blob: 6e69fc7475cf05d776bb11ba5e2b96d409a6820c [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau02c7c142012-06-04 00:43:45 +02007 2012/06/04
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100565. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057
586. HTTP header manipulation
59
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100607. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200617.1. Matching integers
627.2. Matching strings
637.3. Matching regular expressions (regexes)
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200647.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200657.5. Available matching criteria
667.5.1. Matching at Layer 4 and below
677.5.2. Matching contents at Layer 4
687.5.3. Matching at Layer 7
697.6. Pre-defined ACLs
707.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100717.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072
738. Logging
748.1. Log levels
758.2. Log formats
768.2.1. Default log format
778.2.2. TCP log format
788.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100798.2.4. Custom log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200808.3. Advanced logging options
818.3.1. Disabling logging of external tests
828.3.2. Logging before waiting for the session to terminate
838.3.3. Raising log level upon errors
848.3.4. Disabling logging of successful connections
858.4. Timing events
868.5. Session state at disconnection
878.6. Non-printable characters
888.7. Capturing HTTP cookies
898.8. Capturing HTTP headers
908.9. Examples of logs
91
929. Statistics and monitoring
939.1. CSV format
949.2. Unix Socket commands
95
96
971. Quick reminder about HTTP
98----------------------------
99
100When haproxy is running in HTTP mode, both the request and the response are
101fully analyzed and indexed, thus it becomes possible to build matching criteria
102on almost anything found in the contents.
103
104However, it is important to understand how HTTP requests and responses are
105formed, and how HAProxy decomposes them. It will then become easier to write
106correct rules and to debug existing configurations.
107
108
1091.1. The HTTP transaction model
110-------------------------------
111
112The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100113to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200114from the client to the server, a request is sent by the client on the
115connection, the server responds and the connection is closed. A new request
116will involve a new connection :
117
118 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
119
120In this mode, called the "HTTP close" mode, there are as many connection
121establishments as there are HTTP transactions. Since the connection is closed
122by the server after the response, the client does not need to know the content
123length.
124
125Due to the transactional nature of the protocol, it was possible to improve it
126to avoid closing a connection between two subsequent transactions. In this mode
127however, it is mandatory that the server indicates the content length for each
128response so that the client does not wait indefinitely. For this, a special
129header is used: "Content-length". This mode is called the "keep-alive" mode :
130
131 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
132
133Its advantages are a reduced latency between transactions, and less processing
134power required on the server side. It is generally better than the close mode,
135but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200136a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200137
138A last improvement in the communications is the pipelining mode. It still uses
139keep-alive, but the client does not wait for the first response to send the
140second request. This is useful for fetching large number of images composing a
141page :
142
143 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
144
145This can obviously have a tremendous benefit on performance because the network
146latency is eliminated between subsequent requests. Many HTTP agents do not
147correctly support pipelining since there is no way to associate a response with
148the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100149server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200150
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200151By default HAProxy operates in a tunnel-like mode with regards to persistent
152connections: for each connection it processes the first request and forwards
153everything else (including additional requests) to selected server. Once
154established, the connection is persisted both on the client and server
155sides. Use "option http-server-close" to preserve client persistent connections
156while handling every incoming request individually, dispatching them one after
157another to servers, in HTTP close mode. Use "option httpclose" to switch both
158sides to HTTP close mode. "option forceclose" and "option
159http-pretend-keepalive" help working around servers misbehaving in HTTP close
160mode.
161
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200162
1631.2. HTTP request
164-----------------
165
166First, let's consider this HTTP request :
167
168 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100169 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200170 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
171 2 Host: www.mydomain.com
172 3 User-agent: my small browser
173 4 Accept: image/jpeg, image/gif
174 5 Accept: image/png
175
176
1771.2.1. The Request line
178-----------------------
179
180Line 1 is the "request line". It is always composed of 3 fields :
181
182 - a METHOD : GET
183 - a URI : /serv/login.php?lang=en&profile=2
184 - a version tag : HTTP/1.1
185
186All of them are delimited by what the standard calls LWS (linear white spaces),
187which are commonly spaces, but can also be tabs or line feeds/carriage returns
188followed by spaces/tabs. The method itself cannot contain any colon (':') and
189is limited to alphabetic letters. All those various combinations make it
190desirable that HAProxy performs the splitting itself rather than leaving it to
191the user to write a complex or inaccurate regular expression.
192
193The URI itself can have several forms :
194
195 - A "relative URI" :
196
197 /serv/login.php?lang=en&profile=2
198
199 It is a complete URL without the host part. This is generally what is
200 received by servers, reverse proxies and transparent proxies.
201
202 - An "absolute URI", also called a "URL" :
203
204 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
205
206 It is composed of a "scheme" (the protocol name followed by '://'), a host
207 name or address, optionally a colon (':') followed by a port number, then
208 a relative URI beginning at the first slash ('/') after the address part.
209 This is generally what proxies receive, but a server supporting HTTP/1.1
210 must accept this form too.
211
212 - a star ('*') : this form is only accepted in association with the OPTIONS
213 method and is not relayable. It is used to inquiry a next hop's
214 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100215
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200216 - an address:port combination : 192.168.0.12:80
217 This is used with the CONNECT method, which is used to establish TCP
218 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
219 other protocols too.
220
221In a relative URI, two sub-parts are identified. The part before the question
222mark is called the "path". It is typically the relative path to static objects
223on the server. The part after the question mark is called the "query string".
224It is mostly used with GET requests sent to dynamic scripts and is very
225specific to the language, framework or application in use.
226
227
2281.2.2. The request headers
229--------------------------
230
231The headers start at the second line. They are composed of a name at the
232beginning of the line, immediately followed by a colon (':'). Traditionally,
233an LWS is added after the colon but that's not required. Then come the values.
234Multiple identical headers may be folded into one single line, delimiting the
235values with commas, provided that their order is respected. This is commonly
236encountered in the "Cookie:" field. A header may span over multiple lines if
237the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
238define a total of 3 values for the "Accept:" header.
239
240Contrary to a common mis-conception, header names are not case-sensitive, and
241their values are not either if they refer to other header names (such as the
242"Connection:" header).
243
244The end of the headers is indicated by the first empty line. People often say
245that it's a double line feed, which is not exact, even if a double line feed
246is one valid form of empty line.
247
248Fortunately, HAProxy takes care of all these complex combinations when indexing
249headers, checking values and counting them, so there is no reason to worry
250about the way they could be written, but it is important not to accuse an
251application of being buggy if it does unusual, valid things.
252
253Important note:
254 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
255 in the middle of headers by LWS in order to join multi-line headers. This
256 is necessary for proper analysis and helps less capable HTTP parsers to work
257 correctly and not to be fooled by such complex constructs.
258
259
2601.3. HTTP response
261------------------
262
263An HTTP response looks very much like an HTTP request. Both are called HTTP
264messages. Let's consider this HTTP response :
265
266 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100267 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200268 1 HTTP/1.1 200 OK
269 2 Content-length: 350
270 3 Content-Type: text/html
271
Willy Tarreau816b9792009-09-15 21:25:21 +0200272As a special case, HTTP supports so called "Informational responses" as status
273codes 1xx. These messages are special in that they don't convey any part of the
274response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100275continue to post its request for instance. In the case of a status 100 response
276the requested information will be carried by the next non-100 response message
277following the informational one. This implies that multiple responses may be
278sent to a single request, and that this only works when keep-alive is enabled
279(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
280correctly forward and skip them, and only process the next non-100 response. As
281such, these messages are neither logged nor transformed, unless explicitly
282state otherwise. Status 101 messages indicate that the protocol is changing
283over the same connection and that haproxy must switch to tunnel mode, just as
284if a CONNECT had occurred. Then the Upgrade header would contain additional
285information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200286
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200287
2881.3.1. The Response line
289------------------------
290
291Line 1 is the "response line". It is always composed of 3 fields :
292
293 - a version tag : HTTP/1.1
294 - a status code : 200
295 - a reason : OK
296
297The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200298 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200299 - 2xx = OK, content is following (eg: 200, 206)
300 - 3xx = OK, no content following (eg: 302, 304)
301 - 4xx = error caused by the client (eg: 401, 403, 404)
302 - 5xx = error caused by the server (eg: 500, 502, 503)
303
304Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100305"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200306found there, but it's a common practice to respect the well-established
307messages. It can be composed of one or multiple words, such as "OK", "Found",
308or "Authentication Required".
309
310Haproxy may emit the following status codes by itself :
311
312 Code When / reason
313 200 access to stats page, and when replying to monitoring requests
314 301 when performing a redirection, depending on the configured code
315 302 when performing a redirection, depending on the configured code
316 303 when performing a redirection, depending on the configured code
317 400 for an invalid or too large request
318 401 when an authentication is required to perform the action (when
319 accessing the stats page)
320 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
321 408 when the request timeout strikes before the request is complete
322 500 when haproxy encounters an unrecoverable internal error, such as a
323 memory allocation failure, which should never happen
324 502 when the server returns an empty, invalid or incomplete response, or
325 when an "rspdeny" filter blocks the response.
326 503 when no server was available to handle the request, or in response to
327 monitoring requests which match the "monitor fail" condition
328 504 when the response timeout strikes before the server responds
329
330The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3314.2).
