
| 514 | |
David du Colombier | 24bb5f5 | 2011-03-17 10:40:23 +0100 | [diff] [blame] | 515 | - An IPv6 address followed by a colon and optionally a UDP port. If |
| 516 | no port is specified, 514 is used by default (the standard syslog |
| 517 | port). |
| 518 | |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 519 | - A filesystem path to a UNIX domain socket, keeping in mind |
| 520 | considerations for chroot (be sure the path is accessible inside |
| 521 | the chroot) and uid/gid (be sure the path is appropriately |
| 522 | writeable). |
| 523 | |
| 524 | <facility> must be one of the 24 standard syslog facilities : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 525 | |
| 526 | kern user mail daemon auth syslog lpr news |
| 527 | uucp cron auth2 ftp ntp audit alert cron2 |
| 528 | local0 local1 local2 local3 local4 local5 local6 local7 |
| 529 | |
| 530 | An optional level can be specified to filter outgoing messages. By default, |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 531 | all messages are sent. If a maximum level is specified, only messages with a |
| 532 | severity at least as important as this level will be sent. An optional minimum |
| 533 | level can be specified. If it is set, logs emitted with a more severe level |
| 534 | than this one will be capped to this level. This is used to avoid sending |
| 535 | "emerg" messages on all terminals on some default syslog configurations. |
| 536 | Eight levels are known : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 537 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 538 | emerg alert crit err warning notice info debug |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 539 | |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 540 | log-send-hostname [<string>] |
| 541 | Sets the hostname field in the syslog header. If optional "string" parameter |
| 542 | is set the header is set to the string contents, otherwise uses the hostname |
| 543 | of the system. Generally used if one is not relaying logs through an |
| 544 | intermediate syslog server or for simply customizing the hostname printed in |
| 545 | the logs. |
| 546 | |
Kevinm | 48936af | 2010-12-22 16:08:21 +0000 | [diff] [blame] | 547 | log-tag <string> |
| 548 | Sets the tag field in the syslog header to this string. It defaults to the |
| 549 | program name as launched from the command line, which usually is "haproxy". |
| 550 | Sometimes it can be useful to differentiate between multiple processes |
| 551 | running on the same host. |
| 552 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 553 | nbproc <number> |
| 554 | Creates <number> processes when going daemon. This requires the "daemon" |
| 555 | mode. By default, only one process is created, which is the recommended mode |
| 556 | of operation. For systems limited to small sets of file descriptors per |
| 557 | process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES |
| 558 | IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon". |
| 559 | |
| 560 | pidfile <pidfile> |
| 561 | Writes pids of all daemons into file <pidfile>. This option is equivalent to |
| 562 | the "-p" command line argument. The file must be accessible to the user |
| 563 | starting the process. See also "daemon". |
| 564 | |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 565 | stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>] |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 566 | [level <level>] |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 567 | |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 568 | Creates a UNIX socket in stream mode at location <path>. Any previously |
| 569 | existing socket will be backed up then replaced. Connections to this socket |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 570 | will return various statistics outputs and even allow some commands to be |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 571 | issued. Please consult section 9.2 "Unix Socket commands" for more details. |
| 572 | |
| 573 | An optional "level" parameter can be specified to restrict the nature of |
| 574 | the commands that can be issued on the socket : |
| 575 | - "user" is the least privileged level ; only non-sensitive stats can be |
| 576 | read, and no change is allowed. It would make sense on systems where it |
| 577 | is not easy to restrict access to the socket. |
| 578 | |
| 579 | - "operator" is the default level and fits most common uses. All data can |
Willy Tarreau | 3c92c5f | 2011-08-28 09:45:47 +0200 | [diff] [blame] | 580 | be read, and only non-sensitive changes are permitted (eg: clear max |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 581 | counters). |
| 582 | |
| 583 | - "admin" should be used with care, as everything is permitted (eg: clear |
| 584 | all counters). |
Willy Tarreau | a8efd36 | 2008-01-03 10:19:15 +0100 | [diff] [blame] | 585 | |
| 586 | On platforms which support it, it is possible to restrict access to this |
| 587 | socket by specifying numerical IDs after "uid" and "gid", or valid user and |
| 588 | group names after the "user" and "group" keywords. It is also possible to |
| 589 | restrict permissions on the socket by passing an octal value after the "mode" |
| 590 | keyword (same syntax as chmod). Depending on the platform, the permissions on |
| 591 | the socket will be inherited from the directory which hosts it, or from the |
| 592 | user the process is started with. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 593 | |
| 594 | stats timeout <timeout, in milliseconds> |
| 595 | The default timeout on the stats socket is set to 10 seconds. It is possible |
| 596 | to change this value with "stats timeout". The value must be passed in |
Willy Tarreau | befdff1 | 2007-12-02 22:27:38 +0100 | [diff] [blame] | 597 | milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 598 | |
| 599 | stats maxconn <connections> |
| 600 | By default, the stats socket is limited to 10 concurrent connections. It is |
| 601 | possible to change this value with "stats maxconn". |
| 602 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 603 | uid <number> |
| 604 | Changes the process' user ID to <number>. It is recommended that the user ID |
| 605 | is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 606 | be started with superuser privileges in order to be able to switch to another |
| 607 | one. See also "gid" and "user". |
| 608 | |
| 609 | ulimit-n <number> |
| 610 | Sets the maximum number of per-process file-descriptors to <number>. By |
| 611 | default, it is automatically computed, so it is recommended not to use this |
| 612 | option. |
| 613 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 614 | unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ] |
| 615 | [ group <group> ] [ gid <gid> ] |
| 616 | |
| 617 | Fixes common settings to UNIX listening sockets declared in "bind" statements. |
| 618 | This is mainly used to simplify declaration of those UNIX sockets and reduce |
| 619 | the risk of errors, since those settings are most commonly required but are |
| 620 | also process-specific. The <prefix> setting can be used to force all socket |
| 621 | path to be relative to that directory. This might be needed to access another |
| 622 | component's chroot. Note that those paths are resolved before haproxy chroots |
| 623 | itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid> |
| 624 | all have the same meaning as their homonyms used by the "bind" statement. If |
| 625 | both are specified, the "bind" statement has priority, meaning that the |
| 626 | "unix-bind" settings may be seen as process-wide default settings. |
| 627 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 628 | user <user name> |
| 629 | Similar to "uid" but uses the UID of user name <user name> from /etc/passwd. |
| 630 | See also "uid" and "group". |
| 631 | |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 632 | node <name> |
| 633 | Only letters, digits, hyphen and underscore are allowed, like in DNS names. |
| 634 | |
| 635 | This statement is useful in HA configurations where two or more processes or |
| 636 | servers share the same IP address. By setting a different node-name on all |
| 637 | nodes, it becomes easy to immediately spot what server is handling the |
| 638 | traffic. |
| 639 | |
| 640 | description <text> |
| 641 | Add a text that describes the instance. |
| 642 | |
| 643 | Please note that it is required to escape certain characters (# for example) |
| 644 | and this text is inserted into a html page so you should avoid using |
| 645 | "<" and ">" characters. |
| 646 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 647 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 648 | 3.2. Performance tuning |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 649 | ----------------------- |
| 650 | |
| 651 | maxconn <number> |
| 652 | Sets the maximum per-process number of concurrent connections to <number>. It |
| 653 | is equivalent to the command-line argument "-n". Proxies will stop accepting |
| 654 | connections when this limit is reached. The "ulimit-n" parameter is |
| 655 | automatically adjusted according to this value. See also "ulimit-n". |
| 656 | |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 657 | maxconnrate <number> |
| 658 | Sets the maximum per-process number of connections per second to <number>. |
| 659 | Proxies will stop accepting connections when this limit is reached. It can be |
| 660 | used to limit the global capacity regardless of each frontend capacity. It is |
| 661 | important to note that this can only be used as a service protection measure, |
| 662 | as there will not necessarily be a fair share between frontends when the |
| 663 | limit is reached, so it's a good idea to also limit each frontend to some |
| 664 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 665 | fairness. |
| 666 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 667 | maxpipes <number> |
| 668 | Sets the maximum per-process number of pipes to <number>. Currently, pipes |
| 669 | are only used by kernel-based tcp splicing. Since a pipe contains two file |
| 670 | descriptors, the "ulimit-n" value will be increased accordingly. The default |
| 671 | value is maxconn/4, which seems to be more than enough for most heavy usages. |
| 672 | The splice code dynamically allocates and releases pipes, and can fall back |
| 673 | to standard copy, so setting this value too low may only impact performance. |
| 674 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 675 | noepoll |
| 676 | Disables the use of the "epoll" event polling system on Linux. It is |
| 677 | equivalent to the command-line argument "-de". The next polling system |
| 678 | used will generally be "poll". See also "nosepoll", and "nopoll". |
| 679 | |
| 680 | nokqueue |
| 681 | Disables the use of the "kqueue" event polling system on BSD. It is |
| 682 | equivalent to the command-line argument "-dk". The next polling system |
| 683 | used will generally be "poll". See also "nopoll". |
| 684 | |
| 685 | nopoll |
| 686 | Disables the use of the "poll" event polling system. It is equivalent to the |
| 687 | command-line argument "-dp". The next polling system used will be "select". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 688 | It should never be needed to disable "poll" since it's available on all |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 689 | platforms supported by HAProxy. See also "nosepoll", and "nopoll" and |
| 690 | "nokqueue". |
| 691 | |
| 692 | nosepoll |
| 693 | Disables the use of the "speculative epoll" event polling system on Linux. It |
| 694 | is equivalent to the command-line argument "-ds". The next polling system |
| 695 | used will generally be "epoll". See also "nosepoll", and "nopoll". |
| 696 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 697 | nosplice |
| 698 | Disables the use of kernel tcp splicing between sockets on Linux. It is |
| 699 | equivalent to the command line argument "-dS". Data will then be copied |
| 700 | using conventional and more portable recv/send calls. Kernel tcp splicing is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 701 | limited to some very recent instances of kernel 2.6. Most versions between |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 702 | 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not |
| 703 | be used. This option makes it easier to globally disable kernel splicing in |
| 704 | case of doubt. See also "option splice-auto", "option splice-request" and |
| 705 | "option splice-response". |
| 706 | |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 707 | spread-checks <0..50, in percent> |
| 708 | Sometimes it is desirable to avoid sending health checks to servers at exact |
| 709 | intervals, for instance when many logical servers are located on the same |
| 710 | physical server. With the help of this parameter, it becomes possible to add |
| 711 | some randomness in the check interval between 0 and +/- 50%. A value between |
| 712 | 2 and 5 seems to show good results. The default value remains at 0. |
| 713 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 714 | tune.bufsize <number> |
| 715 | Sets the buffer size to this size (in bytes). Lower values allow more |
| 716 | sessions to coexist in the same amount of RAM, and higher values allow some |
| 717 | applications with very large cookies to work. The default value is 16384 and |
| 718 | can be changed at build time. It is strongly recommended not to change this |
| 719 | from the default value, as very low values will break some services such as |
| 720 | statistics, and values larger than default size will increase memory usage, |
| 721 | possibly causing the system to run out of memory. At least the global maxconn |
| 722 | parameter should be decreased by the same factor as this one is increased. |
| 723 | |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 724 | tune.chksize <number> |
| 725 | Sets the check buffer size to this size (in bytes). Higher values may help |
| 726 | find string or regex patterns in very large pages, though doing so may imply |
| 727 | more memory and CPU usage. The default value is 16384 and can be changed at |
| 728 | build time. It is not recommended to change this value, but to use better |
| 729 | checks whenever possible. |
| 730 | |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 731 | tune.http.maxhdr <number> |
| 732 | Sets the maximum number of headers in a request. When a request comes with a |
| 733 | number of headers greater than this value (including the first line), it is |
| 734 | rejected with a "400 Bad Request" status code. Similarly, too large responses |
| 735 | are blocked with "502 Bad Gateway". The default value is 101, which is enough |
| 736 | for all usages, considering that the widely deployed Apache server uses the |
| 737 | same limit. It can be useful to push this limit further to temporarily allow |
| 738 | a buggy application to work by the time it gets fixed. Keep in mind that each |
| 739 | new header consumes 32bits of memory for each session, so don't push this |
| 740 | limit too high. |
| 741 | |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 742 | tune.maxaccept <number> |
| 743 | Sets the maximum number of consecutive accepts that a process may perform on |
| 744 | a single wake up. High values give higher priority to high connection rates, |
| 745 | while lower values give higher priority to already established connections. |
Willy Tarreau | f49d1df | 2009-03-01 08:35:41 +0100 | [diff] [blame] | 746 | This value is limited to 100 by default in single process mode. However, in |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 747 | multi-process mode (nbproc > 1), it defaults to 8 so that when one process |
| 748 | wakes up, it does not take all incoming connections for itself and leaves a |
Willy Tarreau | f49d1df | 2009-03-01 08:35:41 +0100 | [diff] [blame] | 749 | part of them to other processes. Setting this value to -1 completely disables |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 750 | the limitation. It should normally not be needed to tweak this value. |
| 751 | |
| 752 | tune.maxpollevents <number> |
| 753 | Sets the maximum amount of events that can be processed at once in a call to |
| 754 | the polling system. The default value is adapted to the operating system. It |
| 755 | has been noticed that reducing it below 200 tends to slightly decrease |
| 756 | latency at the expense of network bandwidth, and increasing it above 200 |
| 757 | tends to trade latency for slightly increased bandwidth. |
| 758 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 759 | tune.maxrewrite <number> |
| 760 | Sets the reserved buffer space to this size in bytes. The reserved space is |
| 761 | used for header rewriting or appending. The first reads on sockets will never |
| 762 | fill more than bufsize-maxrewrite. Historically it has defaulted to half of |
| 763 | bufsize, though that does not make much sense since there are rarely large |
| 764 | numbers of headers to add. Setting it too high prevents processing of large |
| 765 | requests or responses. Setting it too low prevents addition of new headers |
| 766 | to already large requests or to POST requests. It is generally wise to set it |