332
333
3341.3.2. The response headers
335---------------------------
336
337Response headers work exactly like request headers, and as such, HAProxy uses
338the same parsing function for both. Please refer to paragraph 1.2.2 for more
339details.
340
341
3422. Configuring HAProxy
343----------------------
344
3452.1. Configuration file format
346------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200347
348HAProxy's configuration process involves 3 major sources of parameters :
349
350 - the arguments from the command-line, which always take precedence
351 - the "global" section, which sets process-wide parameters
352 - the proxies sections which can take form of "defaults", "listen",
353 "frontend" and "backend".
354
Willy Tarreau0ba27502007-12-24 16:55:16 +0100355The configuration file syntax consists in lines beginning with a keyword
356referenced in this manual, optionally followed by one or several parameters
357delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100358preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100359escaped by doubling them.
360
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200361
3622.2. Time format
363----------------
364
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100365Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100366values are generally expressed in milliseconds (unless explicitly stated
367otherwise) but may be expressed in any other unit by suffixing the unit to the
368numeric value. It is important to consider this because it will not be repeated
369for every keyword. Supported units are :
370
371 - us : microseconds. 1 microsecond = 1/1000000 second
372 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
373 - s : seconds. 1s = 1000ms
374 - m : minutes. 1m = 60s = 60000ms
375 - h : hours. 1h = 60m = 3600s = 3600000ms
376 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
377
378
Patrick Mezard35da19c2010-06-12 17:02:47 +02003792.3. Examples
380-------------
381
382 # Simple configuration for an HTTP proxy listening on port 80 on all
383 # interfaces and forwarding requests to a single backend "servers" with a
384 # single server "server1" listening on 127.0.0.1:8000
385 global
386 daemon
387 maxconn 256
388
389 defaults
390 mode http
391 timeout connect 5000ms
392 timeout client 50000ms
393 timeout server 50000ms
394
395 frontend http-in
396 bind *:80
397 default_backend servers
398
399 backend servers
400 server server1 127.0.0.1:8000 maxconn 32
401
402
403 # The same configuration defined with a single listen block. Shorter but
404 # less expressive, especially in HTTP mode.
405 global
406 daemon
407 maxconn 256
408
409 defaults
410 mode http
411 timeout connect 5000ms
412 timeout client 50000ms
413 timeout server 50000ms
414
415 listen http-in
416 bind *:80
417 server server1 127.0.0.1:8000 maxconn 32
418
419
420Assuming haproxy is in $PATH, test these configurations in a shell with:
421
Willy Tarreauccb289d2010-12-11 20:19:38 +0100422 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200423
424
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004253. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200426--------------------
427
428Parameters in the "global" section are process-wide and often OS-specific. They
429are generally set once for all and do not need being changed once correct. Some
430of them have command-line equivalents.
431
432The following keywords are supported in the "global" section :
433
434 * Process management and security
435 - chroot
436 - daemon
437 - gid
438 - group
439 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100440 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200441 - nbproc
442 - pidfile
443 - uid
444 - ulimit-n
445 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200446 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200447 - node
448 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100449 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100450
Willy Tarreau6a06a402007-07-15 20:15:28 +0200451 * Performance tuning
452 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200453 - maxconnrate
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200455 - noepoll
456 - nokqueue
457 - nopoll
458 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100459 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200460 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200461 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200462 - tune.chksize
Willy Tarreauac1932d2011-10-24 19:14:41 +0200463 - tune.http.maxhdr
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100464 - tune.maxaccept
465 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200466 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200467 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100468 - tune.rcvbuf.client
469 - tune.rcvbuf.server
470 - tune.sndbuf.client
471 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100472
Willy Tarreau6a06a402007-07-15 20:15:28 +0200473 * Debugging
474 - debug
475 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200476
477
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004783.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200479------------------------------------
480
481chroot <jail dir>
482 Changes current directory to <jail dir> and performs a chroot() there before
483 dropping privileges. This increases the security level in case an unknown
484 vulnerability would be exploited, since it would make it very hard for the
485 attacker to exploit the system. This only works when the process is started
486 with superuser privileges. It is important to ensure that <jail_dir> is both
487 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100488
Willy Tarreau6a06a402007-07-15 20:15:28 +0200489daemon
490 Makes the process fork into background. This is the recommended mode of
491 operation. It is equivalent to the command line "-D" argument. It can be
492 disabled by the command line "-db" argument.
493
494gid <number>
495 Changes the process' group ID to <number>. It is recommended that the group
496 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
497 be started with a user belonging to this group, or with superuser privileges.
498 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100499
Willy Tarreau6a06a402007-07-15 20:15:28 +0200500group <group name>
501 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
502 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100503
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200504log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200505 Adds a global syslog server. Up to two global servers can be defined. They
506 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100507 configured with "log global".
508
509 <address> can be one of:
510
Willy Tarreau2769aa02007-12-27 18:26:09 +0100511 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100512 no port is specified, 514 is used by default (the standard syslog
513 port).
514
David du Colombier24bb5f52011-03-17 10:40:23 +0100515 - An IPv6 address followed by a colon and optionally a UDP port. If
516 no port is specified, 514 is used by default (the standard syslog
517 port).
518
Robert Tsai81ae1952007-12-05 10:47:29 +0100519 - A filesystem path to a UNIX domain socket, keeping in mind
520 considerations for chroot (be sure the path is accessible inside
521 the chroot) and uid/gid (be sure the path is appropriately
522 writeable).
523
524 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525
526 kern user mail daemon auth syslog lpr news
527 uucp cron auth2 ftp ntp audit alert cron2
528 local0 local1 local2 local3 local4 local5 local6 local7
529
530 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200531 all messages are sent. If a maximum level is specified, only messages with a
532 severity at least as important as this level will be sent. An optional minimum
533 level can be specified. If it is set, logs emitted with a more severe level
534 than this one will be capped to this level. This is used to avoid sending
535 "emerg" messages on all terminals on some default syslog configurations.
536 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200537
Cyril Bontédc4d9032012-04-08 21:57:39 +0200538 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200539
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100540log-send-hostname [<string>]
541 Sets the hostname field in the syslog header. If optional "string" parameter
542 is set the header is set to the string contents, otherwise uses the hostname
543 of the system. Generally used if one is not relaying logs through an
544 intermediate syslog server or for simply customizing the hostname printed in
545 the logs.
546
Kevinm48936af2010-12-22 16:08:21 +0000547log-tag <string>
548 Sets the tag field in the syslog header to this string. It defaults to the
549 program name as launched from the command line, which usually is "haproxy".
550 Sometimes it can be useful to differentiate between multiple processes
551 running on the same host.
552
Willy Tarreau6a06a402007-07-15 20:15:28 +0200553nbproc <number>
554 Creates <number> processes when going daemon. This requires the "daemon"
555 mode. By default, only one process is created, which is the recommended mode
556 of operation. For systems limited to small sets of file descriptors per
557 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
558 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
559
560pidfile <pidfile>
561 Writes pids of all daemons into file <pidfile>. This option is equivalent to
562 the "-p" command line argument. The file must be accessible to the user
563 starting the process. See also "daemon".
564
Willy Tarreaufbee7132007-10-18 13:53:22 +0200565stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Cyril Bontédc4d9032012-04-08 21:57:39 +0200566 [level <level>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200567
Willy Tarreaufbee7132007-10-18 13:53:22 +0200568 Creates a UNIX socket in stream mode at location <path>. Any previously
569 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100570 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200571 issued. Please consult section 9.2 "Unix Socket commands" for more details.
572
573 An optional "level" parameter can be specified to restrict the nature of
574 the commands that can be issued on the socket :
575 - "user" is the least privileged level ; only non-sensitive stats can be
576 read, and no change is allowed. It would make sense on systems where it
577 is not easy to restrict access to the socket.
578
579 - "operator" is the default level and fits most common uses. All data can
Willy Tarreau3c92c5f2011-08-28 09:45:47 +0200580 be read, and only non-sensitive changes are permitted (eg: clear max
Willy Tarreau6162db22009-10-10 17:13:00 +0200581 counters).
582
583 - "admin" should be used with care, as everything is permitted (eg: clear
584 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100585
586 On platforms which support it, it is possible to restrict access to this
587 socket by specifying numerical IDs after "uid" and "gid", or valid user and
588 group names after the "user" and "group" keywords. It is also possible to
589 restrict permissions on the socket by passing an octal value after the "mode"
590 keyword (same syntax as chmod). Depending on the platform, the permissions on
591 the socket will be inherited from the directory which hosts it, or from the
592 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200593
594stats timeout <timeout, in milliseconds>
595 The default timeout on the stats socket is set to 10 seconds. It is possible
596 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100597 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200598
599stats maxconn <connections>
600 By default, the stats socket is limited to 10 concurrent connections. It is
601 possible to change this value with "stats maxconn".
602
Willy Tarreau6a06a402007-07-15 20:15:28 +0200603uid <number>
604 Changes the process' user ID to <number>. It is recommended that the user ID
605 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
606 be started with superuser privileges in order to be able to switch to another
607 one. See also "gid" and "user".
608
609ulimit-n <number>
610 Sets the maximum number of per-process file-descriptors to <number>. By
611 default, it is automatically computed, so it is recommended not to use this
612 option.
613
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100614unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
615 [ group <group> ] [ gid <gid> ]
616
617 Fixes common settings to UNIX listening sockets declared in "bind" statements.
618 This is mainly used to simplify declaration of those UNIX sockets and reduce
619 the risk of errors, since those settings are most commonly required but are
620 also process-specific. The <prefix> setting can be used to force all socket
621 path to be relative to that directory. This might be needed to access another
622 component's chroot. Note that those paths are resolved before haproxy chroots
623 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
624 all have the same meaning as their homonyms used by the "bind" statement. If
625 both are specified, the "bind" statement has priority, meaning that the
626 "unix-bind" settings may be seen as process-wide default settings.
627
Willy Tarreau6a06a402007-07-15 20:15:28 +0200628user <user name>
629 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
630 See also "uid" and "group".
631
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200632node <name>
633 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
634
635 This statement is useful in HA configurations where two or more processes or
636 servers share the same IP address. By setting a different node-name on all
637 nodes, it becomes easy to immediately spot what server is handling the
638 traffic.
639
640description <text>
641 Add a text that describes the instance.
642
643 Please note that it is required to escape certain characters (# for example)
644 and this text is inserted into a html page so you should avoid using
645 "<" and ">" characters.
646
Willy Tarreau6a06a402007-07-15 20:15:28 +0200647
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006483.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200649-----------------------
650
651maxconn <number>
652 Sets the maximum per-process number of concurrent connections to <number>. It
653 is equivalent to the command-line argument "-n". Proxies will stop accepting
654 connections when this limit is reached. The "ulimit-n" parameter is
655 automatically adjusted according to this value. See also "ulimit-n".
656
Willy Tarreau81c25d02011-09-07 15:17:21 +0200657maxconnrate <number>
658 Sets the maximum per-process number of connections per second to <number>.
659 Proxies will stop accepting connections when this limit is reached. It can be
660 used to limit the global capacity regardless of each frontend capacity. It is
661 important to note that this can only be used as a service protection measure,
662 as there will not necessarily be a fair share between frontends when the
663 limit is reached, so it's a good idea to also limit each frontend to some
664 value close to its expected share. Also, lowering tune.maxaccept can improve
665 fairness.
666
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100667maxpipes <number>
668 Sets the maximum per-process number of pipes to <number>. Currently, pipes
669 are only used by kernel-based tcp splicing. Since a pipe contains two file
670 descriptors, the "ulimit-n" value will be increased accordingly. The default
671 value is maxconn/4, which seems to be more than enough for most heavy usages.
672 The splice code dynamically allocates and releases pipes, and can fall back
673 to standard copy, so setting this value too low may only impact performance.
674
Willy Tarreau6a06a402007-07-15 20:15:28 +0200675noepoll
676 Disables the use of the "epoll" event polling system on Linux. It is
677 equivalent to the command-line argument "-de". The next polling system
678 used will generally be "poll". See also "nosepoll", and "nopoll".
679
680nokqueue
681 Disables the use of the "kqueue" event polling system on BSD. It is
682 equivalent to the command-line argument "-dk". The next polling system
683 used will generally be "poll". See also "nopoll".
684
685nopoll
686 Disables the use of the "poll" event polling system. It is equivalent to the
687 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100688 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200689 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
690 "nokqueue".
691
692nosepoll
693 Disables the use of the "speculative epoll" event polling system on Linux. It
694 is equivalent to the command-line argument "-ds". The next polling system
695 used will generally be "epoll". See also "nosepoll", and "nopoll".
696
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100697nosplice
698 Disables the use of kernel tcp splicing between sockets on Linux. It is
699 equivalent to the command line argument "-dS". Data will then be copied
700 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100701 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100702 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
703 be used. This option makes it easier to globally disable kernel splicing in
704 case of doubt. See also "option splice-auto", "option splice-request" and
705 "option splice-response".
706
Willy Tarreaufe255b72007-10-14 23:09:26 +0200707spread-checks <0..50, in percent>
708 Sometimes it is desirable to avoid sending health checks to servers at exact
709 intervals, for instance when many logical servers are located on the same
710 physical server. With the help of this parameter, it becomes possible to add
711 some randomness in the check interval between 0 and +/- 50%. A value between
712 2 and 5 seems to show good results. The default value remains at 0.
713
Willy Tarreau27a674e2009-08-17 07:23:33 +0200714tune.bufsize <number>
715 Sets the buffer size to this size (in bytes). Lower values allow more
716 sessions to coexist in the same amount of RAM, and higher values allow some
717 applications with very large cookies to work. The default value is 16384 and
718 can be changed at build time. It is strongly recommended not to change this
719 from the default value, as very low values will break some services such as
720 statistics, and values larger than default size will increase memory usage,
721 possibly causing the system to run out of memory. At least the global maxconn
722 parameter should be decreased by the same factor as this one is increased.
723
Willy Tarreau43961d52010-10-04 20:39:20 +0200724tune.chksize <number>
725 Sets the check buffer size to this size (in bytes). Higher values may help
726 find string or regex patterns in very large pages, though doing so may imply
727 more memory and CPU usage. The default value is 16384 and can be changed at
728 build time. It is not recommended to change this value, but to use better
729 checks whenever possible.
730
Willy Tarreauac1932d2011-10-24 19:14:41 +0200731tune.http.maxhdr <number>
732 Sets the maximum number of headers in a request. When a request comes with a
733 number of headers greater than this value (including the first line), it is
734 rejected with a "400 Bad Request" status code. Similarly, too large responses
735 are blocked with "502 Bad Gateway". The default value is 101, which is enough
736 for all usages, considering that the widely deployed Apache server uses the
737 same limit. It can be useful to push this limit further to temporarily allow
738 a buggy application to work by the time it gets fixed. Keep in mind that each
739 new header consumes 32bits of memory for each session, so don't push this
740 limit too high.
741
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100742tune.maxaccept <number>
743 Sets the maximum number of consecutive accepts that a process may perform on
744 a single wake up. High values give higher priority to high connection rates,
745 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100746 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100747 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
748 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100749 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100750 the limitation. It should normally not be needed to tweak this value.
751
752tune.maxpollevents <number>
753 Sets the maximum amount of events that can be processed at once in a call to
754 the polling system. The default value is adapted to the operating system. It
755 has been noticed that reducing it below 200 tends to slightly decrease
756 latency at the expense of network bandwidth, and increasing it above 200
757 tends to trade latency for slightly increased bandwidth.
758
Willy Tarreau27a674e2009-08-17 07:23:33 +0200759tune.maxrewrite <number>
760 Sets the reserved buffer space to this size in bytes. The reserved space is
761 used for header rewriting or appending. The first reads on sockets will never
762 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
763 bufsize, though that does not make much sense since there are rarely large
764 numbers of headers to add. Setting it too high prevents processing of large
765 requests or responses. Setting it too low prevents addition of new headers
766 to already large requests or to POST requests. It is generally wise to set it
767 to about 1024. It is automatically readjusted to half of bufsize if it is
768 larger than that. This means you don't have to worry about it when changing
769 bufsize.
770
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200771tune.pipesize <number>
772 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
773 are the default size for the system. But sometimes when using TCP splicing,
774 it can improve performance to increase pipe sizes, especially if it is
775 suspected that pipes are not filled and that many calls to splice() are
776 performed. This has an impact on the kernel's memory footprint, so this must
777 not be changed if impacts are not understood.
778
Willy Tarreaue803de22010-01-21 17:43:04 +0100779tune.rcvbuf.client <number>
780tune.rcvbuf.server <number>
781 Forces the kernel socket receive buffer size on the client or the server side
782 to the specified value in bytes. This value applies to all TCP/HTTP frontends
783 and backends. It should normally never be set, and the default size (0) lets
784 the kernel autotune this value depending on the amount of available memory.
785 However it can sometimes help to set it to very low values (eg: 4096) in
786 order to save kernel memory by preventing it from buffering too large amounts
787 of received data. Lower values will significantly increase CPU usage though.
788
789tune.sndbuf.client <number>
790tune.sndbuf.server <number>
791 Forces the kernel socket send buffer size on the client or the server side to
792 the specified value in bytes. This value applies to all TCP/HTTP frontends
793 and backends. It should normally never be set, and the default size (0) lets
794 the kernel autotune this value depending on the amount of available memory.
795 However it can sometimes help to set it to very low values (eg: 4096) in
796 order to save kernel memory by preventing it from buffering too large amounts
797 of received data. Lower values will significantly increase CPU usage though.
798 Another use case is to prevent write timeouts with extremely slow clients due
799 to the kernel waiting for a large part of the buffer to be read before
800 notifying haproxy again.
801
Willy Tarreau6a06a402007-07-15 20:15:28 +0200802
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008033.3. Debugging
804--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200805
806debug
807 Enables debug mode which dumps to stdout all exchanges, and disables forking
808 into background. It is the equivalent of the command-line argument "-d". It
809 should never be used in a production configuration since it may prevent full
810 system startup.
811
812quiet
813 Do not display any message during startup. It is equivalent to the command-
814 line argument "-q".
815
Emeric Brunf099e792010-09-27 12:05:28 +0200816
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01008173.4. Userlists
818--------------
819It is possible to control access to frontend/backend/listen sections or to
820http stats by allowing only authenticated and authorized users. To do this,
821it is required to create at least one userlist and to define users.