| 767 | to about 1024. It is automatically readjusted to half of bufsize if it is |
| 768 | larger than that. This means you don't have to worry about it when changing |
| 769 | bufsize. |
| 770 | |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 771 | tune.pipesize <number> |
| 772 | Sets the kernel pipe buffer size to this size (in bytes). By default, pipes |
| 773 | are the default size for the system. But sometimes when using TCP splicing, |
| 774 | it can improve performance to increase pipe sizes, especially if it is |
| 775 | suspected that pipes are not filled and that many calls to splice() are |
| 776 | performed. This has an impact on the kernel's memory footprint, so this must |
| 777 | not be changed if impacts are not understood. |
| 778 | |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 779 | tune.rcvbuf.client <number> |
| 780 | tune.rcvbuf.server <number> |
| 781 | Forces the kernel socket receive buffer size on the client or the server side |
| 782 | to the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 783 | and backends. It should normally never be set, and the default size (0) lets |
| 784 | the kernel autotune this value depending on the amount of available memory. |
| 785 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 786 | order to save kernel memory by preventing it from buffering too large amounts |
| 787 | of received data. Lower values will significantly increase CPU usage though. |
| 788 | |
| 789 | tune.sndbuf.client <number> |
| 790 | tune.sndbuf.server <number> |
| 791 | Forces the kernel socket send buffer size on the client or the server side to |
| 792 | the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 793 | and backends. It should normally never be set, and the default size (0) lets |
| 794 | the kernel autotune this value depending on the amount of available memory. |
| 795 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 796 | order to save kernel memory by preventing it from buffering too large amounts |
| 797 | of received data. Lower values will significantly increase CPU usage though. |
| 798 | Another use case is to prevent write timeouts with extremely slow clients due |
| 799 | to the kernel waiting for a large part of the buffer to be read before |
| 800 | notifying haproxy again. |
| 801 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 802 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 803 | 3.3. Debugging |
| 804 | -------------- |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 805 | |
| 806 | debug |
| 807 | Enables debug mode which dumps to stdout all exchanges, and disables forking |
| 808 | into background. It is the equivalent of the command-line argument "-d". It |
| 809 | should never be used in a production configuration since it may prevent full |
| 810 | system startup. |
| 811 | |
| 812 | quiet |
| 813 | Do not display any message during startup. It is equivalent to the command- |
| 814 | line argument "-q". |
| 815 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 816 | |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 817 | 3.4. Userlists |
| 818 | -------------- |
| 819 | It is possible to control access to frontend/backend/listen sections or to |
| 820 | http stats by allowing only authenticated and authorized users. To do this, |
| 821 | it is required to create at least one userlist and to define users. |
| 822 | |
| 823 | userlist <listname> |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 824 | Creates new userlist with name <listname>. Many independent userlists can be |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 825 | used to store authentication & authorization data for independent customers. |
| 826 | |
| 827 | group <groupname> [users <user>,<user>,(...)] |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 828 | Adds group <groupname> to the current userlist. It is also possible to |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 829 | attach users to this group by using a comma separated list of names |
| 830 | proceeded by "users" keyword. |
| 831 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 832 | user <username> [password|insecure-password <password>] |
| 833 | [groups <group>,<group>,(...)] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 834 | Adds user <username> to the current userlist. Both secure (encrypted) and |
| 835 | insecure (unencrypted) passwords can be used. Encrypted passwords are |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 836 | evaluated using the crypt(3) function so depending of the system's |
| 837 | capabilities, different algorithms are supported. For example modern Glibc |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 838 | based Linux system supports MD5, SHA-256, SHA-512 and of course classic, |
| 839 | DES-based method of crypting passwords. |
| 840 | |
| 841 | |
| 842 | Example: |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 843 | userlist L1 |
| 844 | group G1 users tiger,scott |
| 845 | group G2 users xdb,scott |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 846 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 847 | user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91 |
| 848 | user scott insecure-password elgato |
| 849 | user xdb insecure-password hello |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 850 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 851 | userlist L2 |
| 852 | group G1 |
| 853 | group G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 854 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 855 | user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1 |
| 856 | user scott insecure-password elgato groups G1,G2 |
| 857 | user xdb insecure-password hello groups G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 858 | |
| 859 | Please note that both lists are functionally identical. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 860 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 861 | |
| 862 | 3.5. Peers |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 863 | ---------- |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 864 | It is possible to synchronize server entries in stick tables between several |
| 865 | haproxy instances over TCP connections in a multi-master fashion. Each instance |
| 866 | pushes its local updates and insertions to remote peers. Server IDs are used to |
| 867 | identify servers remotely, so it is important that configurations look similar |
| 868 | or at least that the same IDs are forced on each server on all participants. |
| 869 | Interrupted exchanges are automatically detected and recovered from the last |
| 870 | known point. In addition, during a soft restart, the old process connects to |
| 871 | the new one using such a TCP connection to push all its entries before the new |
| 872 | process tries to connect to other peers. That ensures very fast replication |
| 873 | during a reload, it typically takes a fraction of a second even for large |
| 874 | tables. |
| 875 | |
| 876 | peers <peersect> |
| 877 | Creates a new peer list with name <peersect>. It is an independant section, |
| 878 | which is referenced by one or more stick-tables. |
| 879 | |
| 880 | peer <peername> <ip>:<port> |
| 881 | Defines a peer inside a peers section. |
| 882 | If <peername> is set to the local peer name (by default hostname, or forced |
| 883 | using "-L" command line option), haproxy will listen for incoming remote peer |
| 884 | connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to |
| 885 | to join the remote peer, and <peername> is used at the protocol level to |
| 886 | identify and validate the remote peer on the server side. |
| 887 | |
| 888 | During a soft restart, local peer <ip>:<port> is used by the old instance to |
| 889 | connect the new one and initiate a complete replication (teaching process). |
| 890 | |
| 891 | It is strongly recommended to have the exact same peers declaration on all |
| 892 | peers and to only rely on the "-L" command line argument to change the local |
| 893 | peer name. This makes it easier to maintain coherent configuration files |
| 894 | across all peers. |
| 895 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 896 | Example: |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 897 | peers mypeers |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 898 | peer haproxy1 192.168.0.1:1024 |
| 899 | peer haproxy2 192.168.0.2:1024 |
| 900 | peer haproxy3 10.2.0.1:1024 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 901 | |
| 902 | backend mybackend |
| 903 | mode tcp |
| 904 | balance roundrobin |
| 905 | stick-table type ip size 20k peers mypeers |
| 906 | stick on src |
| 907 | |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 908 | server srv1 192.168.0.30:80 |
| 909 | server srv2 192.168.0.31:80 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 910 | |
| 911 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 912 | 4. Proxies |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 913 | ---------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 914 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 915 | Proxy configuration can be located in a set of sections : |
| 916 | - defaults <name> |
| 917 | - frontend <name> |
| 918 | - backend <name> |
| 919 | - listen <name> |
| 920 | |
| 921 | A "defaults" section sets default parameters for all other sections following |
| 922 | its declaration. Those default parameters are reset by the next "defaults" |
| 923 | section. See below for the list of parameters which can be set in a "defaults" |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 924 | section. The name is optional but its use is encouraged for better readability. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 925 | |
| 926 | A "frontend" section describes a set of listening sockets accepting client |
| 927 | connections. |
| 928 | |
| 929 | A "backend" section describes a set of servers to which the proxy will connect |
| 930 | to forward incoming connections. |
| 931 | |
| 932 | A "listen" section defines a complete proxy with its frontend and backend |
| 933 | parts combined in one section. It is generally useful for TCP-only traffic. |
| 934 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 935 | All proxy names must be formed from upper and lower case letters, digits, |
| 936 | '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are |
| 937 | case-sensitive, which means that "www" and "WWW" are two different proxies. |
| 938 | |
| 939 | Historically, all proxy names could overlap, it just caused troubles in the |
| 940 | logs. Since the introduction of content switching, it is mandatory that two |
| 941 | proxies with overlapping capabilities (frontend/backend) have different names. |
| 942 | However, it is still permitted that a frontend and a backend share the same |
| 943 | name, as this configuration seems to be commonly encountered. |
| 944 | |
| 945 | Right now, two major proxy modes are supported : "tcp", also known as layer 4, |
| 946 | and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 947 | bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 948 | protocol, and can interact with it by allowing, blocking, switching, adding, |
| 949 | modifying, or removing arbitrary contents in requests or responses, based on |
| 950 | arbitrary criteria. |
| 951 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 952 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 953 | 4.1. Proxy keywords matrix |
| 954 | -------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 955 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 956 | The following list of keywords is supported. Most of them may only be used in a |
| 957 | limited set of section types. Some of them are marked as "deprecated" because |
| 958 | they are inherited from an old syntax which may be confusing or functionally |
| 959 | limited, and there are new recommended keywords to replace them. Keywords |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 960 | marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 961 | option contstats". This makes sense when the option has been enabled by default |
Willy Tarreau | 3842f00 | 2009-06-14 11:39:52 +0200 | [diff] [blame] | 962 | and must be disabled for a specific instance. Such options may also be prefixed |
| 963 | with "default" in order to restore default settings regardless of what has been |
| 964 | specified in a previous "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 965 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 966 | |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 967 | keyword defaults frontend listen backend |
| 968 | ------------------------------------+----------+----------+---------+--------- |
| 969 | acl - X X X |
| 970 | appsession - - X X |
| 971 | backlog X X X - |
| 972 | balance X - X X |
| 973 | bind - X X - |
| 974 | bind-process X X X X |
| 975 | block - X X X |
| 976 | capture cookie - X X - |
| 977 | capture request header - X X - |
| 978 | capture response header - X X - |
| 979 | clitimeout (deprecated) X X X - |
| 980 | contimeout (deprecated) X - X X |
| 981 | cookie X - X X |
| 982 | default-server X - X X |
| 983 | default_backend X X X - |
| 984 | description - X X X |
| 985 | disabled X X X X |
| 986 | dispatch - - X X |
| 987 | enabled X X X X |
| 988 | errorfile X X X X |
| 989 | errorloc X X X X |
| 990 | errorloc302 X X X X |
| 991 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 992 | errorloc303 X X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 993 | force-persist - X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 994 | fullconn X - X X |
| 995 | grace X X X X |
| 996 | hash-type X - X X |
| 997 | http-check disable-on-404 X - X X |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 998 | http-check expect - - X X |
Willy Tarreau | 7ab6aff | 2010-10-12 06:30:16 +0200 | [diff] [blame] | 999 | http-check send-state X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1000 | http-request - X X X |
| 1001 | id - X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 1002 | ignore-persist - X X X |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 1003 | log (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1004 | maxconn X X X - |
| 1005 | mode X X X X |
| 1006 | monitor fail - X X - |
| 1007 | monitor-net X X X - |
| 1008 | monitor-uri X X X - |
| 1009 | option abortonclose (*) X - X X |
| 1010 | option accept-invalid-http-request (*) X X X - |
| 1011 | option accept-invalid-http-response (*) X - X X |
| 1012 | option allbackups (*) X - X X |
| 1013 | option checkcache (*) X - X X |
| 1014 | option clitcpka (*) X X X - |
| 1015 | option contstats (*) X X X - |
| 1016 | option dontlog-normal (*) X X X - |
| 1017 | option dontlognull (*) X X X - |
| 1018 | option forceclose (*) X X X X |
| 1019 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1020 | option forwardfor X X X X |
Willy Tarreau | 96e3121 | 2011-05-30 18:10:30 +0200 | [diff] [blame] | 1021 | option http-no-delay (*) X X X X |
Willy Tarreau | 8a8e1d9 | 2010-04-05 16:15:16 +0200 | [diff] [blame] | 1022 | option http-pretend-keepalive (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1023 | option http-server-close (*) X X X X |
| 1024 | option http-use-proxy-header (*) X X X - |
| 1025 | option httpchk X - X X |
| 1026 | option httpclose (*) X X X X |
| 1027 | option httplog X X X X |
| 1028 | option http_proxy (*) X X X X |
| 1029 | option independant-streams (*) X X X X |
Gabor Lekeny | b4c81e4 | 2010-09-29 18:17:05 +0200 | [diff] [blame] | 1030 | option ldap-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1031 | option log-health-checks (*) X - X X |
| 1032 | option log-separate-errors (*) X X X - |
| 1033 | option logasap (*) X X X - |
| 1034 | option mysql-check X - X X |
Rauf Kuliyev | 38b4156 | 2011-01-04 15:14:13 +0100 | [diff] [blame] | 1035 | option pgsql-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1036 | option nolinger (*) X X X X |
| 1037 | option originalto X X X X |
| 1038 | option persist (*) X - X X |
| 1039 | option redispatch (*) X - X X |
Hervé COMMOWICK | ec032d6 | 2011-08-05 16:23:48 +0200 | [diff] [blame] | 1040 | option redis-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1041 | option smtpchk X - X X |
| 1042 | option socket-stats (*) X X X - |
| 1043 | option splice-auto (*) X X X X |
| 1044 | option splice-request (*) X X X X |
| 1045 | option splice-response (*) X X X X |
| 1046 | option srvtcpka (*) X - X X |
| 1047 | option ssl-hello-chk X - X X |
| 1048 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1049 | option tcp-smart-accept (*) X X X - |
| 1050 | option tcp-smart-connect (*) X - X X |
| 1051 | option tcpka X X X X |
| 1052 | option tcplog X X X X |
| 1053 | option transparent (*) X - X X |
| 1054 | persist rdp-cookie X - X X |
| 1055 | rate-limit sessions X X X - |
| 1056 | redirect - X X X |
| 1057 | redisp (deprecated) X - X X |
| 1058 | redispatch (deprecated) X - X X |
| 1059 | reqadd - X X X |
| 1060 | reqallow - X X X |
| 1061 | reqdel - X X X |
| 1062 | reqdeny - X X X |
| 1063 | reqiallow - X X X |
| 1064 | reqidel - X X X |
| 1065 | reqideny - X X X |
| 1066 | reqipass - X X X |
| 1067 | reqirep - X X X |
| 1068 | reqisetbe - X X X |
| 1069 | reqitarpit - X X X |
| 1070 | reqpass - X X X |
| 1071 | reqrep - X X X |