822
823userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100824 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100825 used to store authentication & authorization data for independent customers.
826
827group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100828 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100829 attach users to this group by using a comma separated list of names
830 proceeded by "users" keyword.
831
Cyril Bontéf0c60612010-02-06 14:44:47 +0100832user <username> [password|insecure-password <password>]
833 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100834 Adds user <username> to the current userlist. Both secure (encrypted) and
835 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100836 evaluated using the crypt(3) function so depending of the system's
837 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100838 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
839 DES-based method of crypting passwords.
840
841
842 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100843 userlist L1
844 group G1 users tiger,scott
845 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100846
Cyril Bontéf0c60612010-02-06 14:44:47 +0100847 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
848 user scott insecure-password elgato
849 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100850
Cyril Bontéf0c60612010-02-06 14:44:47 +0100851 userlist L2
852 group G1
853 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100854
Cyril Bontéf0c60612010-02-06 14:44:47 +0100855 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
856 user scott insecure-password elgato groups G1,G2
857 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100858
859 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200860
Emeric Brunf099e792010-09-27 12:05:28 +0200861
8623.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +0200863----------
Emeric Brunf099e792010-09-27 12:05:28 +0200864It is possible to synchronize server entries in stick tables between several
865haproxy instances over TCP connections in a multi-master fashion. Each instance
866pushes its local updates and insertions to remote peers. Server IDs are used to
867identify servers remotely, so it is important that configurations look similar
868or at least that the same IDs are forced on each server on all participants.
869Interrupted exchanges are automatically detected and recovered from the last
870known point. In addition, during a soft restart, the old process connects to
871the new one using such a TCP connection to push all its entries before the new
872process tries to connect to other peers. That ensures very fast replication
873during a reload, it typically takes a fraction of a second even for large
874tables.
875
876peers <peersect>
877 Creates a new peer list with name <peersect>. It is an independant section,
878 which is referenced by one or more stick-tables.
879
880peer <peername> <ip>:<port>
881 Defines a peer inside a peers section.
882 If <peername> is set to the local peer name (by default hostname, or forced
883 using "-L" command line option), haproxy will listen for incoming remote peer
884 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
885 to join the remote peer, and <peername> is used at the protocol level to
886 identify and validate the remote peer on the server side.
887
888 During a soft restart, local peer <ip>:<port> is used by the old instance to
889 connect the new one and initiate a complete replication (teaching process).
890
891 It is strongly recommended to have the exact same peers declaration on all
892 peers and to only rely on the "-L" command line argument to change the local
893 peer name. This makes it easier to maintain coherent configuration files
894 across all peers.
895
Cyril Bontédc4d9032012-04-08 21:57:39 +0200896 Example:
Emeric Brunf099e792010-09-27 12:05:28 +0200897 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100898 peer haproxy1 192.168.0.1:1024
899 peer haproxy2 192.168.0.2:1024
900 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +0200901
902 backend mybackend
903 mode tcp
904 balance roundrobin
905 stick-table type ip size 20k peers mypeers
906 stick on src
907
Willy Tarreauf7b30a92010-12-06 22:59:17 +0100908 server srv1 192.168.0.30:80
909 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +0200910
911
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009124. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200913----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100914
Willy Tarreau6a06a402007-07-15 20:15:28 +0200915Proxy configuration can be located in a set of sections :
916 - defaults <name>
917 - frontend <name>
918 - backend <name>
919 - listen <name>
920
921A "defaults" section sets default parameters for all other sections following
922its declaration. Those default parameters are reset by the next "defaults"
923section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100924section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200925
926A "frontend" section describes a set of listening sockets accepting client
927connections.
928
929A "backend" section describes a set of servers to which the proxy will connect
930to forward incoming connections.
931
932A "listen" section defines a complete proxy with its frontend and backend
933parts combined in one section. It is generally useful for TCP-only traffic.
934
Willy Tarreau0ba27502007-12-24 16:55:16 +0100935All proxy names must be formed from upper and lower case letters, digits,
936'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
937case-sensitive, which means that "www" and "WWW" are two different proxies.
938
939Historically, all proxy names could overlap, it just caused troubles in the
940logs. Since the introduction of content switching, it is mandatory that two
941proxies with overlapping capabilities (frontend/backend) have different names.
942However, it is still permitted that a frontend and a backend share the same
943name, as this configuration seems to be commonly encountered.
944
945Right now, two major proxy modes are supported : "tcp", also known as layer 4,
946and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100947bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100948protocol, and can interact with it by allowing, blocking, switching, adding,
949modifying, or removing arbitrary contents in requests or responses, based on
950arbitrary criteria.
951
Willy Tarreau0ba27502007-12-24 16:55:16 +0100952
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009534.1. Proxy keywords matrix
954--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100955
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200956The following list of keywords is supported. Most of them may only be used in a
957limited set of section types. Some of them are marked as "deprecated" because
958they are inherited from an old syntax which may be confusing or functionally
959limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100960marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200961option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200962and must be disabled for a specific instance. Such options may also be prefixed
963with "default" in order to restore default settings regardless of what has been
964specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100965
Willy Tarreau6a06a402007-07-15 20:15:28 +0200966
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100967 keyword defaults frontend listen backend
968------------------------------------+----------+----------+---------+---------
969acl - X X X
970appsession - - X X
971backlog X X X -
972balance X - X X
973bind - X X -
974bind-process X X X X
975block - X X X
976capture cookie - X X -
977capture request header - X X -
978capture response header - X X -
979clitimeout (deprecated) X X X -
980contimeout (deprecated) X - X X
981cookie X - X X
982default-server X - X X
983default_backend X X X -
984description - X X X
985disabled X X X X
986dispatch - - X X
987enabled X X X X
988errorfile X X X X
989errorloc X X X X
990errorloc302 X X X X
991-- keyword -------------------------- defaults - frontend - listen -- backend -
992errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200993force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100994fullconn X - X X
995grace X X X X
996hash-type X - X X
997http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +0100998http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +0200999http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001000http-request - X X X
1001id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001002ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001003log (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001004maxconn X X X -
1005mode X X X X
1006monitor fail - X X -
1007monitor-net X X X -
1008monitor-uri X X X -
1009option abortonclose (*) X - X X
1010option accept-invalid-http-request (*) X X X -
1011option accept-invalid-http-response (*) X - X X
1012option allbackups (*) X - X X
1013option checkcache (*) X - X X
1014option clitcpka (*) X X X -
1015option contstats (*) X X X -
1016option dontlog-normal (*) X X X -
1017option dontlognull (*) X X X -
1018option forceclose (*) X X X X
1019-- keyword -------------------------- defaults - frontend - listen -- backend -
1020option forwardfor X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001021option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001022option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001023option http-server-close (*) X X X X
1024option http-use-proxy-header (*) X X X -
1025option httpchk X - X X
1026option httpclose (*) X X X X
1027option httplog X X X X
1028option http_proxy (*) X X X X
1029option independant-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001030option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001031option log-health-checks (*) X - X X
1032option log-separate-errors (*) X X X -
1033option logasap (*) X X X -
1034option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001035option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001036option nolinger (*) X X X X
1037option originalto X X X X
1038option persist (*) X - X X
1039option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001040option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001041option smtpchk X - X X
1042option socket-stats (*) X X X -
1043option splice-auto (*) X X X X
1044option splice-request (*) X X X X
1045option splice-response (*) X X X X
1046option srvtcpka (*) X - X X
1047option ssl-hello-chk X - X X
1048-- keyword -------------------------- defaults - frontend - listen -- backend -
1049option tcp-smart-accept (*) X X X -
1050option tcp-smart-connect (*) X - X X
1051option tcpka X X X X
1052option tcplog X X X X
1053option transparent (*) X - X X
1054persist rdp-cookie X - X X
1055rate-limit sessions X X X -
1056redirect - X X X
1057redisp (deprecated) X - X X
1058redispatch (deprecated) X - X X
1059reqadd - X X X
1060reqallow - X X X
1061reqdel - X X X
1062reqdeny - X X X
1063reqiallow - X X X
1064reqidel - X X X
1065reqideny - X X X
1066reqipass - X X X
1067reqirep - X X X
1068reqisetbe - X X X
1069reqitarpit - X X X
1070reqpass - X X X
1071reqrep - X X X
1072-- keyword -------------------------- defaults - frontend - listen -- backend -
1073reqsetbe - X X X
1074reqtarpit - X X X
1075retries X - X X
1076rspadd - X X X
1077rspdel - X X X
1078rspdeny - X X X
1079rspidel - X X X
1080rspideny - X X X
1081rspirep - X X X
1082rsprep - X X X
1083server - - X X
1084source X - X X
1085srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001086stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001087stats auth X - X X
1088stats enable X - X X
1089stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001090stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001091stats realm X - X X
1092stats refresh X - X X
1093stats scope X - X X
1094stats show-desc X - X X
1095stats show-legends X - X X
1096stats show-node X - X X
1097stats uri X - X X
1098-- keyword -------------------------- defaults - frontend - listen -- backend -
1099stick match - - X X
1100stick on - - X X
1101stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001102stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001103stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001104tcp-request connection - X X -
1105tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001106tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001107tcp-response content - - X X
1108tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001109timeout check X - X X
1110timeout client X X X -
1111timeout clitimeout (deprecated) X X X -
1112timeout connect X - X X
1113timeout contimeout (deprecated) X - X X
1114timeout http-keep-alive X X X X
1115timeout http-request X X X X
1116timeout queue X - X X
1117timeout server X - X X
1118timeout srvtimeout (deprecated) X - X X
1119timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001120timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001121transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001122unique-id-format X X X -
1123unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001124use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001125use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001126------------------------------------+----------+----------+---------+---------
1127 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001128
Willy Tarreau0ba27502007-12-24 16:55:16 +01001129
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011304.2. Alphabetically sorted keywords reference
1131---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001132
1133This section provides a description of each keyword and its usage.
1134
1135
1136acl <aclname> <criterion> [flags] [operator] <value> ...
1137 Declare or complete an access list.
1138 May be used in sections : defaults | frontend | listen | backend
1139 no | yes | yes | yes
1140 Example:
1141 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1142 acl invalid_src src_port 0:1023
1143 acl local_dst hdr(host) -i localhost
1144
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001145 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001146
1147
Cyril Bontéb21570a2009-11-29 20:04:48 +01001148appsession <cookie> len <length> timeout <holdtime>
1149 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001150 Define session stickiness on an existing application cookie.
1151 May be used in sections : defaults | frontend | listen | backend
1152 no | no | yes | yes
1153 Arguments :
1154 <cookie> this is the name of the cookie used by the application and which
1155 HAProxy will have to learn for each new session.
1156
Cyril Bontéb21570a2009-11-29 20:04:48 +01001157 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001158 checked in each cookie value.
1159
1160 <holdtime> this is the time after which the cookie will be removed from
1161 memory if unused. If no unit is specified, this time is in
1162 milliseconds.
1163
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001164 request-learn
1165 If this option is specified, then haproxy will be able to learn
1166 the cookie found in the request in case the server does not
1167 specify any in response. This is typically what happens with
1168 PHPSESSID cookies, or when haproxy's session expires before
1169 the application's session and the correct server is selected.
1170 It is recommended to specify this option to improve reliability.
1171
Cyril Bontéb21570a2009-11-29 20:04:48 +01001172 prefix When this option is specified, haproxy will match on the cookie
1173 prefix (or URL parameter prefix). The appsession value is the
1174 data following this prefix.
1175
1176 Example :
1177 appsession ASPSESSIONID len 64 timeout 3h prefix
1178
1179 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1180 the appsession value will be XXXX=XXXXX.
1181
1182 mode This option allows to change the URL parser mode.
1183 2 modes are currently supported :
1184 - path-parameters :
1185 The parser looks for the appsession in the path parameters
1186 part (each parameter is separated by a semi-colon), which is
1187 convenient for JSESSIONID for example.
1188 This is the default mode if the option is not set.
1189 - query-string :
1190 In this mode, the parser will look for the appsession in the
1191 query string.
1192
Willy Tarreau0ba27502007-12-24 16:55:16 +01001193 When an application cookie is defined in a backend, HAProxy will check when
1194 the server sets such a cookie, and will store its value in a table, and
1195 associate it with the server's identifier. Up to <length> characters from
1196 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001197 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1198 the mode used). If a known value is found, the client will be directed to the
1199 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001200 applied. Cookies are automatically removed from memory when they have been
1201 unused for a duration longer than <holdtime>.
1202
1203 The definition of an application cookie is limited to one per backend.
1204
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001205 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1206 unless you know what you do : memory is not shared between the
1207 processes, which can result in random behaviours.
1208
Willy Tarreau0ba27502007-12-24 16:55:16 +01001209 Example :
1210 appsession JSESSIONID len 52 timeout 3h
1211
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001212 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1213 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001214
1215
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001216backlog <conns>
1217 Give hints to the system about the approximate listen backlog desired size
1218 May be used in sections : defaults | frontend | listen | backend
1219 yes | yes | yes | no
1220 Arguments :
1221 <conns> is the number of pending connections. Depending on the operating
1222 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001223 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001224
1225 In order to protect against SYN flood attacks, one solution is to increase
1226 the system's SYN backlog size. Depending on the system, sometimes it is just
1227 tunable via a system parameter, sometimes it is not adjustable at all, and
1228 sometimes the system relies on hints given by the application at the time of
1229 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1230 to the listen() syscall. On systems which can make use of this value, it can
1231 sometimes be useful to be able to specify a different value, hence this
1232 backlog parameter.
1233
1234 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1235 used as a hint and the system accepts up to the smallest greater power of
1236 two, and never more than some limits (usually 32768).
1237
1238 See also : "maxconn" and the target operating system's tuning guide.
1239
1240
Willy Tarreau0ba27502007-12-24 16:55:16 +01001241balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001242balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001243 Define the load balancing algorithm to be used in a backend.
1244 May be used in sections : defaults | frontend | listen | backend
1245 yes | no | yes | yes
1246 Arguments :
1247 <algorithm> is the algorithm used to select a server when doing load
1248 balancing. This only applies when no persistence information
1249 is available, or when a connection is redispatched to another
1250 server. <algorithm> may be one of the following :
1251
1252 roundrobin Each server is used in turns, according to their weights.
1253 This is the smoothest and fairest algorithm when the server's
1254 processing time remains equally distributed. This algorithm
1255 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001256 on the fly for slow starts for instance. It is limited by
1257 design to 4128 active servers per backend. Note that in some
1258 large farms, when a server becomes up after having been down
1259 for a very short time, it may sometimes take a few hundreds
1260 requests for it to be re-integrated into the farm and start
1261 receiving traffic. This is normal, though very rare. It is
1262 indicated here in case you would have the chance to observe
1263 it, so that you don't worry.
1264
1265 static-rr Each server is used in turns, according to their weights.
1266 This algorithm is as similar to roundrobin except that it is
1267 static, which means that changing a server's weight on the
1268 fly will have no effect. On the other hand, it has no design
1269 limitation on the number of servers, and when a server goes
1270 up, it is always immediately reintroduced into the farm, once
1271 the full map is recomputed. It also uses slightly less CPU to
1272 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001273
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001274 leastconn The server with the lowest number of connections receives the
1275 connection. Round-robin is performed within groups of servers
1276 of the same load to ensure that all servers will be used. Use
1277 of this algorithm is recommended where very long sessions are
1278 expected, such as LDAP, SQL, TSE, etc... but is not very well
1279 suited for protocols using short sessions such as HTTP. This
1280 algorithm is dynamic, which means that server weights may be
1281 adjusted on the fly for slow starts for instance.
1282
Willy Tarreauf09c6602012-02-13 17:12:08 +01001283 first The first server with available connection slots receives the
1284 connection. The servers are choosen from the lowest numeric
1285 identifier to the highest (see server parameter "id"), which
1286 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001287 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001288 not make sense to use this algorithm without setting maxconn.
1289 The purpose of this algorithm is to always use the smallest
1290 number of servers so that extra servers can be powered off
1291 during non-intensive hours. This algorithm ignores the server
1292 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001293 or IMAP than HTTP, though it can be useful there too. In
1294 order to use this algorithm efficiently, it is recommended
1295 that a cloud controller regularly checks server usage to turn
1296 them off when unused, and regularly checks backend queue to
1297 turn new servers on when the queue inflates. Alternatively,
1298 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001299
Willy Tarreau0ba27502007-12-24 16:55:16 +01001300 source The source IP address is hashed and divided by the total
1301 weight of the running servers to designate which server will
1302 receive the request. This ensures that the same client IP
1303 address will always reach the same server as long as no
1304 server goes down or up. If the hash result changes due to the
1305 number of running servers changing, many clients will be
1306 directed to a different server. This algorithm is generally
1307 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001308 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001309 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001310 static by default, which means that changing a server's
1311 weight on the fly will have no effect, but this can be
1312 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001313
Oskar Stolc8dc41842012-05-19 10:19:54 +01001314 uri This algorithm hashes either the left part of the URI (before
1315 the question mark) or the whole URI (if the "whole" parameter
1316 is present) and divides the hash value by the total weight of
1317 the running servers. The result designates which server will
1318 receive the request. This ensures that the same URI will
1319 always be directed to the same server as long as no server
1320 goes up or down. This is used with proxy caches and
1321 anti-virus proxies in order to maximize the cache hit rate.
1322 Note that this algorithm may only be used in an HTTP backend.
1323 This algorithm is static by default, which means that
1324 changing a server's weight on the fly will have no effect,
1325 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001326
Oskar Stolc8dc41842012-05-19 10:19:54 +01001327 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001328 "depth", both followed by a positive integer number. These
1329 options may be helpful when it is needed to balance servers
1330 based on the beginning of the URI only. The "len" parameter
1331 indicates that the algorithm should only consider that many
1332 characters at the beginning of the URI to compute the hash.
1333 Note that having "len" set to 1 rarely makes sense since most
1334 URIs start with a leading "/".
1335
1336 The "depth" parameter indicates the maximum directory depth
1337 to be used to compute the hash. One level is counted for each
1338 slash in the request. If both parameters are specified, the
1339 evaluation stops when either is reached.