| 1072 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1073 | reqsetbe - X X X |
| 1074 | reqtarpit - X X X |
| 1075 | retries X - X X |
| 1076 | rspadd - X X X |
| 1077 | rspdel - X X X |
| 1078 | rspdeny - X X X |
| 1079 | rspidel - X X X |
| 1080 | rspideny - X X X |
| 1081 | rspirep - X X X |
| 1082 | rsprep - X X X |
| 1083 | server - - X X |
| 1084 | source X - X X |
| 1085 | srvtimeout (deprecated) X - X X |
Cyril Bonté | 66c327d | 2010-10-12 00:14:37 +0200 | [diff] [blame] | 1086 | stats admin - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1087 | stats auth X - X X |
| 1088 | stats enable X - X X |
| 1089 | stats hide-version X - X X |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 1090 | stats http-request - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1091 | stats realm X - X X |
| 1092 | stats refresh X - X X |
| 1093 | stats scope X - X X |
| 1094 | stats show-desc X - X X |
| 1095 | stats show-legends X - X X |
| 1096 | stats show-node X - X X |
| 1097 | stats uri X - X X |
| 1098 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1099 | stick match - - X X |
| 1100 | stick on - - X X |
| 1101 | stick store-request - - X X |
Willy Tarreau | d8dc99f | 2011-07-01 11:33:25 +0200 | [diff] [blame] | 1102 | stick store-response - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1103 | stick-table - - X X |
Willy Tarreau | e965652 | 2010-08-17 15:40:09 +0200 | [diff] [blame] | 1104 | tcp-request connection - X X - |
| 1105 | tcp-request content - X X X |
Willy Tarreau | a56235c | 2010-09-14 11:31:36 +0200 | [diff] [blame] | 1106 | tcp-request inspect-delay - X X X |
Emeric Brun | 0a3b67f | 2010-09-24 15:34:53 +0200 | [diff] [blame] | 1107 | tcp-response content - - X X |
| 1108 | tcp-response inspect-delay - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1109 | timeout check X - X X |
| 1110 | timeout client X X X - |
| 1111 | timeout clitimeout (deprecated) X X X - |
| 1112 | timeout connect X - X X |
| 1113 | timeout contimeout (deprecated) X - X X |
| 1114 | timeout http-keep-alive X X X X |
| 1115 | timeout http-request X X X X |
| 1116 | timeout queue X - X X |
| 1117 | timeout server X - X X |
| 1118 | timeout srvtimeout (deprecated) X - X X |
| 1119 | timeout tarpit X X X X |
Willy Tarreau | ce887fd | 2012-05-12 12:50:00 +0200 | [diff] [blame] | 1120 | timeout tunnel X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1121 | transparent (deprecated) X - X X |
William Lallemand | a73203e | 2012-03-12 12:48:57 +0100 | [diff] [blame] | 1122 | unique-id-format X X X - |
| 1123 | unique-id-header X X X - |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1124 | use_backend - X X - |
Willy Tarreau | 4a5cade | 2012-04-05 21:09:48 +0200 | [diff] [blame] | 1125 | use-server - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1126 | ------------------------------------+----------+----------+---------+--------- |
| 1127 | keyword defaults frontend listen backend |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1128 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1129 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1130 | 4.2. Alphabetically sorted keywords reference |
| 1131 | --------------------------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1132 | |
| 1133 | This section provides a description of each keyword and its usage. |
| 1134 | |
| 1135 | |
| 1136 | acl <aclname> <criterion> [flags] [operator] <value> ... |
| 1137 | Declare or complete an access list. |
| 1138 | May be used in sections : defaults | frontend | listen | backend |
| 1139 | no | yes | yes | yes |
| 1140 | Example: |
| 1141 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1142 | acl invalid_src src_port 0:1023 |
| 1143 | acl local_dst hdr(host) -i localhost |
| 1144 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1145 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1146 | |
| 1147 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1148 | appsession <cookie> len <length> timeout <holdtime> |
| 1149 | [request-learn] [prefix] [mode <path-parameters|query-string>] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1150 | Define session stickiness on an existing application cookie. |
| 1151 | May be used in sections : defaults | frontend | listen | backend |
| 1152 | no | no | yes | yes |
| 1153 | Arguments : |
| 1154 | <cookie> this is the name of the cookie used by the application and which |
| 1155 | HAProxy will have to learn for each new session. |
| 1156 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1157 | <length> this is the max number of characters that will be memorized and |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1158 | checked in each cookie value. |
| 1159 | |
| 1160 | <holdtime> this is the time after which the cookie will be removed from |
| 1161 | memory if unused. If no unit is specified, this time is in |
| 1162 | milliseconds. |
| 1163 | |
Cyril Bonté | bf47aeb | 2009-10-15 00:15:40 +0200 | [diff] [blame] | 1164 | request-learn |
| 1165 | If this option is specified, then haproxy will be able to learn |
| 1166 | the cookie found in the request in case the server does not |
| 1167 | specify any in response. This is typically what happens with |
| 1168 | PHPSESSID cookies, or when haproxy's session expires before |
| 1169 | the application's session and the correct server is selected. |
| 1170 | It is recommended to specify this option to improve reliability. |
| 1171 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1172 | prefix When this option is specified, haproxy will match on the cookie |
| 1173 | prefix (or URL parameter prefix). The appsession value is the |
| 1174 | data following this prefix. |
| 1175 | |
| 1176 | Example : |
| 1177 | appsession ASPSESSIONID len 64 timeout 3h prefix |
| 1178 | |
| 1179 | This will match the cookie ASPSESSIONIDXXXX=XXXXX, |
| 1180 | the appsession value will be XXXX=XXXXX. |
| 1181 | |
| 1182 | mode This option allows to change the URL parser mode. |
| 1183 | 2 modes are currently supported : |
| 1184 | - path-parameters : |
| 1185 | The parser looks for the appsession in the path parameters |
| 1186 | part (each parameter is separated by a semi-colon), which is |
| 1187 | convenient for JSESSIONID for example. |
| 1188 | This is the default mode if the option is not set. |
| 1189 | - query-string : |
| 1190 | In this mode, the parser will look for the appsession in the |
| 1191 | query string. |
| 1192 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1193 | When an application cookie is defined in a backend, HAProxy will check when |
| 1194 | the server sets such a cookie, and will store its value in a table, and |
| 1195 | associate it with the server's identifier. Up to <length> characters from |
| 1196 | the value will be retained. On each connection, haproxy will look for this |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1197 | cookie both in the "Cookie:" headers, and as a URL parameter (depending on |
| 1198 | the mode used). If a known value is found, the client will be directed to the |
| 1199 | server associated with this value. Otherwise, the load balancing algorithm is |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1200 | applied. Cookies are automatically removed from memory when they have been |
| 1201 | unused for a duration longer than <holdtime>. |
| 1202 | |
| 1203 | The definition of an application cookie is limited to one per backend. |
| 1204 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1205 | Note : Consider not using this feature in multi-process mode (nbproc > 1) |
| 1206 | unless you know what you do : memory is not shared between the |
| 1207 | processes, which can result in random behaviours. |
| 1208 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1209 | Example : |
| 1210 | appsession JSESSIONID len 52 timeout 3h |
| 1211 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1212 | See also : "cookie", "capture cookie", "balance", "stick", "stick-table", |
| 1213 | "ignore-persist", "nbproc" and "bind-process". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1214 | |
| 1215 | |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1216 | backlog <conns> |
| 1217 | Give hints to the system about the approximate listen backlog desired size |
| 1218 | May be used in sections : defaults | frontend | listen | backend |
| 1219 | yes | yes | yes | no |
| 1220 | Arguments : |
| 1221 | <conns> is the number of pending connections. Depending on the operating |
| 1222 | system, it may represent the number of already acknowledged |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1223 | connections, of non-acknowledged ones, or both. |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1224 | |
| 1225 | In order to protect against SYN flood attacks, one solution is to increase |
| 1226 | the system's SYN backlog size. Depending on the system, sometimes it is just |
| 1227 | tunable via a system parameter, sometimes it is not adjustable at all, and |
| 1228 | sometimes the system relies on hints given by the application at the time of |
| 1229 | the listen() syscall. By default, HAProxy passes the frontend's maxconn value |
| 1230 | to the listen() syscall. On systems which can make use of this value, it can |
| 1231 | sometimes be useful to be able to specify a different value, hence this |
| 1232 | backlog parameter. |
| 1233 | |
| 1234 | On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is |
| 1235 | used as a hint and the system accepts up to the smallest greater power of |
| 1236 | two, and never more than some limits (usually 32768). |
| 1237 | |
| 1238 | See also : "maxconn" and the target operating system's tuning guide. |
| 1239 | |
| 1240 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1241 | balance <algorithm> [ <arguments> ] |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1242 | balance url_param <param> [check_post [<max_wait>]] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1243 | Define the load balancing algorithm to be used in a backend. |
| 1244 | May be used in sections : defaults | frontend | listen | backend |
| 1245 | yes | no | yes | yes |
| 1246 | Arguments : |
| 1247 | <algorithm> is the algorithm used to select a server when doing load |
| 1248 | balancing. This only applies when no persistence information |
| 1249 | is available, or when a connection is redispatched to another |
| 1250 | server. <algorithm> may be one of the following : |
| 1251 | |
| 1252 | roundrobin Each server is used in turns, according to their weights. |
| 1253 | This is the smoothest and fairest algorithm when the server's |
| 1254 | processing time remains equally distributed. This algorithm |
| 1255 | is dynamic, which means that server weights may be adjusted |
Willy Tarreau | 9757a38 | 2009-10-03 12:56:50 +0200 | [diff] [blame] | 1256 | on the fly for slow starts for instance. It is limited by |
| 1257 | design to 4128 active servers per backend. Note that in some |
| 1258 | large farms, when a server becomes up after having been down |
| 1259 | for a very short time, it may sometimes take a few hundreds |
| 1260 | requests for it to be re-integrated into the farm and start |
| 1261 | receiving traffic. This is normal, though very rare. It is |
| 1262 | indicated here in case you would have the chance to observe |
| 1263 | it, so that you don't worry. |
| 1264 | |
| 1265 | static-rr Each server is used in turns, according to their weights. |
| 1266 | This algorithm is as similar to roundrobin except that it is |
| 1267 | static, which means that changing a server's weight on the |
| 1268 | fly will have no effect. On the other hand, it has no design |
| 1269 | limitation on the number of servers, and when a server goes |
| 1270 | up, it is always immediately reintroduced into the farm, once |
| 1271 | the full map is recomputed. It also uses slightly less CPU to |
| 1272 | run (around -1%). |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1273 | |
Willy Tarreau | 2d2a7f8 | 2008-03-17 12:07:56 +0100 | [diff] [blame] | 1274 | leastconn The server with the lowest number of connections receives the |
| 1275 | connection. Round-robin is performed within groups of servers |
| 1276 | of the same load to ensure that all servers will be used. Use |
| 1277 | of this algorithm is recommended where very long sessions are |
| 1278 | expected, such as LDAP, SQL, TSE, etc... but is not very well |
| 1279 | suited for protocols using short sessions such as HTTP. This |
| 1280 | algorithm is dynamic, which means that server weights may be |
| 1281 | adjusted on the fly for slow starts for instance. |
| 1282 | |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1283 | first The first server with available connection slots receives the |
| 1284 | connection. The servers are choosen from the lowest numeric |
| 1285 | identifier to the highest (see server parameter "id"), which |
| 1286 | defaults to the server's position in the farm. Once a server |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1287 | reaches its maxconn value, the next server is used. It does |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1288 | not make sense to use this algorithm without setting maxconn. |
| 1289 | The purpose of this algorithm is to always use the smallest |
| 1290 | number of servers so that extra servers can be powered off |
| 1291 | during non-intensive hours. This algorithm ignores the server |
| 1292 | weight, and brings more benefit to long session such as RDP |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1293 | or IMAP than HTTP, though it can be useful there too. In |
| 1294 | order to use this algorithm efficiently, it is recommended |
| 1295 | that a cloud controller regularly checks server usage to turn |
| 1296 | them off when unused, and regularly checks backend queue to |
| 1297 | turn new servers on when the queue inflates. Alternatively, |
| 1298 | using "http-check send-state" may inform servers on the load. |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1299 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1300 | source The source IP address is hashed and divided by the total |
| 1301 | weight of the running servers to designate which server will |
| 1302 | receive the request. This ensures that the same client IP |
| 1303 | address will always reach the same server as long as no |
| 1304 | server goes down or up. If the hash result changes due to the |
| 1305 | number of running servers changing, many clients will be |
| 1306 | directed to a different server. This algorithm is generally |
| 1307 | used in TCP mode where no cookie may be inserted. It may also |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1308 | be used on the Internet to provide a best-effort stickiness |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1309 | to clients which refuse session cookies. This algorithm is |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1310 | static by default, which means that changing a server's |
| 1311 | weight on the fly will have no effect, but this can be |
| 1312 | changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1313 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1314 | uri This algorithm hashes either the left part of the URI (before |
| 1315 | the question mark) or the whole URI (if the "whole" parameter |
| 1316 | is present) and divides the hash value by the total weight of |
| 1317 | the running servers. The result designates which server will |
| 1318 | receive the request. This ensures that the same URI will |
| 1319 | always be directed to the same server as long as no server |
| 1320 | goes up or down. This is used with proxy caches and |
| 1321 | anti-virus proxies in order to maximize the cache hit rate. |
| 1322 | Note that this algorithm may only be used in an HTTP backend. |
| 1323 | This algorithm is static by default, which means that |
| 1324 | changing a server's weight on the fly will have no effect, |
| 1325 | but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1326 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1327 | This algorithm supports two optional parameters "len" and |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1328 | "depth", both followed by a positive integer number. These |
| 1329 | options may be helpful when it is needed to balance servers |
| 1330 | based on the beginning of the URI only. The "len" parameter |
| 1331 | indicates that the algorithm should only consider that many |
| 1332 | characters at the beginning of the URI to compute the hash. |
| 1333 | Note that having "len" set to 1 rarely makes sense since most |
| 1334 | URIs start with a leading "/". |
| 1335 | |
| 1336 | The "depth" parameter indicates the maximum directory depth |
| 1337 | to be used to compute the hash. One level is counted for each |
| 1338 | slash in the request. If both parameters are specified, the |
| 1339 | evaluation stops when either is reached. |
| 1340 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1341 | url_param The URL parameter specified in argument will be looked up in |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1342 | the query string of each HTTP GET request. |
| 1343 | |
| 1344 | If the modifier "check_post" is used, then an HTTP POST |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1345 | request entity will be searched for the parameter argument, |