1340
Willy Tarreau0ba27502007-12-24 16:55:16 +01001341 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001342 the query string of each HTTP GET request.
1343
1344 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001345 request entity will be searched for the parameter argument,
1346 when it is not found in a query string after a question mark
1347 ('?') in the URL. Optionally, specify a number of octets to
1348 wait for before attempting to search the message body. If the
1349 entity can not be searched, then round robin is used for each
1350 request. For instance, if your clients always send the LB
1351 parameter in the first 128 bytes, then specify that. The
1352 default is 48. The entity data will not be scanned until the
1353 required number of octets have arrived at the gateway, this
1354 is the minimum of: (default/max_wait, Content-Length or first
1355 chunk length). If Content-Length is missing or zero, it does
1356 not need to wait for more data than the client promised to
1357 send. When Content-Length is present and larger than
1358 <max_wait>, then waiting is limited to <max_wait> and it is
1359 assumed that this will be enough data to search for the
1360 presence of the parameter. In the unlikely event that
1361 Transfer-Encoding: chunked is used, only the first chunk is
1362 scanned. Parameter values separated by a chunk boundary, may
1363 be randomly balanced if at all.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001364
1365 If the parameter is found followed by an equal sign ('=') and
1366 a value, then the value is hashed and divided by the total
1367 weight of the running servers. The result designates which
1368 server will receive the request.
1369
1370 This is used to track user identifiers in requests and ensure
1371 that a same user ID will always be sent to the same server as
1372 long as no server goes up or down. If no value is found or if
1373 the parameter is not found, then a round robin algorithm is
1374 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001375 backend. This algorithm is static by default, which means
1376 that changing a server's weight on the fly will have no
1377 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001378
Cyril Bontédc4d9032012-04-08 21:57:39 +02001379 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1380 request. Just as with the equivalent ACL 'hdr()' function,
1381 the header name in parenthesis is not case sensitive. If the
1382 header is absent or if it does not contain any value, the
1383 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001384
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001385 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001386 reducing the hash algorithm to the main domain part with some
1387 specific headers such as 'Host'. For instance, in the Host
1388 value "haproxy.1wt.eu", only "1wt" will be considered.
1389
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001390 This algorithm is static by default, which means that
1391 changing a server's weight on the fly will have no effect,
1392 but this can be changed using "hash-type".
1393
Emeric Brun736aa232009-06-30 17:56:00 +02001394 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001395 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001396 The RDP cookie <name> (or "mstshash" if omitted) will be
1397 looked up and hashed for each incoming TCP request. Just as
1398 with the equivalent ACL 'req_rdp_cookie()' function, the name
1399 is not case-sensitive. This mechanism is useful as a degraded
1400 persistence mode, as it makes it possible to always send the
1401 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001402 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001403 used instead.
1404
1405 Note that for this to work, the frontend must ensure that an
1406 RDP cookie is already present in the request buffer. For this
1407 you must use 'tcp-request content accept' rule combined with
1408 a 'req_rdp_cookie_cnt' ACL.
1409
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001410 This algorithm is static by default, which means that
1411 changing a server's weight on the fly will have no effect,
1412 but this can be changed using "hash-type".
1413
Cyril Bontédc4d9032012-04-08 21:57:39 +02001414 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001415
Willy Tarreau0ba27502007-12-24 16:55:16 +01001416 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001417 algorithms. Right now, only "url_param" and "uri" support an
1418 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001419
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001420 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001421 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001422
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001423 The load balancing algorithm of a backend is set to roundrobin when no other
1424 algorithm, mode nor option have been set. The algorithm may only be set once
1425 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001426
1427 Examples :
1428 balance roundrobin
1429 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001430 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001431 balance hdr(User-Agent)
1432 balance hdr(host)
1433 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001434
1435 Note: the following caveats and limitations on using the "check_post"
1436 extension with "url_param" must be considered :
1437
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001438 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001439 to determine if the parameters will be found in the body or entity which
1440 may contain binary data. Therefore another method may be required to
1441 restrict consideration of POST requests that have no URL parameters in
1442 the body. (see acl reqideny http_end)
1443
1444 - using a <max_wait> value larger than the request buffer size does not
1445 make sense and is useless. The buffer size is set at build time, and
1446 defaults to 16 kB.
1447
1448 - Content-Encoding is not supported, the parameter search will probably
1449 fail; and load balancing will fall back to Round Robin.
1450
1451 - Expect: 100-continue is not supported, load balancing will fall back to
1452 Round Robin.
1453
1454 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1455 If the entire parameter value is not present in the first chunk, the
1456 selection of server is undefined (actually, defined by how little
1457 actually appeared in the first chunk).
1458
1459 - This feature does not support generation of a 100, 411 or 501 response.
1460
1461 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001462 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001463 white space or control characters are found, indicating the end of what
1464 might be a URL parameter list. This is probably not a concern with SGML
1465 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001466
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001467 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1468 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001469
1470
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001471bind [<address>]:<port_range> [, ...]
1472bind [<address>]:<port_range> [, ...] interface <interface>
1473bind [<address>]:<port_range> [, ...] mss <maxseg>
1474bind [<address>]:<port_range> [, ...] transparent
1475bind [<address>]:<port_range> [, ...] id <id>
1476bind [<address>]:<port_range> [, ...] name <name>
1477bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau71c814e2010-10-29 21:56:16 +02001478bind [<address>]:<port_range> [, ...] accept-proxy
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001479bind /<path> [, ...]
1480bind /<path> [, ...] mode <mode>
1481bind /<path> [, ...] [ user <user> | uid <uid> ]
1482bind /<path> [, ...] [ group <user> | gid <gid> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001483 Define one or several listening addresses and/or ports in a frontend.
1484 May be used in sections : defaults | frontend | listen | backend
1485 no | yes | yes | no
1486 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001487 <address> is optional and can be a host name, an IPv4 address, an IPv6
1488 address, or '*'. It designates the address the frontend will
1489 listen on. If unset, all IPv4 addresses of the system will be
1490 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001491 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001492
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001493 <port_range> is either a unique TCP port, or a port range for which the
1494 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001495 above. The port is mandatory for TCP listeners. Note that in
1496 the case of an IPv6 address, the port is always the number
1497 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001498 - a numerical port (ex: '80')
1499 - a dash-delimited ports range explicitly stating the lower
1500 and upper bounds (ex: '2000-2100') which are included in
1501 the range.
1502
1503 Particular care must be taken against port ranges, because
1504 every <address:port> couple consumes one socket (= a file
1505 descriptor), so it's easy to consume lots of descriptors
1506 with a simple range, and to run out of sockets. Also, each
1507 <address:port> couple must be used only once among all
1508 instances running on a same system. Please note that binding
1509 to ports lower than 1024 generally require particular
1510 privileges to start the program, which are independant of
1511 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001512
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001513 <path> is a UNIX socket path beginning with a slash ('/'). This is
1514 alternative to the TCP listening port. Haproxy will then
1515 receive UNIX connections on the socket located at this place.
1516 The path must begin with a slash and by default is absolute.
1517 It can be relative to the prefix defined by "unix-bind" in
1518 the global section. Note that the total length of the prefix
1519 followed by the socket path cannot exceed some system limits
1520 for UNIX sockets, which commonly are set to 107 characters.
1521
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001522 <interface> is an optional physical interface name. This is currently
1523 only supported on Linux. The interface must be a physical
1524 interface, not an aliased interface. When specified, all
1525 addresses on the same line will only be accepted if the
1526 incoming packet physically come through the designated
1527 interface. It is also possible to bind multiple frontends to
1528 the same address if they are bound to different interfaces.
1529 Note that binding to a physical interface requires root
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001530 privileges. This parameter is only compatible with TCP
1531 sockets.
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001532
Willy Tarreaube1b9182009-06-14 18:48:19 +02001533 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1534 advertised on incoming connections. This can be used to force
1535 a lower MSS for certain specific ports, for instance for
1536 connections passing through a VPN. Note that this relies on a
1537 kernel feature which is theorically supported under Linux but
1538 was buggy in all versions prior to 2.6.28. It may or may not
Willy Tarreau48a7e722010-12-24 15:26:39 +01001539 work on other operating systems. It may also not change the
1540 advertised value but change the effective size of outgoing
1541 segments. The commonly advertised value on Ethernet networks
1542 is 1460 = 1500(MTU) - 40(IP+TCP). If this value is positive,
1543 it will be used as the advertised MSS. If it is negative, it
1544 will indicate by how much to reduce the incoming connection's
1545 advertised MSS for outgoing segments. This parameter is only
1546 compatible with TCP sockets.
Willy Tarreaube1b9182009-06-14 18:48:19 +02001547
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001548 <id> is a persistent value for socket ID. Must be positive and
1549 unique in the proxy. An unused value will automatically be
1550 assigned if unset. Can only be used when defining only a
1551 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001552
1553 <name> is an optional name provided for stats
1554
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001555 <mode> is the octal mode used to define access permissions on the
1556 UNIX socket. It can also be set by default in the global
1557 section's "unix-bind" statement. Note that some platforms
1558 simply ignore this.
1559
1560 <user> is the name of user that will be marked owner of the UNIX
1561 socket. It can also be set by default in the global
1562 section's "unix-bind" statement. Note that some platforms
1563 simply ignore this.
1564
1565 <group> is the name of a group that will be used to create the UNIX
1566 socket. It can also be set by default in the global section's
1567 "unix-bind" statement. Note that some platforms simply ignore
1568 this.
1569
1570 <uid> is the uid of user that will be marked owner of the UNIX
1571 socket. It can also be set by default in the global section's
1572 "unix-bind" statement. Note that some platforms simply ignore
1573 this.
1574
1575 <gid> is the gid of a group that will be used to create the UNIX
1576 socket. It can also be set by default in the global section's
1577 "unix-bind" statement. Note that some platforms simply ignore
1578 this.
1579
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001580 transparent is an optional keyword which is supported only on certain
1581 Linux kernels. It indicates that the addresses will be bound
1582 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001583 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001584 the address was locally configured. This normally requires
1585 that IP forwarding is enabled. Caution! do not use this with
1586 the default address '*', as it would redirect any traffic for
1587 the specified port. This keyword is available only when
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001588 HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
1589 only compatible with TCP sockets.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001590
Willy Tarreau59f89202010-10-02 11:54:00 +02001591 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001592 Linux kernels. It states that a connection will only be
1593 accepted once some data arrive on it, or at worst after the
1594 first retransmit. This should be used only on protocols for
1595 which the client talks first (eg: HTTP). It can slightly
1596 improve performance by ensuring that most of the request is
1597 already available when the connection is accepted. On the
1598 other hand, it will not be able to detect connections which
1599 don't talk. It is important to note that this option is
1600 broken in all kernels up to 2.6.31, as the connection is
1601 never accepted until the client talks. This can cause issues
1602 with front firewalls which would see an established
1603 connection while the proxy will only see it in SYN_RECV.
1604
Willy Tarreau71c814e2010-10-29 21:56:16 +02001605 accept-proxy is an optional keyword which enforces use of the PROXY
1606 protocol over any connection accepted by this listener. The
1607 PROXY protocol dictates the layer 3/4 addresses of the
1608 incoming connection to be used everywhere an address is used,
1609 with the only exception of "tcp-request connection" rules
1610 which will only see the real connection address. Logs will
1611 reflect the addresses indicated in the protocol, unless it is
1612 violated, in which case the real address will still be used.
1613 This keyword combined with support from external components
1614 can be used as an efficient and reliable alternative to the
1615 X-Forwarded-For mechanism which is not always reliable and
1616 not even always usable.
1617
Willy Tarreau0ba27502007-12-24 16:55:16 +01001618 It is possible to specify a list of address:port combinations delimited by
1619 commas. The frontend will then listen on all of these addresses. There is no
1620 fixed limit to the number of addresses and ports which can be listened on in
1621 a frontend, as well as there is no limit to the number of "bind" statements
1622 in a frontend.
1623
1624 Example :
1625 listen http_proxy
1626 bind :80,:443
1627 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001628 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001629
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001630 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreau71c814e2010-10-29 21:56:16 +02001631 documentation.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001632
1633
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001634bind-process [ all | odd | even | <number 1-32> ] ...
1635 Limit visibility of an instance to a certain set of processes numbers.
1636 May be used in sections : defaults | frontend | listen | backend
1637 yes | yes | yes | yes
1638 Arguments :
1639 all All process will see this instance. This is the default. It
1640 may be used to override a default value.
1641
1642 odd This instance will be enabled on processes 1,3,5,...31. This
1643 option may be combined with other numbers.
1644
1645 even This instance will be enabled on processes 2,4,6,...32. This
1646 option may be combined with other numbers. Do not use it
1647 with less than 2 processes otherwise some instances might be
1648 missing from all processes.
1649
1650 number The instance will be enabled on this process number, between
1651 1 and 32. You must be careful not to reference a process
1652 number greater than the configured global.nbproc, otherwise
1653 some instances might be missing from all processes.
1654
1655 This keyword limits binding of certain instances to certain processes. This
1656 is useful in order not to have too many processes listening to the same
1657 ports. For instance, on a dual-core machine, it might make sense to set
1658 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1659 and 'even' instances.
1660
1661 At the moment, it is not possible to reference more than 32 processes using
1662 this keyword, but this should be more than enough for most setups. Please
1663 note that 'all' really means all processes and is not limited to the first
1664 32.
1665
1666 If some backends are referenced by frontends bound to other processes, the
1667 backend automatically inherits the frontend's processes.
1668
1669 Example :
1670 listen app_ip1
1671 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001672 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001673
1674 listen app_ip2
1675 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001676 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001677
1678 listen management
1679 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001680 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001681
1682 See also : "nbproc" in global section.
1683
1684
Willy Tarreau0ba27502007-12-24 16:55:16 +01001685block { if | unless } <condition>
1686 Block a layer 7 request if/unless a condition is matched
1687 May be used in sections : defaults | frontend | listen | backend
1688 no | yes | yes | yes
1689
1690 The HTTP request will be blocked very early in the layer 7 processing
1691 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001692 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001693 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001694 conditions are met or not met. There is no fixed limit to the number of
1695 "block" statements per instance.
1696
1697 Example:
1698 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1699 acl invalid_src src_port 0:1023
1700 acl local_dst hdr(host) -i localhost
1701 block if invalid_src || local_dst
1702
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001703 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001704
1705
1706capture cookie <name> len <length>
1707 Capture and log a cookie in the request and in the response.
1708 May be used in sections : defaults | frontend | listen | backend
1709 no | yes | yes | no
1710 Arguments :
1711 <name> is the beginning of the name of the cookie to capture. In order
1712 to match the exact name, simply suffix the name with an equal
1713 sign ('='). The full name will appear in the logs, which is
1714 useful with application servers which adjust both the cookie name
1715 and value (eg: ASPSESSIONXXXXX).
1716
1717 <length> is the maximum number of characters to report in the logs, which
1718 include the cookie name, the equal sign and the value, all in the
1719 standard "name=value" form. The string will be truncated on the
1720 right if it exceeds <length>.
1721
1722 Only the first cookie is captured. Both the "cookie" request headers and the
1723 "set-cookie" response headers are monitored. This is particularly useful to
1724 check for application bugs causing session crossing or stealing between
1725 users, because generally the user's cookies can only change on a login page.
1726
1727 When the cookie was not presented by the client, the associated log column
1728 will report "-". When a request does not cause a cookie to be assigned by the
1729 server, a "-" is reported in the response column.
1730
1731 The capture is performed in the frontend only because it is necessary that
1732 the log format does not change for a given frontend depending on the
1733 backends. This may change in the future. Note that there can be only one
1734 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001735 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001736 specify a capture in a "defaults" section.
1737
1738 Example:
1739 capture cookie ASPSESSION len 32
1740
1741 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001742 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001743
1744
1745capture request header <name> len <length>
1746 Capture and log the first occurrence of the specified request header.
1747 May be used in sections : defaults | frontend | listen | backend
1748 no | yes | yes | no
1749 Arguments :
1750 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001751 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001752 appear in the requests, with the first letter of each word in
1753 upper case. The header name will not appear in the logs, only the
1754 value is reported, but the position in the logs is respected.
1755
1756 <length> is the maximum number of characters to extract from the value and
1757 report in the logs. The string will be truncated on the right if
1758 it exceeds <length>.
1759
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001760 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001761 value will be added to the logs between braces ('{}'). If multiple headers
1762 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001763 in the same order they were declared in the configuration. Non-existent
1764 headers will be logged just as an empty string. Common uses for request
1765 header captures include the "Host" field in virtual hosting environments, the
1766 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001767 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001768 environments to find where the request came from.
1769
1770 Note that when capturing headers such as "User-agent", some spaces may be
1771 logged, making the log analysis more difficult. Thus be careful about what
1772 you log if you know your log parser is not smart enough to rely on the
1773 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001774
1775 There is no limit to the number of captured request headers, but each capture
1776 is limited to 64 characters. In order to keep log format consistent for a
1777 same frontend, header captures can only be declared in a frontend. It is not
1778 possible to specify a capture in a "defaults" section.
1779
1780 Example:
1781 capture request header Host len 15
1782 capture request header X-Forwarded-For len 15
1783 capture request header Referrer len 15
1784
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001785 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001786 about logging.
1787
1788
1789capture response header <name> len <length>
1790 Capture and log the first occurrence of the specified response header.
1791 May be used in sections : defaults | frontend | listen | backend
1792 no | yes | yes | no
1793 Arguments :
1794 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001795 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001796 appear in the response, with the first letter of each word in
1797 upper case. The header name will not appear in the logs, only the
1798 value is reported, but the position in the logs is respected.
1799
1800 <length> is the maximum number of characters to extract from the value and
1801 report in the logs. The string will be truncated on the right if
1802 it exceeds <length>.
1803
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001804 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001805 result will be added to the logs between braces ('{}') after the captured
1806 request headers. If multiple headers are captured, they will be delimited by
1807 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001808 the configuration. Non-existent headers will be logged just as an empty
1809 string. Common uses for response header captures include the "Content-length"
1810 header which indicates how many bytes are expected to be returned, the
1811 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001812
1813 There is no limit to the number of captured response headers, but each
1814 capture is limited to 64 characters. In order to keep log format consistent
1815 for a same frontend, header captures can only be declared in a frontend. It
1816 is not possible to specify a capture in a "defaults" section.