| 1346 | when it is not found in a query string after a question mark |
| 1347 | ('?') in the URL. Optionally, specify a number of octets to |
| 1348 | wait for before attempting to search the message body. If the |
| 1349 | entity can not be searched, then round robin is used for each |
| 1350 | request. For instance, if your clients always send the LB |
| 1351 | parameter in the first 128 bytes, then specify that. The |
| 1352 | default is 48. The entity data will not be scanned until the |
| 1353 | required number of octets have arrived at the gateway, this |
| 1354 | is the minimum of: (default/max_wait, Content-Length or first |
| 1355 | chunk length). If Content-Length is missing or zero, it does |
| 1356 | not need to wait for more data than the client promised to |
| 1357 | send. When Content-Length is present and larger than |
| 1358 | <max_wait>, then waiting is limited to <max_wait> and it is |
| 1359 | assumed that this will be enough data to search for the |
| 1360 | presence of the parameter. In the unlikely event that |
| 1361 | Transfer-Encoding: chunked is used, only the first chunk is |
| 1362 | scanned. Parameter values separated by a chunk boundary, may |
| 1363 | be randomly balanced if at all. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1364 | |
| 1365 | If the parameter is found followed by an equal sign ('=') and |
| 1366 | a value, then the value is hashed and divided by the total |
| 1367 | weight of the running servers. The result designates which |
| 1368 | server will receive the request. |
| 1369 | |
| 1370 | This is used to track user identifiers in requests and ensure |
| 1371 | that a same user ID will always be sent to the same server as |
| 1372 | long as no server goes up or down. If no value is found or if |
| 1373 | the parameter is not found, then a round robin algorithm is |
| 1374 | applied. Note that this algorithm may only be used in an HTTP |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1375 | backend. This algorithm is static by default, which means |
| 1376 | that changing a server's weight on the fly will have no |
| 1377 | effect, but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1378 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1379 | hdr(<name>) The HTTP header <name> will be looked up in each HTTP |
| 1380 | request. Just as with the equivalent ACL 'hdr()' function, |
| 1381 | the header name in parenthesis is not case sensitive. If the |
| 1382 | header is absent or if it does not contain any value, the |
| 1383 | roundrobin algorithm is applied instead. |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1384 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1385 | An optional 'use_domain_only' parameter is available, for |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1386 | reducing the hash algorithm to the main domain part with some |
| 1387 | specific headers such as 'Host'. For instance, in the Host |
| 1388 | value "haproxy.1wt.eu", only "1wt" will be considered. |
| 1389 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1390 | This algorithm is static by default, which means that |
| 1391 | changing a server's weight on the fly will have no effect, |
| 1392 | but this can be changed using "hash-type". |
| 1393 | |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1394 | rdp-cookie |
Hervé COMMOWICK | a3eb39c | 2011-08-05 18:48:51 +0200 | [diff] [blame] | 1395 | rdp-cookie(<name>) |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1396 | The RDP cookie <name> (or "mstshash" if omitted) will be |
| 1397 | looked up and hashed for each incoming TCP request. Just as |
| 1398 | with the equivalent ACL 'req_rdp_cookie()' function, the name |
| 1399 | is not case-sensitive. This mechanism is useful as a degraded |
| 1400 | persistence mode, as it makes it possible to always send the |
| 1401 | same user (or the same session ID) to the same server. If the |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1402 | cookie is not found, the normal roundrobin algorithm is |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1403 | used instead. |
| 1404 | |
| 1405 | Note that for this to work, the frontend must ensure that an |
| 1406 | RDP cookie is already present in the request buffer. For this |
| 1407 | you must use 'tcp-request content accept' rule combined with |
| 1408 | a 'req_rdp_cookie_cnt' ACL. |
| 1409 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1410 | This algorithm is static by default, which means that |
| 1411 | changing a server's weight on the fly will have no effect, |
| 1412 | but this can be changed using "hash-type". |
| 1413 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1414 | See also the rdp_cookie pattern fetch function. |
Simon Horman | ab814e0 | 2011-06-24 14:50:20 +0900 | [diff] [blame] | 1415 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1416 | <arguments> is an optional list of arguments which may be needed by some |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1417 | algorithms. Right now, only "url_param" and "uri" support an |
| 1418 | optional argument. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1419 | |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1420 | balance uri [len <len>] [depth <depth>] |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1421 | balance url_param <param> [check_post [<max_wait>]] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1422 | |
Willy Tarreau | 3cd9af2 | 2009-03-15 14:06:41 +0100 | [diff] [blame] | 1423 | The load balancing algorithm of a backend is set to roundrobin when no other |
| 1424 | algorithm, mode nor option have been set. The algorithm may only be set once |
| 1425 | for each backend. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1426 | |
| 1427 | Examples : |
| 1428 | balance roundrobin |
| 1429 | balance url_param userid |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1430 | balance url_param session_id check_post 64 |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1431 | balance hdr(User-Agent) |
| 1432 | balance hdr(host) |
| 1433 | balance hdr(Host) use_domain_only |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1434 | |
| 1435 | Note: the following caveats and limitations on using the "check_post" |
| 1436 | extension with "url_param" must be considered : |
| 1437 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1438 | - all POST requests are eligible for consideration, because there is no way |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1439 | to determine if the parameters will be found in the body or entity which |
| 1440 | may contain binary data. Therefore another method may be required to |
| 1441 | restrict consideration of POST requests that have no URL parameters in |
| 1442 | the body. (see acl reqideny http_end) |
| 1443 | |
| 1444 | - using a <max_wait> value larger than the request buffer size does not |
| 1445 | make sense and is useless. The buffer size is set at build time, and |
| 1446 | defaults to 16 kB. |
| 1447 | |
| 1448 | - Content-Encoding is not supported, the parameter search will probably |
| 1449 | fail; and load balancing will fall back to Round Robin. |
| 1450 | |
| 1451 | - Expect: 100-continue is not supported, load balancing will fall back to |
| 1452 | Round Robin. |
| 1453 | |
| 1454 | - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk. |
| 1455 | If the entire parameter value is not present in the first chunk, the |
| 1456 | selection of server is undefined (actually, defined by how little |
| 1457 | actually appeared in the first chunk). |
| 1458 | |
| 1459 | - This feature does not support generation of a 100, 411 or 501 response. |
| 1460 | |
| 1461 | - In some cases, requesting "check_post" MAY attempt to scan the entire |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1462 | contents of a message body. Scanning normally terminates when linear |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1463 | white space or control characters are found, indicating the end of what |
| 1464 | might be a URL parameter list. This is probably not a concern with SGML |
| 1465 | type message bodies. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1466 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1467 | See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and |
| 1468 | "http_proxy". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1469 | |
| 1470 | |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1471 | bind [<address>]:<port_range> [, ...] |
| 1472 | bind [<address>]:<port_range> [, ...] interface <interface> |
| 1473 | bind [<address>]:<port_range> [, ...] mss <maxseg> |
| 1474 | bind [<address>]:<port_range> [, ...] transparent |
| 1475 | bind [<address>]:<port_range> [, ...] id <id> |
| 1476 | bind [<address>]:<port_range> [, ...] name <name> |
| 1477 | bind [<address>]:<port_range> [, ...] defer-accept |
Willy Tarreau | 71c814e | 2010-10-29 21:56:16 +0200 | [diff] [blame] | 1478 | bind [<address>]:<port_range> [, ...] accept-proxy |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1479 | bind /<path> [, ...] |
| 1480 | bind /<path> [, ...] mode <mode> |
| 1481 | bind /<path> [, ...] [ user <user> | uid <uid> ] |
| 1482 | bind /<path> [, ...] [ group <user> | gid <gid> ] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1483 | Define one or several listening addresses and/or ports in a frontend. |
| 1484 | May be used in sections : defaults | frontend | listen | backend |
| 1485 | no | yes | yes | no |
| 1486 | Arguments : |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1487 | <address> is optional and can be a host name, an IPv4 address, an IPv6 |
| 1488 | address, or '*'. It designates the address the frontend will |
| 1489 | listen on. If unset, all IPv4 addresses of the system will be |
| 1490 | listened on. The same will apply for '*' or the system's |
David du Colombier | 9c938da | 2011-03-17 10:40:27 +0100 | [diff] [blame] | 1491 | special address "0.0.0.0". The IPv6 equivalent is '::'. |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1492 | |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1493 | <port_range> is either a unique TCP port, or a port range for which the |
| 1494 | proxy will accept connections for the IP address specified |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1495 | above. The port is mandatory for TCP listeners. Note that in |
| 1496 | the case of an IPv6 address, the port is always the number |
| 1497 | after the last colon (':'). A range can either be : |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1498 | - a numerical port (ex: '80') |
| 1499 | - a dash-delimited ports range explicitly stating the lower |
| 1500 | and upper bounds (ex: '2000-2100') which are included in |
| 1501 | the range. |
| 1502 | |
| 1503 | Particular care must be taken against port ranges, because |
| 1504 | every <address:port> couple consumes one socket (= a file |
| 1505 | descriptor), so it's easy to consume lots of descriptors |
| 1506 | with a simple range, and to run out of sockets. Also, each |
| 1507 | <address:port> couple must be used only once among all |
| 1508 | instances running on a same system. Please note that binding |
| 1509 | to ports lower than 1024 generally require particular |
| 1510 | privileges to start the program, which are independant of |
| 1511 | the 'uid' parameter. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1512 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1513 | <path> is a UNIX socket path beginning with a slash ('/'). This is |
| 1514 | alternative to the TCP listening port. Haproxy will then |
| 1515 | receive UNIX connections on the socket located at this place. |
| 1516 | The path must begin with a slash and by default is absolute. |
| 1517 | It can be relative to the prefix defined by "unix-bind" in |
| 1518 | the global section. Note that the total length of the prefix |
| 1519 | followed by the socket path cannot exceed some system limits |
| 1520 | for UNIX sockets, which commonly are set to 107 characters. |
| 1521 | |
Willy Tarreau | 5e6e204 | 2009-02-04 17:19:29 +0100 | [diff] [blame] | 1522 | <interface> is an optional physical interface name. This is currently |
| 1523 | only supported on Linux. The interface must be a physical |
| 1524 | interface, not an aliased interface. When specified, all |
| 1525 | addresses on the same line will only be accepted if the |
| 1526 | incoming packet physically come through the designated |
| 1527 | interface. It is also possible to bind multiple frontends to |
| 1528 | the same address if they are bound to different interfaces. |
| 1529 | Note that binding to a physical interface requires root |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1530 | privileges. This parameter is only compatible with TCP |
| 1531 | sockets. |
Willy Tarreau | 5e6e204 | 2009-02-04 17:19:29 +0100 | [diff] [blame] | 1532 | |
Willy Tarreau | be1b918 | 2009-06-14 18:48:19 +0200 | [diff] [blame] | 1533 | <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be |
| 1534 | advertised on incoming connections. This can be used to force |
| 1535 | a lower MSS for certain specific ports, for instance for |
| 1536 | connections passing through a VPN. Note that this relies on a |
| 1537 | kernel feature which is theorically supported under Linux but |
| 1538 | was buggy in all versions prior to 2.6.28. It may or may not |
Willy Tarreau | 48a7e72 | 2010-12-24 15:26:39 +0100 | [diff] [blame] | 1539 | work on other operating systems. It may also not change the |
| 1540 | advertised value but change the effective size of outgoing |
| 1541 | segments. The commonly advertised value on Ethernet networks |
| 1542 | is 1460 = 1500(MTU) - 40(IP+TCP). If this value is positive, |
| 1543 | it will be used as the advertised MSS. If it is negative, it |
| 1544 | will indicate by how much to reduce the incoming connection's |
| 1545 | advertised MSS for outgoing segments. This parameter is only |
| 1546 | compatible with TCP sockets. |
Willy Tarreau | be1b918 | 2009-06-14 18:48:19 +0200 | [diff] [blame] | 1547 | |
Willy Tarreau | 53fb4ae | 2009-10-04 23:04:08 +0200 | [diff] [blame] | 1548 | <id> is a persistent value for socket ID. Must be positive and |
| 1549 | unique in the proxy. An unused value will automatically be |
| 1550 | assigned if unset. Can only be used when defining only a |
| 1551 | single socket. |
Krzysztof Piotr Oledzki | aeebf9b | 2009-10-04 15:43:17 +0200 | [diff] [blame] | 1552 | |
| 1553 | <name> is an optional name provided for stats |
| 1554 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1555 | <mode> is the octal mode used to define access permissions on the |
| 1556 | UNIX socket. It can also be set by default in the global |
| 1557 | section's "unix-bind" statement. Note that some platforms |
| 1558 | simply ignore this. |
| 1559 | |
| 1560 | <user> is the name of user that will be marked owner of the UNIX |
| 1561 | socket. It can also be set by default in the global |
| 1562 | section's "unix-bind" statement. Note that some platforms |
| 1563 | simply ignore this. |
| 1564 | |
| 1565 | <group> is the name of a group that will be used to create the UNIX |
| 1566 | socket. It can also be set by default in the global section's |
| 1567 | "unix-bind" statement. Note that some platforms simply ignore |
| 1568 | this. |
| 1569 | |
| 1570 | <uid> is the uid of user that will be marked owner of the UNIX |
| 1571 | socket. It can also be set by default in the global section's |
| 1572 | "unix-bind" statement. Note that some platforms simply ignore |
| 1573 | this. |
| 1574 | |
| 1575 | <gid> is the gid of a group that will be used to create the UNIX |
| 1576 | socket. It can also be set by default in the global section's |
| 1577 | "unix-bind" statement. Note that some platforms simply ignore |
| 1578 | this. |
| 1579 | |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1580 | transparent is an optional keyword which is supported only on certain |
| 1581 | Linux kernels. It indicates that the addresses will be bound |
| 1582 | even if they do not belong to the local machine. Any packet |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1583 | targeting any of these addresses will be caught just as if |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1584 | the address was locally configured. This normally requires |
| 1585 | that IP forwarding is enabled. Caution! do not use this with |
| 1586 | the default address '*', as it would redirect any traffic for |
| 1587 | the specified port. This keyword is available only when |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1588 | HAProxy is built with USE_LINUX_TPROXY=1. This parameter is |
| 1589 | only compatible with TCP sockets. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1590 | |
Willy Tarreau | 59f8920 | 2010-10-02 11:54:00 +0200 | [diff] [blame] | 1591 | defer-accept is an optional keyword which is supported only on certain |
Willy Tarreau | cb6cd43 | 2009-10-13 07:34:14 +0200 | [diff] [blame] | 1592 | Linux kernels. It states that a connection will only be |
| 1593 | accepted once some data arrive on it, or at worst after the |
| 1594 | first retransmit. This should be used only on protocols for |
| 1595 | which the client talks first (eg: HTTP). It can slightly |
| 1596 | improve performance by ensuring that most of the request is |
| 1597 | already available when the connection is accepted. On the |
| 1598 | other hand, it will not be able to detect connections which |
| 1599 | don't talk. It is important to note that this option is |
| 1600 | broken in all kernels up to 2.6.31, as the connection is |
| 1601 | never accepted until the client talks. This can cause issues |
| 1602 | with front firewalls which would see an established |
| 1603 | connection while the proxy will only see it in SYN_RECV. |
| 1604 | |
Willy Tarreau | 71c814e | 2010-10-29 21:56:16 +0200 | [diff] [blame] | 1605 | accept-proxy is an optional keyword which enforces use of the PROXY |
| 1606 | protocol over any connection accepted by this listener. The |
| 1607 | PROXY protocol dictates the layer 3/4 addresses of the |
| 1608 | incoming connection to be used everywhere an address is used, |
| 1609 | with the only exception of "tcp-request connection" rules |
| 1610 | which will only see the real connection address. Logs will |
| 1611 | reflect the addresses indicated in the protocol, unless it is |
| 1612 | violated, in which case the real address will still be used. |
| 1613 | This keyword combined with support from external components |
| 1614 | can be used as an efficient and reliable alternative to the |
| 1615 | X-Forwarded-For mechanism which is not always reliable and |
| 1616 | not even always usable. |
| 1617 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1618 | It is possible to specify a list of address:port combinations delimited by |
| 1619 | commas. The frontend will then listen on all of these addresses. There is no |
| 1620 | fixed limit to the number of addresses and ports which can be listened on in |
| 1621 | a frontend, as well as there is no limit to the number of "bind" statements |
| 1622 | in a frontend. |
| 1623 | |
| 1624 | Example : |
| 1625 | listen http_proxy |
| 1626 | bind :80,:443 |
| 1627 | bind 10.0.0.1:10080,10.0.0.1:10443 |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1628 | bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1629 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1630 | See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol |
Willy Tarreau | 71c814e | 2010-10-29 21:56:16 +0200 | [diff] [blame] | 1631 | documentation. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1632 | |
| 1633 | |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1634 | bind-process [ all | odd | even | <number 1-32> ] ... |
| 1635 | Limit visibility of an instance to a certain set of processes numbers. |
| 1636 | May be used in sections : defaults | frontend | listen | backend |
| 1637 | yes | yes | yes | yes |
| 1638 | Arguments : |
| 1639 | all All process will see this instance. This is the default. It |
| 1640 | may be used to override a default value. |
| 1641 | |
| 1642 | odd This instance will be enabled on processes 1,3,5,...31. This |
| 1643 | option may be combined with other numbers. |
| 1644 | |
| 1645 | even This instance will be enabled on processes 2,4,6,...32. This |
| 1646 | option may be combined with other numbers. Do not use it |
| 1647 | with less than 2 processes otherwise some instances might be |
| 1648 | missing from all processes. |
| 1649 | |
| 1650 | number The instance will be enabled on this process number, between |
| 1651 | 1 and 32. You must be careful not to reference a process |
| 1652 | number greater than the configured global.nbproc, otherwise |
| 1653 | some instances might be missing from all processes. |
| 1654 | |
| 1655 | This keyword limits binding of certain instances to certain processes. This |
| 1656 | is useful in order not to have too many processes listening to the same |
| 1657 | ports. For instance, on a dual-core machine, it might make sense to set |
| 1658 | 'nbproc 2' in the global section, then distributes the listeners among 'odd' |
| 1659 | and 'even' instances. |
| 1660 | |
| 1661 | At the moment, it is not possible to reference more than 32 processes using |
| 1662 | this keyword, but this should be more than enough for most setups. Please |
| 1663 | note that 'all' really means all processes and is not limited to the first |
| 1664 | 32. |
| 1665 | |
| 1666 | If some backends are referenced by frontends bound to other processes, the |
| 1667 | backend automatically inherits the frontend's processes. |
| 1668 | |
| 1669 | Example : |
| 1670 | listen app_ip1 |
| 1671 | bind 10.0.0.1:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1672 | bind-process odd |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1673 | |
| 1674 | listen app_ip2 |
| 1675 | bind 10.0.0.2:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1676 | bind-process even |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1677 | |
| 1678 | listen management |
| 1679 | bind 10.0.0.3:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1680 | bind-process 1 2 3 4 |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1681 | |
| 1682 | See also : "nbproc" in global section. |
| 1683 | |
| 1684 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1685 | block { if | unless } <condition> |
| 1686 | Block a layer 7 request if/unless a condition is matched |
| 1687 | May be used in sections : defaults | frontend | listen | backend |
| 1688 | no | yes | yes | yes |
| 1689 | |
| 1690 | The HTTP request will be blocked very early in the layer 7 processing |
| 1691 | if/unless <condition> is matched. A 403 error will be returned if the request |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1692 | is blocked. The condition has to reference ACLs (see section 7). This is |
Willy Tarreau | 3c92c5f | 2011-08-28 09:45:47 +0200 | [diff] [blame] | 1693 | typically used to deny access to certain sensitive resources if some |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1694 | conditions are met or not met. There is no fixed limit to the number of |
| 1695 | "block" statements per instance. |
| 1696 | |
| 1697 | Example: |
| 1698 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1699 | acl invalid_src src_port 0:1023 |
| 1700 | acl local_dst hdr(host) -i localhost |
| 1701 | block if invalid_src || local_dst |
| 1702 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1703 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1704 | |
| 1705 | |
| 1706 | capture cookie <name> len <length> |
| 1707 | Capture and log a cookie in the request and in the response. |
| 1708 | May be used in sections : defaults | frontend | listen | backend |
| 1709 | no | yes | yes | no |
| 1710 | Arguments : |
| 1711 | <name> is the beginning of the name of the cookie to capture. In order |
| 1712 | to match the exact name, simply suffix the name with an equal |
| 1713 | sign ('='). The full name will appear in the logs, which is |
| 1714 | useful with application servers which adjust both the cookie name |
| 1715 | and value (eg: ASPSESSIONXXXXX). |
| 1716 | |
| 1717 | <length> is the maximum number of characters to report in the logs, which |
| 1718 | include the cookie name, the equal sign and the value, all in the |
| 1719 | standard "name=value" form. The string will be truncated on the |
| 1720 | right if it exceeds <length>. |
| 1721 | |
| 1722 | Only the first cookie is captured. Both the "cookie" request headers and the |
| 1723 | "set-cookie" response headers are monitored. This is particularly useful to |
| 1724 | check for application bugs causing session crossing or stealing between |
| 1725 | users, because generally the user's cookies can only change on a login page. |
| 1726 | |
| 1727 | When the cookie was not presented by the client, the associated log column |
| 1728 | will report "-". When a request does not cause a cookie to be assigned by the |
| 1729 | server, a "-" is reported in the response column. |
| 1730 | |
| 1731 | The capture is performed in the frontend only because it is necessary that |
| 1732 | the log format does not change for a given frontend depending on the |
| 1733 | backends. This may change in the future. Note that there can be only one |
| 1734 | "capture cookie" statement in a frontend. The maximum capture length is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1735 | configured in the sources by default to 64 characters. It is not possible to |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1736 | specify a capture in a "defaults" section. |
| 1737 | |
| 1738 | Example: |
| 1739 | capture cookie ASPSESSION len 32 |
| 1740 | |
| 1741 | See also : "capture request header", "capture response header" as well as |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1742 | section 8 about logging. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1743 | |
| 1744 | |
| 1745 | capture request header <name> len <length> |
| 1746 | Capture and log the first occurrence of the specified request header. |
| 1747 | May be used in sections : defaults | frontend | listen | backend |
| 1748 | no | yes | yes | no |
| 1749 | Arguments : |
| 1750 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1751 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1752 | appear in the requests, with the first letter of each word in |
| 1753 | upper case. The header name will not appear in the logs, only the |
| 1754 | value is reported, but the position in the logs is respected. |
| 1755 | |
| 1756 | <length> is the maximum number of characters to extract from the value and |
| 1757 | report in the logs. The string will be truncated on the right if |
| 1758 | it exceeds <length>. |
| 1759 | |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1760 | Only the first value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1761 | value will be added to the logs between braces ('{}'). If multiple headers |
| 1762 | are captured, they will be delimited by a vertical bar ('|') and will appear |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1763 | in the same order they were declared in the configuration. Non-existent |
| 1764 | headers will be logged just as an empty string. Common uses for request |
| 1765 | header captures include the "Host" field in virtual hosting environments, the |
| 1766 | "Content-length" when uploads are supported, "User-agent" to quickly |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1767 | differentiate between real users and robots, and "X-Forwarded-For" in proxied |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1768 | environments to find where the request came from. |
| 1769 | |
| 1770 | Note that when capturing headers such as "User-agent", some spaces may be |
| 1771 | logged, making the log analysis more difficult. Thus be careful about what |
| 1772 | you log if you know your log parser is not smart enough to rely on the |
| 1773 | braces. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1774 | |
| 1775 | There is no limit to the number of captured request headers, but each capture |
| 1776 | is limited to 64 characters. In order to keep log format consistent for a |
| 1777 | same frontend, header captures can only be declared in a frontend. It is not |
| 1778 | possible to specify a capture in a "defaults" section. |
| 1779 | |
| 1780 | Example: |
| 1781 | capture request header Host len 15 |
| 1782 | capture request header X-Forwarded-For len 15 |
| 1783 | capture request header Referrer len 15 |
| 1784 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1785 | See also : "capture cookie", "capture response header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1786 | about logging. |
| 1787 | |
| 1788 | |
| 1789 | capture response header <name> len <length> |
| 1790 | Capture and log the first occurrence of the specified response header. |
| 1791 | May be used in sections : defaults | frontend | listen | backend |
| 1792 | no | yes | yes | no |
| 1793 | Arguments : |
| 1794 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1795 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1796 | appear in the response, with the first letter of each word in |
| 1797 | upper case. The header name will not appear in the logs, only the |
| 1798 | value is reported, but the position in the logs is respected. |
| 1799 | |
| 1800 | <length> is the maximum number of characters to extract from the value and |
| 1801 | report in the logs. The string will be truncated on the right if |
| 1802 | it exceeds <length>. |
| 1803 | |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1804 | Only the first value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1805 | result will be added to the logs between braces ('{}') after the captured |
| 1806 | request headers. If multiple headers are captured, they will be delimited by |
| 1807 | a vertical bar ('|') and will appear in the same order they were declared in |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1808 | the configuration. Non-existent headers will be logged just as an empty |
| 1809 | string. Common uses for response header captures include the "Content-length" |
| 1810 | header which indicates how many bytes are expected to be returned, the |
| 1811 | "Location" header to track redirections. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1812 | |
| 1813 | There is no limit to the number of captured response headers, but each |
| 1814 | capture is limited to 64 characters. In order to keep log format consistent |
| 1815 | for a same frontend, header captures can only be declared in a frontend. It |
| 1816 | is not possible to specify a capture in a "defaults" section. |
| 1817 | |
| 1818 | Example: |
| 1819 | capture response header Content-length len 9 |
| 1820 | capture response header Location len 15 |
| 1821 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1822 | See also : "capture cookie", "capture request header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1823 | about logging. |
| 1824 | |
| 1825 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1826 | clitimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1827 | Set the maximum inactivity time on the client side. |
| 1828 | May be used in sections : defaults | frontend | listen | backend |
| 1829 | yes | yes | yes | no |
| 1830 | Arguments : |
| 1831 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 1832 | can be in any other unit if the number is suffixed by the unit, |
| 1833 | as explained at the top of this document. |
| 1834 | |
| 1835 | The inactivity timeout applies when the client is expected to acknowledge or |
| 1836 | send data. In HTTP mode, this timeout is particularly important to consider |
| 1837 | during the first phase, when the client sends the request, and during the |
| 1838 | response while it is reading data sent by the server. The value is specified |
| 1839 | in milliseconds by default, but can be in any other unit if the number is |
| 1840 | suffixed by the unit, as specified at the top of this document. In TCP mode |
| 1841 | (and to a lesser extent, in HTTP mode), it is highly recommended that the |
| 1842 | client timeout remains equal to the server timeout in order to avoid complex |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1843 | situations to debug. It is a good practice to cover one or several TCP packet |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1844 | losses by specifying timeouts that are slightly above multiples of 3 seconds |
| 1845 | (eg: 4 or 5 seconds). |
| 1846 | |
| 1847 | This parameter is specific to frontends, but can be specified once for all in |
| 1848 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 1849 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 1850 | is not recommended. Such a usage is accepted and works but reports a warning |
| 1851 | during startup because it may results in accumulation of expired sessions in |
| 1852 | the system if the system's timeouts are not configured either. |
| 1853 | |
| 1854 | This parameter is provided for compatibility but is currently deprecated. |
| 1855 | Please use "timeout client" instead. |
| 1856 | |
Willy Tarreau | 036fae0 | 2008-01-06 13:24:40 +0100 | [diff] [blame] | 1857 | See also : "timeout client", "timeout http-request", "timeout server", and |
| 1858 | "srvtimeout". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1859 | |
| 1860 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1861 | contimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1862 | Set the maximum time to wait for a connection attempt to a server to succeed. |
| 1863 | May be used in sections : defaults | frontend | listen | backend |
| 1864 | yes | no | yes | yes |
| 1865 | Arguments : |
| 1866 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 1867 | can be in any other unit if the number is suffixed by the unit, |
| 1868 | as explained at the top of this document. |
| 1869 | |
| 1870 | If the server is located on the same LAN as haproxy, the connection should be |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1871 | immediate (less than a few milliseconds). Anyway, it is a good practice to |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 1872 | cover one or several TCP packet losses by specifying timeouts that are |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1873 | slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the |
| 1874 | connect timeout also presets the queue timeout to the same value if this one |
| 1875 | has not been specified. Historically, the contimeout was also used to set the |
| 1876 | tarpit timeout in a listen section, which is not possible in a pure frontend. |
| 1877 | |
| 1878 | This parameter is specific to backends, but can be specified once for all in |
| 1879 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 1880 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 1881 | is not recommended. Such a usage is accepted and works but reports a warning |
| 1882 | during startup because it may results in accumulation of failed sessions in |
| 1883 | the system if the system's timeouts are not configured either. |
| 1884 | |
| 1885 | This parameter is provided for backwards compatibility but is currently |
| 1886 | deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit" |
| 1887 | instead. |
| 1888 | |
| 1889 | See also : "timeout connect", "timeout queue", "timeout tarpit", |
| 1890 | "timeout server", "contimeout". |
| 1891 | |
| 1892 | |
Willy Tarreau | 55165fe | 2009-05-10 12:02:55 +0200 | [diff] [blame] | 1893 | cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 1894 | [ postonly ] [ preserve ] [ httponly ] [ secure ] |
| 1895 | [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1896 | Enable cookie-based persistence in a backend. |
| 1897 | May be used in sections : defaults | frontend | listen | backend |
| 1898 | yes | no | yes | yes |
| 1899 | Arguments : |
| 1900 | <name> is the name of the cookie which will be monitored, modified or |
| 1901 | inserted in order to bring persistence. This cookie is sent to |
| 1902 | the client via a "Set-Cookie" header in the response, and is |
| 1903 | brought back by the client in a "Cookie" header in all requests. |
| 1904 | Special care should be taken to choose a name which does not |
| 1905 | conflict with any likely application cookie. Also, if the same |
| 1906 | backends are subject to be used by the same clients (eg: |
| 1907 | HTTP/HTTPS), care should be taken to use different cookie names |
| 1908 | between all backends if persistence between them is not desired. |
| 1909 | |
| 1910 | rewrite This keyword indicates that the cookie will be provided by the |
| 1911 | server and that haproxy will have to modify its value to set the |
| 1912 | server's identifier in it. This mode is handy when the management |
| 1913 | of complex combinations of "Set-cookie" and "Cache-control" |
| 1914 | headers is left to the application. The application can then |
| 1915 | decide whether or not it is appropriate to emit a persistence |
| 1916 | cookie. Since all responses should be monitored, this mode only |
| 1917 | works in HTTP close mode. Unless the application behaviour is |
| 1918 | very complex and/or broken, it is advised not to start with this |
| 1919 | mode for new deployments. This keyword is incompatible with |
| 1920 | "insert" and "prefix". |
| 1921 | |
| 1922 | insert This keyword indicates that the persistence cookie will have to |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 1923 | be inserted by haproxy in server responses if the client did not |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 1924 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 1925 | already have a cookie that would have permitted it to access this |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 1926 | server. When used without the "preserve" option, if the server |
| 1927 | emits a cookie with the same name, it will be remove before |
| 1928 | processing. For this reason, this mode can be used to upgrade |
| 1929 | existing configurations running in the "rewrite" mode. The cookie |
| 1930 | will only be a session cookie and will not be stored on the |
| 1931 | client's disk. By default, unless the "indirect" option is added, |
| 1932 | the server will see the cookies emitted by the client. Due to |
| 1933 | caching effects, it is generally wise to add the "nocache" or |
| 1934 | "postonly" keywords (see below). The "insert" keyword is not |
| 1935 | compatible with "rewrite" and "prefix". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1936 | |
| 1937 | prefix This keyword indicates that instead of relying on a dedicated |
| 1938 | cookie for the persistence, an existing one will be completed. |
| 1939 | This may be needed in some specific environments where the client |
| 1940 | does not support more than one single cookie and the application |
| 1941 | already needs it. In this case, whenever the server sets a cookie |
| 1942 | named <name>, it will be prefixed with the server's identifier |
| 1943 | and a delimiter. The prefix will be removed from all client |
| 1944 | requests so that the server still finds the cookie it emitted. |
| 1945 | Since all requests and responses are subject to being modified, |
| 1946 | this mode requires the HTTP close mode. The "prefix" keyword is |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 1947 | not compatible with "rewrite" and "insert". Note: it is highly |
| 1948 | recommended not to use "indirect" with "prefix", otherwise server |
| 1949 | cookie updates would not be sent to clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1950 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 1951 | indirect When this option is specified, no cookie will be emitted to a |
| 1952 | client which already has a valid one for the server which has |
| 1953 | processed the request. If the server sets such a cookie itself, |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 1954 | it will be removed, unless the "preserve" option is also set. In |
| 1955 | "insert" mode, this will additionally remove cookies from the |
| 1956 | requests transmitted to the server, making the persistence |
| 1957 | mechanism totally transparent from an application point of view. |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 1958 | Note: it is highly recommended not to use "indirect" with |
| 1959 | "prefix", otherwise server cookie updates would not be sent to |
| 1960 | clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1961 | |
| 1962 | nocache This option is recommended in conjunction with the insert mode |
| 1963 | when there is a cache between the client and HAProxy, as it |
| 1964 | ensures that a cacheable response will be tagged non-cacheable if |
| 1965 | a cookie needs to be inserted. This is important because if all |
| 1966 | persistence cookies are added on a cacheable home page for |
| 1967 | instance, then all customers will then fetch the page from an |
| 1968 | outer cache and will all share the same persistence cookie, |
| 1969 | leading to one server receiving much more traffic than others. |
| 1970 | See also the "insert" and "postonly" options. |
| 1971 | |
| 1972 | postonly This option ensures that cookie insertion will only be performed |
| 1973 | on responses to POST requests. It is an alternative to the |
| 1974 | "nocache" option, because POST responses are not cacheable, so |
| 1975 | this ensures that the persistence cookie will never get cached. |
| 1976 | Since most sites do not need any sort of persistence before the |
| 1977 | first POST which generally is a login request, this is a very |
| 1978 | efficient method to optimize caching without risking to find a |
| 1979 | persistence cookie in the cache. |
| 1980 | See also the "insert" and "nocache" options. |
| 1981 | |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 1982 | preserve This option may only be used with "insert" and/or "indirect". It |
| 1983 | allows the server to emit the persistence cookie itself. In this |
| 1984 | case, if a cookie is found in the response, haproxy will leave it |
| 1985 | untouched. This is useful in order to end persistence after a |
| 1986 | logout request for instance. For this, the server just has to |
| 1987 | emit a cookie with an invalid value (eg: empty) or with a date in |
| 1988 | the past. By combining this mechanism with the "disable-on-404" |
| 1989 | check option, it is possible to perform a completely graceful |
| 1990 | shutdown because users will definitely leave the server after |
| 1991 | they logout. |
| 1992 | |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 1993 | httponly This option tells haproxy to add an "HttpOnly" cookie attribute |
| 1994 | when a cookie is inserted. This attribute is used so that a |
| 1995 | user agent doesn't share the cookie with non-HTTP components. |
| 1996 | Please check RFC6265 for more information on this attribute. |
| 1997 | |
| 1998 | secure This option tells haproxy to add a "Secure" cookie attribute when |
| 1999 | a cookie is inserted. This attribute is used so that a user agent |
| 2000 | never emits this cookie over non-secure channels, which means |
| 2001 | that a cookie learned with this flag will be presented only over |
| 2002 | SSL/TLS connections. Please check RFC6265 for more information on |
| 2003 | this attribute. |
| 2004 | |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2005 | domain This option allows to specify the domain at which a cookie is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2006 | inserted. It requires exactly one parameter: a valid domain |
Willy Tarreau | 68a897b | 2009-12-03 23:28:34 +0100 | [diff] [blame] | 2007 | name. If the domain begins with a dot, the browser is allowed to |
| 2008 | use it for any host ending with that name. It is also possible to |
| 2009 | specify several domain names by invoking this option multiple |
| 2010 | times. Some browsers might have small limits on the number of |
| 2011 | domains, so be careful when doing that. For the record, sending |
| 2012 | 10 domains to MSIE 6 or Firefox 2 works as expected. |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2013 | |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2014 | maxidle This option allows inserted cookies to be ignored after some idle |
| 2015 | time. It only works with insert-mode cookies. When a cookie is |
| 2016 | sent to the client, the date this cookie was emitted is sent too. |
| 2017 | Upon further presentations of this cookie, if the date is older |
| 2018 | than the delay indicated by the parameter (in seconds), it will |
| 2019 | be ignored. Otherwise, it will be refreshed if needed when the |
| 2020 | response is sent to the client. This is particularly useful to |
| 2021 | prevent users who never close their browsers from remaining for |
| 2022 | too long on the same server (eg: after a farm size change). When |
| 2023 | this option is set and a cookie has no date, it is always |
| 2024 | accepted, but gets refreshed in the response. This maintains the |
| 2025 | ability for admins to access their sites. Cookies that have a |
| 2026 | date in the future further than 24 hours are ignored. Doing so |
| 2027 | lets admins fix timezone issues without risking kicking users off |
| 2028 | the site. |
| 2029 | |
| 2030 | maxlife This option allows inserted cookies to be ignored after some life |
| 2031 | time, whether they're in use or not. It only works with insert |
| 2032 | mode cookies. When a cookie is first sent to the client, the date |
| 2033 | this cookie was emitted is sent too. Upon further presentations |
| 2034 | of this cookie, if the date is older than the delay indicated by |
| 2035 | the parameter (in seconds), it will be ignored. If the cookie in |
| 2036 | the request has no date, it is accepted and a date will be set. |
| 2037 | Cookies that have a date in the future further than 24 hours are |
| 2038 | ignored. Doing so lets admins fix timezone issues without risking |
| 2039 | kicking users off the site. Contrary to maxidle, this value is |
| 2040 | not refreshed, only the first visit date counts. Both maxidle and |
| 2041 | maxlife may be used at the time. This is particularly useful to |
| 2042 | prevent users who never close their browsers from remaining for |
| 2043 | too long on the same server (eg: after a farm size change). This |
| 2044 | is stronger than the maxidle method in that it forces a |
| 2045 | redispatch after some absolute delay. |
| 2046 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2047 | There can be only one persistence cookie per HTTP backend, and it can be |
| 2048 | declared in a defaults section. The value of the cookie will be the value |
| 2049 | indicated after the "cookie" keyword in a "server" statement. If no cookie |
| 2050 | is declared for a given server, the cookie is not set. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2051 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2052 | Examples : |
| 2053 | cookie JSESSIONID prefix |
| 2054 | cookie SRV insert indirect nocache |
| 2055 | cookie SRV insert postonly indirect |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2056 | cookie SRV insert indirect nocache maxidle 30m maxlife 8h |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2057 | |
Cyril Bonté | a8e7bbc | 2010-04-25 22:29:29 +0200 | [diff] [blame] | 2058 | See also : "appsession", "balance source", "capture cookie", "server" |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2059 | and "ignore-persist". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2060 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2061 | |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2062 | default-server [param*] |
| 2063 | Change default options for a server in a backend |
| 2064 | May be used in sections : defaults | frontend | listen | backend |
| 2065 | yes | no | yes | yes |
| 2066 | Arguments: |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2067 | <param*> is a list of parameters for this server. The "default-server" |
| 2068 | keyword accepts an important number of options and has a complete |
| 2069 | section dedicated to it. Please refer to section 5 for more |
| 2070 | details. |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2071 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2072 | Example : |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2073 | default-server inter 1000 weight 13 |
| 2074 | |
| 2075 | See also: "server" and section 5 about server options |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2076 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2077 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2078 | default_backend <backend> |
| 2079 | Specify the backend to use when no "use_backend" rule has been matched. |
| 2080 | May be used in sections : defaults | frontend | listen | backend |
| 2081 | yes | yes | yes | no |
| 2082 | Arguments : |
| 2083 | <backend> is the name of the backend to use. |
| 2084 | |
| 2085 | When doing content-switching between frontend and backends using the |
| 2086 | "use_backend" keyword, it is often useful to indicate which backend will be |
| 2087 | used when no rule has matched. It generally is the dynamic backend which |
| 2088 | will catch all undetermined requests. |
| 2089 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2090 | Example : |
| 2091 | |
| 2092 | use_backend dynamic if url_dyn |
| 2093 | use_backend static if url_css url_img extension_img |
| 2094 | default_backend dynamic |
| 2095 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2096 | See also : "use_backend", "reqsetbe", "reqisetbe" |
| 2097 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2098 | |
| 2099 | disabled |
| 2100 | Disable a proxy, frontend or backend. |
| 2101 | May be used in sections : defaults | frontend | listen | backend |
| 2102 | yes | yes | yes | yes |
| 2103 | Arguments : none |
| 2104 | |
| 2105 | The "disabled" keyword is used to disable an instance, mainly in order to |
| 2106 | liberate a listening port or to temporarily disable a service. The instance |
| 2107 | will still be created and its configuration will be checked, but it will be |
| 2108 | created in the "stopped" state and will appear as such in the statistics. It |
| 2109 | will not receive any traffic nor will it send any health-checks or logs. It |
| 2110 | is possible to disable many instances at once by adding the "disabled" |
| 2111 | keyword in a "defaults" section. |
| 2112 | |
| 2113 | See also : "enabled" |
| 2114 | |
| 2115 | |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2116 | dispatch <address>:<port> |
| 2117 | Set a default server address |
| 2118 | May be used in sections : defaults | frontend | listen | backend |
| 2119 | no | no | yes | yes |
Cyril Bonté | 108cf6e | 2012-04-21 23:30:29 +0200 | [diff] [blame] | 2120 | Arguments : |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2121 | |
| 2122 | <address> is the IPv4 address of the default server. Alternatively, a |
| 2123 | resolvable hostname is supported, but this name will be resolved |
| 2124 | during start-up. |
| 2125 | |
| 2126 | <ports> is a mandatory port specification. All connections will be sent |
| 2127 | to this port, and it is not permitted to use port offsets as is |
| 2128 | possible with normal servers. |
| 2129 | |
Willy Tarreau | 787aed5 | 2011-04-15 06:45:37 +0200 | [diff] [blame] | 2130 | The "dispatch" keyword designates a default server for use when no other |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2131 | server can take the connection. In the past it was used to forward non |
| 2132 | persistent connections to an auxiliary load balancer. Due to its simple |
| 2133 | syntax, it has also been used for simple TCP relays. It is recommended not to |
| 2134 | use it for more clarity, and to use the "server" directive instead. |
| 2135 | |
| 2136 | See also : "server" |
| 2137 | |
| 2138 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2139 | enabled |
| 2140 | Enable a proxy, frontend or backend. |
| 2141 | May be used in sections : defaults | frontend | listen | backend |
| 2142 | yes | yes | yes | yes |
| 2143 | Arguments : none |
| 2144 | |
| 2145 | The "enabled" keyword is used to explicitly enable an instance, when the |
| 2146 | defaults has been set to "disabled". This is very rarely used. |
| 2147 | |
| 2148 | See also : "disabled" |
| 2149 | |
| 2150 | |
| 2151 | errorfile <code> <file> |
| 2152 | Return a file contents instead of errors generated by HAProxy |
| 2153 | May be used in sections : defaults | frontend | listen | backend |
| 2154 | yes | yes | yes | yes |
| 2155 | Arguments : |
| 2156 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2157 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2158 | |
| 2159 | <file> designates a file containing the full HTTP response. It is |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2160 | recommended to follow the common practice of appending ".http" to |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2161 | the filename so that people do not confuse the response with HTML |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2162 | error pages, and to use absolute paths, since files are read |
| 2163 | before any chroot is performed. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2164 | |
| 2165 | It is important to understand that this keyword is not meant to rewrite |
| 2166 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2167 | This is why the list of supported errors is limited to a small set. |
| 2168 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2169 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2170 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2171 | The files are returned verbatim on the TCP socket. This allows any trick such |
| 2172 | as redirections to another URL or site, as well as tricks to clean cookies, |
| 2173 | force enable or disable caching, etc... The package provides default error |
| 2174 | files returning the same contents as default errors. |
| 2175 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2176 | The files should not exceed the configured buffer size (BUFSIZE), which |
| 2177 | generally is 8 or 16 kB, otherwise they will be truncated. It is also wise |
| 2178 | not to put any reference to local contents (eg: images) in order to avoid |
| 2179 | loops between the client and HAProxy when all servers are down, causing an |
| 2180 | error to be returned instead of an image. For better HTTP compliance, it is |
| 2181 | recommended that all header lines end with CR-LF and not LF alone. |
| 2182 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2183 | The files are read at the same time as the configuration and kept in memory. |
| 2184 | For this reason, the errors continue to be returned even when the process is |
| 2185 | chrooted, and no file change is considered while the process is running. A |
Willy Tarreau | c27debf | 2008-01-06 08:57:02 +0100 | [diff] [blame] | 2186 | simple method for developing those files consists in associating them to the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2187 | 403 status code and interrogating a blocked URL. |
| 2188 | |
| 2189 | See also : "errorloc", "errorloc302", "errorloc303" |
| 2190 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2191 | Example : |
| 2192 | errorfile 400 /etc/haproxy/errorfiles/400badreq.http |
| 2193 | errorfile 403 /etc/haproxy/errorfiles/403forbid.http |
| 2194 | errorfile 503 /etc/haproxy/errorfiles/503sorry.http |
| 2195 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2196 | |
| 2197 | errorloc <code> <url> |
| 2198 | errorloc302 <code> <url> |
| 2199 | Return an HTTP redirection to a URL instead of errors generated by HAProxy |
| 2200 | May be used in sections : defaults | frontend | listen | backend |
| 2201 | yes | yes | yes | yes |
| 2202 | Arguments : |
| 2203 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2204 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2205 | |
| 2206 | <url> it is the exact contents of the "Location" header. It may contain |
| 2207 | either a relative URI to an error page hosted on the same site, |
| 2208 | or an absolute URI designating an error page on another site. |
| 2209 | Special care should be given to relative URIs to avoid redirect |
| 2210 | loops if the URI itself may generate the same error (eg: 500). |
| 2211 | |
| 2212 | It is important to understand that this keyword is not meant to rewrite |
| 2213 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2214 | This is why the list of supported errors is limited to a small set. |
| 2215 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2216 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2217 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2218 | Note that both keyword return the HTTP 302 status code, which tells the |
| 2219 | client to fetch the designated URL using the same HTTP method. This can be |
| 2220 | quite problematic in case of non-GET methods such as POST, because the URL |
| 2221 | sent to the client might not be allowed for something other than GET. To |
| 2222 | workaround this problem, please use "errorloc303" which send the HTTP 303 |
| 2223 | status code, indicating to the client that the URL must be fetched with a GET |
| 2224 | request. |
| 2225 | |
| 2226 | See also : "errorfile", "errorloc303" |
| 2227 | |
| 2228 | |
| 2229 | errorloc303 <code> <url> |
| 2230 | Return an HTTP redirection to a URL instead of errors generated by HAProxy |
| 2231 | May be used in sections : defaults | frontend | listen | backend |
| 2232 | yes | yes | yes | yes |
| 2233 | Arguments : |
| 2234 | <code> is the HTTP status code. Currently, HAProxy is capable of |
| 2235 | generating codes 400, 403, 408, 500, 502, 503, and 504. |
| 2236 | |
| 2237 | <url> it is the exact contents of the "Location" header. It may contain |
| 2238 | either a relative URI to an error page hosted on the same site, |
| 2239 | or an absolute URI designating an error page on another site. |
| 2240 | Special care should be given to relative URIs to avoid redirect |
| 2241 | loops if the URI itself may generate the same error (eg: 500). |
| 2242 | |
| 2243 | It is important to understand that this keyword is not meant to rewrite |
| 2244 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2245 | This is why the list of supported errors is limited to a small set. |
| 2246 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2247 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2248 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2249 | Note that both keyword return the HTTP 303 status code, which tells the |
| 2250 | client to fetch the designated URL using the same HTTP GET method. This |
| 2251 | solves the usual problems associated with "errorloc" and the 302 code. It is |
| 2252 | possible that some very old browsers designed before HTTP/1.1 do not support |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2253 | it, but no such problem has been reported till now. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2254 | |
| 2255 | See also : "errorfile", "errorloc", "errorloc302" |
| 2256 | |
| 2257 | |
Willy Tarreau | 4de9149 | 2010-01-22 19:10:05 +0100 | [diff] [blame] | 2258 | force-persist { if | unless } <condition> |
| 2259 | Declare a condition to force persistence on down servers |
| 2260 | May be used in sections: defaults | frontend | listen | backend |
| 2261 | no | yes | yes | yes |
| 2262 | |
| 2263 | By default, requests are not dispatched to down servers. It is possible to |
| 2264 | force this using "option persist", but it is unconditional and redispatches |
| 2265 | to a valid server if "option redispatch" is set. That leaves with very little |
| 2266 | possibilities to force some requests to reach a server which is artificially |
| 2267 | marked down for maintenance operations. |
| 2268 | |
| 2269 | The "force-persist" statement allows one to declare various ACL-based |
| 2270 | conditions which, when met, will cause a request to ignore the down status of |
| 2271 | a server and still try to connect to it. That makes it possible to start a |
| 2272 | server, still replying an error to the health checks, and run a specially |
| 2273 | configured browser to test the service. Among the handy methods, one could |
| 2274 | use a specific source IP address, or a specific cookie. The cookie also has |
| 2275 | the advantage that it can easily be added/removed on the browser from a test |
| 2276 | page. Once the service is validated, it is then possible to open the service |
| 2277 | to the world by returning a valid response to health checks. |
| 2278 | |
| 2279 | The forced persistence is enabled when an "if" condition is met, or unless an |
| 2280 | "unless" condition is met. The final redispatch is always disabled when this |
| 2281 | is used. |
| 2282 | |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2283 | See also : "option redispatch", "ignore-persist", "persist", |
Cyril Bonté | a8e7bbc | 2010-04-25 22:29:29 +0200 | [diff] [blame] | 2284 | and section 7 about ACL usage. |
Willy Tarreau | 4de9149 | 2010-01-22 19:10:05 +0100 | [diff] [blame] | 2285 | |
| 2286 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2287 | fullconn <conns> |
| 2288 | Specify at what backend load the servers will reach their maxconn |
| 2289 | May be used in sections : defaults | frontend | listen | backend |
| 2290 | yes | no | yes | yes |
| 2291 | Arguments : |
| 2292 | <conns> is the number of connections on the backend which will make the |
| 2293 | servers use the maximal number of connections. |
| 2294 | |
Willy Tarreau | 198a744 | 2008-01-17 12:05:32 +0100 | [diff] [blame] | 2295 | When a server has a "maxconn" parameter specified, it means that its number |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2296 | of concurrent connections will never go higher. Additionally, if it has a |
Willy Tarreau | 198a744 | 2008-01-17 12:05:32 +0100 | [diff] [blame] | 2297 | "minconn" parameter, it indicates a dynamic limit following the backend's |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2298 | load. The server will then always accept at least <minconn> connections, |
| 2299 | never more than <maxconn>, and the limit will be on the ramp between both |
| 2300 | values when the backend has less than <conns> concurrent connections. This |
| 2301 | makes it possible to limit the load on the servers during normal loads, but |
| 2302 | push it further for important loads without overloading the servers during |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2303 | exceptional loads. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2304 | |
Willy Tarreau | fbb7842 | 2011-06-05 15:38:35 +0200 | [diff] [blame] | 2305 | Since it's hard to get this value right, haproxy automatically sets it to |
| 2306 | 10% of the sum of the maxconns of all frontends that may branch to this |
| 2307 | backend. That way it's safe to leave it unset. |
| 2308 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2309 | Example : |
| 2310 | # The servers will accept between 100 and 1000 concurrent connections each |
| 2311 | # and the maximum of 1000 will be reached when the backend reaches 10000 |
| 2312 | # connections. |
| 2313 | backend dynamic |
| 2314 | fullconn 10000 |
| 2315 | server srv1 dyn1:80 minconn 100 maxconn 1000 |
| 2316 | server srv2 dyn2:80 minconn 100 maxconn 1000 |
| 2317 | |
| 2318 | See also : "maxconn", "server" |
| 2319 | |
| 2320 | |
| 2321 | grace <time> |
| 2322 | Maintain a proxy operational for some time after a soft stop |
| 2323 | May be used in sections : defaults | frontend | listen | backend |
Cyril Bonté | 99ed327 | 2010-01-24 23:29:44 +0100 | [diff] [blame] | 2324 | yes | yes | yes | yes |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2325 | Arguments : |
| 2326 | <time> is the time (by default in milliseconds) for which the instance |
| 2327 | will remain operational with the frontend sockets still listening |
| 2328 | when a soft-stop is received via the SIGUSR1 signal. |
| 2329 | |
| 2330 | This may be used to ensure that the services disappear in a certain order. |
| 2331 | This was designed so that frontends which are dedicated to monitoring by an |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2332 | external equipment fail immediately while other ones remain up for the time |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2333 | needed by the equipment to detect the failure. |
| 2334 | |
| 2335 | Note that currently, there is very little benefit in using this parameter, |
| 2336 | and it may in fact complicate the soft-reconfiguration process more than |
| 2337 | simplify it. |
| 2338 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2339 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 2340 | hash-type <method> |
| 2341 | Specify a method to use for mapping hashes to servers |
| 2342 | May be used in sections : defaults | frontend | listen | backend |
| 2343 | yes | no | yes | yes |
| 2344 | Arguments : |
| 2345 | map-based the hash table is a static array containing all alive servers. |
| 2346 | The hashes will be very smooth, will consider weights, but will |
| 2347 | be static in that weight changes while a server is up will be |
| 2348 | ignored. This means that there will be no slow start. Also, |
| 2349 | since a server is selected by its position in the array, most |
| 2350 | mappings are changed when the server count changes. This means |
| 2351 | that when a server goes up or down, or when a server is added |
| 2352 | to a farm, most connections will be redistributed to different |
| 2353 | servers. This can be inconvenient with caches for instance. |
| 2354 | |
Willy Tarreau | 798a39c | 2010-11-24 15:04:29 +0100 | [diff] [blame] | 2355 | avalanche this mechanism uses the default map-based hashing described |
| 2356 | above but applies a full avalanche hash before performing the |
| 2357 | mapping. The result is a slightly less smooth hash for most |
| 2358 | situations, but the hash becomes better than pure map-based |
| 2359 | hashes when the number of servers is a multiple of the size of |
| 2360 | the input set. When using URI hash with a number of servers |
| 2361 | multiple of 64, it's desirable to change the hash type to |
| 2362 | this value. |
| 2363 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 2364 | consistent the hash table is a tree filled with many occurrences of each |
| 2365 | server. The hash key is looked up in the tree and the closest |
| 2366 | server is chosen. This hash is dynamic, it supports changing |
| 2367 | weights while the servers are up, so it is compatible with the |
| 2368 | slow start feature. It has the advantage that when a server |
| 2369 | goes up or down, only its associations are moved. When a server |
| 2370 | is added to the farm, only a few part of the mappings are |
| 2371 | redistributed, making it an ideal algorithm for caches. |
| 2372 | However, due to its principle, the algorithm will never be very |
| 2373 | smooth and it may sometimes be necessary to adjust a server's |
| 2374 | weight or its ID to get a more balanced distribution. In order |
| 2375 | to get the same distribution on multiple load balancers, it is |
| 2376 | important that all servers have the same IDs. |
| 2377 | |
| 2378 | The default hash type is "map-based" and is recommended for most usages. |
| 2379 | |
| 2380 | See also : "balance", "server" |
| 2381 | |
| 2382 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2383 | http-check disable-on-404 |
| 2384 | Enable a maintenance mode upon HTTP/404 response to health-checks |
| 2385 | May be used in sections : defaults | frontend | listen | backend |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2386 | yes | no | yes | yes |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2387 | Arguments : none |
| 2388 | |
| 2389 | When this option is set, a server which returns an HTTP code 404 will be |
| 2390 | excluded from further load-balancing, but will still receive persistent |
| 2391 | connections. This provides a very convenient method for Web administrators |
| 2392 | to perform a graceful shutdown of their servers. It is also important to note |
| 2393 | that a server which is detected as failed while it was in this mode will not |
| 2394 | generate an alert, just a notice. If the server responds 2xx or 3xx again, it |
| 2395 | will immediately be reinserted into the farm. The status on the stats page |
| 2396 | reports "NOLB" for a server in this mode. It is important to note that this |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2397 | option only works in conjunction with the "httpchk" option. If this option |
| 2398 | is used with "http-check expect", then it has precedence over it so that 404 |
| 2399 | responses will still be considered as soft-stop. |
| 2400 | |
| 2401 | See also : "option httpchk", "http-check expect" |
| 2402 | |
| 2403 | |
| 2404 | http-check expect [!] <match> <pattern> |
| 2405 | Make HTTP health checks consider reponse contents or specific status codes |
| 2406 | May be used in sections : defaults | frontend | listen | backend |
Willy Tarreau | 1ee51a6 | 2011-08-19 20:04:17 +0200 | [diff] [blame] | 2407 | yes | no | yes | yes |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2408 | Arguments : |
| 2409 | <match> is a keyword indicating how to look for a specific pattern in the |
| 2410 | response. The keyword may be one of "status", "rstatus", |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 2411 | "string", or "rstring". The keyword may be preceeded by an |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2412 | exclamation mark ("!") to negate the match. Spaces are allowed |
| 2413 | between the exclamation mark and the keyword. See below for more |
| 2414 | details on the supported keywords. |
| 2415 | |
| 2416 | <pattern> is the pattern to look for. It may be a string or a regular |
| 2417 | expression. If the pattern contains spaces, they must be escaped |
| 2418 | with the usual backslash ('\'). |
| 2419 | |
| 2420 | By default, "option httpchk" considers that response statuses 2xx and 3xx |
| 2421 | are valid, and that others are invalid. When "http-check expect" is used, |
| 2422 | it defines what is considered valid or invalid. Only one "http-check" |
| 2423 | statement is supported in a backend. If a server fails to respond or times |
| 2424 | out, the check obviously fails. The available matches are : |
| 2425 | |
| 2426 | status <string> : test the exact string match for the HTTP status code. |
| 2427 | A health check respose will be considered valid if the |
| 2428 | response's status code is exactly this string. If the |
| 2429 | "status" keyword is prefixed with "!", then the response |
| 2430 | will be considered invalid if the status code matches. |
| 2431 | |
| 2432 | rstatus <regex> : test a regular expression for the HTTP status code. |
| 2433 | A health check respose will be considered valid if the |
| 2434 | response's status code matches the expression. If the |
| 2435 | "rstatus" keyword is prefixed with "!", then the response |
| 2436 | will be considered invalid if the status code matches. |
| 2437 | This is mostly used to check for multiple codes. |
| 2438 | |
| 2439 | string <string> : test the exact string match in the HTTP response body. |
| 2440 | A health check respose will be considered valid if the |
| 2441 | response's body contains this exact string. If the |
| 2442 | "string" keyword is prefixed with "!", then the response |
| 2443 | will be considered invalid if the body contains this |
| 2444 | string. This can be used to look for a mandatory word at |
| 2445 | the end of a dynamic page, or to detect a failure when a |
| 2446 | specific error appears on the check page (eg: a stack |
| 2447 | trace). |
| 2448 | |
| 2449 | rstring <regex> : test a regular expression on the HTTP response body. |
| 2450 | A health check respose will be considered valid if the |
| 2451 | response's body matches this expression. If the "rstring" |
| 2452 | keyword is prefixed with "!", then the response will be |
| 2453 | considered invalid if the body matches the expression. |
| 2454 | This can be used to look for a mandatory word at the end |
| 2455 | of a dynamic page, or to detect a failure when a specific |
| 2456 | error appears on the check page (eg: a stack trace). |
| 2457 | |
| 2458 | It is important to note that the responses will be limited to a certain size |
| 2459 | defined by the global "tune.chksize" option, which defaults to 16384 bytes. |
| 2460 | Thus, too large responses may not contain the mandatory pattern when using |
| 2461 | "string" or "rstring". If a large response is absolutely required, it is |
| 2462 | possible to change the default max size by setting the global variable. |
| 2463 | However, it is worth keeping in mind that parsing very large responses can |
| 2464 | waste some CPU cycles, especially when regular expressions are used, and that |
| 2465 | it is always better to focus the checks on smaller resources. |
| 2466 | |
| 2467 | Last, if "http-check expect" is combined with "http-check disable-on-404", |
| 2468 | then this last one has precedence when the server responds with 404. |
| 2469 | |
| 2470 | Examples : |
| 2471 | # only accept status 200 as valid |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2472 | http-check expect status 200 |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2473 | |
| 2474 | # consider SQL errors as errors |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2475 | http-check expect ! string SQL\ Error |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2476 | |
| 2477 | # consider status 5xx only as errors |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2478 | http-check expect ! rstatus ^5 |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2479 | |
| 2480 | # check that we have a correct hexadecimal tag before /html |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2481 | http-check expect rstring <!--tag:[0-9a-f]*</html> |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2482 | |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2483 | See also : "option httpchk", "http-check disable-on-404" |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2484 | |
| 2485 | |
Willy Tarreau | ef78104 | 2010-01-27 11:53:01 +0100 | [diff] [blame] | 2486 | http-check send-state |
| 2487 | Enable emission of a state header with HTTP health checks |
| 2488 | May be used in sections : defaults | frontend | listen | backend |
| 2489 | yes | no | yes | yes |
| 2490 | Arguments : none |
| 2491 | |
| 2492 | When this option is set, haproxy will systematically send a special header |
| 2493 | "X-Haproxy-Server-State" with a list of parameters indicating to each server |
| 2494 | how they are seen by haproxy. This can be used for instance when a server is |
| 2495 | manipulated without access to haproxy and the operator needs to know whether |
| 2496 | haproxy still sees it up or not, or if the server is the last one in a farm. |
| 2497 | |
| 2498 | The header is composed of fields delimited by semi-colons, the first of which |
| 2499 | is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid |
| 2500 | checks on the total number before transition, just as appears in the stats |
| 2501 | interface. Next headers are in the form "<variable>=<value>", indicating in |
| 2502 | no specific order some values available in the stats interface : |
| 2503 | - a variable "name", containing the name of the backend followed by a slash |
| 2504 | ("/") then the name of the server. This can be used when a server is |
| 2505 | checked in multiple backends. |
| 2506 | |
| 2507 | - a variable "node" containing the name of the haproxy node, as set in the |
| 2508 | global "node" variable, otherwise the system's hostname if unspecified. |
| 2509 | |
| 2510 | - a variable "weight" indicating the weight of the server, a slash ("/") |
| 2511 | and the total weight of the farm (just counting usable servers). This |
| 2512 | helps to know if other servers are available to handle the load when this |
| 2513 | one fails. |
| 2514 | |
| 2515 | - a variable "scur" indicating the current number of concurrent connections |
| 2516 | on the server, followed by a slash ("/") then the total number of |
| 2517 | connections on all servers of the same backend. |
| 2518 | |
| 2519 | - a variable "qcur" indicating the current number of requests in the |
| 2520 | server's queue. |
| 2521 | |
| 2522 | Example of a header received by the application server : |
| 2523 | >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \ |
| 2524 | scur=13/22; qcur=0 |
| 2525 | |
| 2526 | See also : "option httpchk", "http-check disable-on-404" |
| 2527 | |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 2528 | http-request { allow | deny | auth [realm <realm>] } |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2529 | [ { if | unless } <condition> ] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2530 | Access control for Layer 7 requests |
| 2531 | |
| 2532 | May be used in sections: defaults | frontend | listen | backend |
| 2533 | no | yes | yes | yes |
| 2534 | |
| 2535 | These set of options allow to fine control access to a |
| 2536 | frontend/listen/backend. Each option may be followed by if/unless and acl. |
| 2537 | First option with matched condition (or option without condition) is final. |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 2538 | For "deny" a 403 error will be returned, for "allow" normal processing is |
| 2539 | performed, for "auth" a 401/407 error code is returned so the client |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2540 | should be asked to enter a username and password. |
| 2541 | |
| 2542 | There is no fixed limit to the number of http-request statements per |
| 2543 | instance. |
| 2544 | |
| 2545 | Example: |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2546 | acl nagios src 192.168.129.3 |
| 2547 | acl local_net src 192.168.0.0/16 |
| 2548 | acl auth_ok http_auth(L1) |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2549 | |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2550 | http-request allow if nagios |
| 2551 | http-request allow if local_net auth_ok |
| 2552 | http-request auth realm Gimme if local_net auth_ok |
| 2553 | http-request deny |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2554 | |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2555 | Example: |
| 2556 | acl auth_ok http_auth_group(L1) G1 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2557 | |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 2558 | http-request auth unless auth_ok |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2559 | |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 2560 | See also : "stats http-request", section 3.4 about userlists and section 7 |
| 2561 | about ACL usage. |
Willy Tarreau | ef78104 | 2010-01-27 11:53:01 +0100 | [diff] [blame] | 2562 | |
Mark Lamourine | c2247f0 | 2012-01-04 13:02:01 -0500 | [diff] [blame] | 2563 | http-send-name-header [<header>] |
| 2564 | Add the server name to a request. Use the header string given by <header> |
| 2565 | |
| 2566 | May be used in sections: defaults | frontend | listen | backend |
| 2567 | yes | no | yes | yes |
| 2568 | |
| 2569 | Arguments : |
| 2570 | |
| 2571 | <header> The header string to use to send the server name |
| 2572 | |
| 2573 | The "http-send-name-header" statement causes the name of the target |
| 2574 | server to be added to the headers of an HTTP request. The name |
| 2575 | is added with the header string proved. |
| 2576 | |
| 2577 | See also : "server" |
| 2578 | |
Krzysztof Piotr Oledzki | f58a962 | 2008-02-23 01:19:10 +0100 | [diff] [blame] | 2579 | id <value> |
Willy Tarreau | 53fb4ae | 2009-10-04 23:04:08 +0200 | [diff] [blame] | 2580 | Set a persistent ID to a proxy. |
| 2581 | May be used in sections : defaults | frontend | listen | backend |
| 2582 | no | yes | yes | yes |
| 2583 | Arguments : none |
| 2584 | |
| 2585 | Set a persistent ID for the proxy. This ID must be unique and positive. |
| 2586 | An unused ID will automatically be assigned if unset. The first assigned |
| 2587 | value will be 1. This ID is currently only returned in statistics. |
Krzysztof Piotr Oledzki | f58a962 | 2008-02-23 01:19:10 +0100 | [diff] [blame] | 2588 | |
| 2589 | |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2590 | ignore-persist { if | unless } <condition> |
| 2591 | Declare a condition to ignore persistence |
| 2592 | May be used in sections: defaults | frontend | listen | backend |
| 2593 | no | yes | yes | yes |
| 2594 | |
| 2595 | By default, when cookie persistence is enabled, every requests containing |
| 2596 | the cookie are unconditionally persistent (assuming the target server is up |
| 2597 | and running). |
| 2598 | |
| 2599 | The "ignore-persist" statement allows one to declare various ACL-based |
| 2600 | conditions which, when met, will cause a request to ignore persistence. |
| 2601 | This is sometimes useful to load balance requests for static files, which |
| 2602 | oftenly don't require persistence. This can also be used to fully disable |
| 2603 | persistence for a specific User-Agent (for example, some web crawler bots). |
| 2604 | |
| 2605 | Combined with "appsession", it can also help reduce HAProxy memory usage, as |
| 2606 | the appsession table won't grow if persistence is ignored. |
| 2607 | |
| 2608 | The persistence is ignored when an "if" condition is met, or unless an |
| 2609 | "unless" condition is met. |
| 2610 | |
| 2611 | See also : "force-persist", "cookie", and section 7 about ACL usage. |
| 2612 | |
| 2613 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2614 | log global |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 2615 | log <address> <facility> [<level> [<minlevel>]] |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 2616 | no log |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2617 | Enable per-instance logging of events and traffic. |
| 2618 | May be used in sections : defaults | frontend | listen | backend |
| 2619 | yes | yes | yes | yes |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 2620 | |
| 2621 | Prefix : |
| 2622 | no should be used when the logger list must be flushed. For example, |
| 2623 | if you don't want to inherit from the default logger list. This |
| 2624 | prefix does not allow arguments. |
| 2625 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2626 | Arguments : |
| 2627 | global should be used when the instance's logging parameters are the |
| 2628 | same as the global ones. This is the most common usage. "global" |
| 2629 | replaces <address>, <facility> and <level> with those of the log |
| 2630 | entries found in the "global" section. Only one "log global" |
| 2631 | statement may be used per instance, and this form takes no other |
| 2632 | parameter. |
| 2633 | |
| 2634 | <address> indicates where to send the logs. It takes the same format as |
| 2635 | for the "global" section's logs, and can be one of : |
| 2636 | |
| 2637 | - An IPv4 address optionally followed by a colon (':') and a UDP |
| 2638 | port. If no port is specified, 514 is used by default (the |
| 2639 | standard syslog port). |
| 2640 | |
David du Colombier | 24bb5f5 | 2011-03-17 10:40:23 +0100 | [diff] [blame] | 2641 | - An IPv6 address followed by a colon (':') and optionally a UDP |
| 2642 | port. If no port is specified, 514 is used by default (the |
| 2643 | standard syslog port). |
| 2644 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2645 | - A filesystem path to a UNIX domain socket, keeping in mind |
| 2646 | considerations for chroot (be sure the path is accessible |
| 2647 | inside the chroot) and uid/gid (be sure the path is |
| 2648 | appropriately writeable). |
| 2649 | |
| 2650 | <facility> must be one of the 24 standard syslog facilities : |
| 2651 | |
| 2652 | kern user mail daemon auth syslog lpr news |
| 2653 | uucp cron auth2 ftp ntp audit alert cron2 |
| 2654 | local0 local1 local2 local3 local4 local5 local6 local7 |
| 2655 | |
| 2656 | <level> is optional and can be specified to filter outgoing messages. By |
| 2657 | default, all messages are sent. If a level is specified, only |
| 2658 | messages with a severity at least as important as this level |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 2659 | will be sent. An optional minimum level can be specified. If it |
| 2660 | is set, logs emitted with a more severe level than this one will |
| 2661 | be capped to this level. This is used to avoid sending "emerg" |
| 2662 | messages on all terminals on some default syslog configurations. |
| 2663 | Eight levels are known : |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2664 | |
| 2665 | emerg alert crit err warning notice info debug |
| 2666 | |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 2667 | It is important to keep in mind that it is the frontend which decides what to |
| 2668 | log from a connection, and that in case of content switching, the log entries |
| 2669 | from the backend will be ignored. Connections are logged at level "info". |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 2670 | |
| 2671 | However, backend log declaration define how and where servers status changes |
| 2672 | will be logged. Level "notice" will be used to indicate a server going up, |
| 2673 | "warning" will be used for termination signals and definitive service |
| 2674 | termination, and "alert" will be used for when a server goes down. |
| 2675 | |
| 2676 | Note : According to RFC3164, messages are truncated to 1024 bytes before |
| 2677 | being emitted. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2678 | |
| 2679 | Example : |
| 2680 | log global |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 2681 | log 127.0.0.1:514 local0 notice # only send important events |
| 2682 | log 127.0.0.1:514 local0 notice notice # same but limit output level |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2683 | |
William Lallemand | 4894040 | 2012-01-30 16:47:22 +0100 | [diff] [blame] | 2684 | log-format <string> |
| 2685 | Allows you to custom a log line. |
| 2686 | |
| 2687 | See also : Custom Log Format (8.2.4) |
| 2688 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2689 | |
| 2690 | maxconn <conns> |
| 2691 | Fix the maximum number of concurrent connections on a frontend |
| 2692 | May be used in sections : defaults | frontend | listen | backend |
| 2693 | yes | yes | yes | no |
| 2694 | Arguments : |
|