1817
1818 Example:
1819 capture response header Content-length len 9
1820 capture response header Location len 15
1821
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001822 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001823 about logging.
1824
1825
Cyril Bontéf0c60612010-02-06 14:44:47 +01001826clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001827 Set the maximum inactivity time on the client side.
1828 May be used in sections : defaults | frontend | listen | backend
1829 yes | yes | yes | no
1830 Arguments :
1831 <timeout> is the timeout value is specified in milliseconds by default, but
1832 can be in any other unit if the number is suffixed by the unit,
1833 as explained at the top of this document.
1834
1835 The inactivity timeout applies when the client is expected to acknowledge or
1836 send data. In HTTP mode, this timeout is particularly important to consider
1837 during the first phase, when the client sends the request, and during the
1838 response while it is reading data sent by the server. The value is specified
1839 in milliseconds by default, but can be in any other unit if the number is
1840 suffixed by the unit, as specified at the top of this document. In TCP mode
1841 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1842 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001843 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001844 losses by specifying timeouts that are slightly above multiples of 3 seconds
1845 (eg: 4 or 5 seconds).
1846
1847 This parameter is specific to frontends, but can be specified once for all in
1848 "defaults" sections. This is in fact one of the easiest solutions not to
1849 forget about it. An unspecified timeout results in an infinite timeout, which
1850 is not recommended. Such a usage is accepted and works but reports a warning
1851 during startup because it may results in accumulation of expired sessions in
1852 the system if the system's timeouts are not configured either.
1853
1854 This parameter is provided for compatibility but is currently deprecated.
1855 Please use "timeout client" instead.
1856
Willy Tarreau036fae02008-01-06 13:24:40 +01001857 See also : "timeout client", "timeout http-request", "timeout server", and
1858 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001859
1860
Cyril Bontéf0c60612010-02-06 14:44:47 +01001861contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001862 Set the maximum time to wait for a connection attempt to a server to succeed.
1863 May be used in sections : defaults | frontend | listen | backend
1864 yes | no | yes | yes
1865 Arguments :
1866 <timeout> is the timeout value is specified in milliseconds by default, but
1867 can be in any other unit if the number is suffixed by the unit,
1868 as explained at the top of this document.
1869
1870 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001871 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001872 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001873 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1874 connect timeout also presets the queue timeout to the same value if this one
1875 has not been specified. Historically, the contimeout was also used to set the
1876 tarpit timeout in a listen section, which is not possible in a pure frontend.
1877
1878 This parameter is specific to backends, but can be specified once for all in
1879 "defaults" sections. This is in fact one of the easiest solutions not to
1880 forget about it. An unspecified timeout results in an infinite timeout, which
1881 is not recommended. Such a usage is accepted and works but reports a warning
1882 during startup because it may results in accumulation of failed sessions in
1883 the system if the system's timeouts are not configured either.
1884
1885 This parameter is provided for backwards compatibility but is currently
1886 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1887 instead.
1888
1889 See also : "timeout connect", "timeout queue", "timeout tarpit",
1890 "timeout server", "contimeout".
1891
1892
Willy Tarreau55165fe2009-05-10 12:02:55 +02001893cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02001894 [ postonly ] [ preserve ] [ httponly ] [ secure ]
1895 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001896 Enable cookie-based persistence in a backend.
1897 May be used in sections : defaults | frontend | listen | backend
1898 yes | no | yes | yes
1899 Arguments :
1900 <name> is the name of the cookie which will be monitored, modified or
1901 inserted in order to bring persistence. This cookie is sent to
1902 the client via a "Set-Cookie" header in the response, and is
1903 brought back by the client in a "Cookie" header in all requests.
1904 Special care should be taken to choose a name which does not
1905 conflict with any likely application cookie. Also, if the same
1906 backends are subject to be used by the same clients (eg:
1907 HTTP/HTTPS), care should be taken to use different cookie names
1908 between all backends if persistence between them is not desired.
1909
1910 rewrite This keyword indicates that the cookie will be provided by the
1911 server and that haproxy will have to modify its value to set the
1912 server's identifier in it. This mode is handy when the management
1913 of complex combinations of "Set-cookie" and "Cache-control"
1914 headers is left to the application. The application can then
1915 decide whether or not it is appropriate to emit a persistence
1916 cookie. Since all responses should be monitored, this mode only
1917 works in HTTP close mode. Unless the application behaviour is
1918 very complex and/or broken, it is advised not to start with this
1919 mode for new deployments. This keyword is incompatible with
1920 "insert" and "prefix".
1921
1922 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001923 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001924
Willy Tarreaua79094d2010-08-31 22:54:15 +02001925 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001926 server. When used without the "preserve" option, if the server
1927 emits a cookie with the same name, it will be remove before
1928 processing. For this reason, this mode can be used to upgrade
1929 existing configurations running in the "rewrite" mode. The cookie
1930 will only be a session cookie and will not be stored on the
1931 client's disk. By default, unless the "indirect" option is added,
1932 the server will see the cookies emitted by the client. Due to
1933 caching effects, it is generally wise to add the "nocache" or
1934 "postonly" keywords (see below). The "insert" keyword is not
1935 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001936
1937 prefix This keyword indicates that instead of relying on a dedicated
1938 cookie for the persistence, an existing one will be completed.
1939 This may be needed in some specific environments where the client
1940 does not support more than one single cookie and the application
1941 already needs it. In this case, whenever the server sets a cookie
1942 named <name>, it will be prefixed with the server's identifier
1943 and a delimiter. The prefix will be removed from all client
1944 requests so that the server still finds the cookie it emitted.
1945 Since all requests and responses are subject to being modified,
1946 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02001947 not compatible with "rewrite" and "insert". Note: it is highly
1948 recommended not to use "indirect" with "prefix", otherwise server
1949 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001950
Willy Tarreaua79094d2010-08-31 22:54:15 +02001951 indirect When this option is specified, no cookie will be emitted to a
1952 client which already has a valid one for the server which has
1953 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001954 it will be removed, unless the "preserve" option is also set. In
1955 "insert" mode, this will additionally remove cookies from the
1956 requests transmitted to the server, making the persistence
1957 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02001958 Note: it is highly recommended not to use "indirect" with
1959 "prefix", otherwise server cookie updates would not be sent to
1960 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001961
1962 nocache This option is recommended in conjunction with the insert mode
1963 when there is a cache between the client and HAProxy, as it
1964 ensures that a cacheable response will be tagged non-cacheable if
1965 a cookie needs to be inserted. This is important because if all
1966 persistence cookies are added on a cacheable home page for
1967 instance, then all customers will then fetch the page from an
1968 outer cache and will all share the same persistence cookie,
1969 leading to one server receiving much more traffic than others.
1970 See also the "insert" and "postonly" options.
1971
1972 postonly This option ensures that cookie insertion will only be performed
1973 on responses to POST requests. It is an alternative to the
1974 "nocache" option, because POST responses are not cacheable, so
1975 this ensures that the persistence cookie will never get cached.
1976 Since most sites do not need any sort of persistence before the
1977 first POST which generally is a login request, this is a very
1978 efficient method to optimize caching without risking to find a
1979 persistence cookie in the cache.
1980 See also the "insert" and "nocache" options.
1981
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001982 preserve This option may only be used with "insert" and/or "indirect". It
1983 allows the server to emit the persistence cookie itself. In this
1984 case, if a cookie is found in the response, haproxy will leave it
1985 untouched. This is useful in order to end persistence after a
1986 logout request for instance. For this, the server just has to
1987 emit a cookie with an invalid value (eg: empty) or with a date in
1988 the past. By combining this mechanism with the "disable-on-404"
1989 check option, it is possible to perform a completely graceful
1990 shutdown because users will definitely leave the server after
1991 they logout.
1992
Willy Tarreau4992dd22012-05-31 21:02:17 +02001993 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
1994 when a cookie is inserted. This attribute is used so that a
1995 user agent doesn't share the cookie with non-HTTP components.
1996 Please check RFC6265 for more information on this attribute.
1997
1998 secure This option tells haproxy to add a "Secure" cookie attribute when
1999 a cookie is inserted. This attribute is used so that a user agent
2000 never emits this cookie over non-secure channels, which means
2001 that a cookie learned with this flag will be presented only over
2002 SSL/TLS connections. Please check RFC6265 for more information on
2003 this attribute.
2004
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002005 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002006 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002007 name. If the domain begins with a dot, the browser is allowed to
2008 use it for any host ending with that name. It is also possible to
2009 specify several domain names by invoking this option multiple
2010 times. Some browsers might have small limits on the number of
2011 domains, so be careful when doing that. For the record, sending
2012 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002013
Willy Tarreau996a92c2010-10-13 19:30:47 +02002014 maxidle This option allows inserted cookies to be ignored after some idle
2015 time. It only works with insert-mode cookies. When a cookie is
2016 sent to the client, the date this cookie was emitted is sent too.
2017 Upon further presentations of this cookie, if the date is older
2018 than the delay indicated by the parameter (in seconds), it will
2019 be ignored. Otherwise, it will be refreshed if needed when the
2020 response is sent to the client. This is particularly useful to
2021 prevent users who never close their browsers from remaining for
2022 too long on the same server (eg: after a farm size change). When
2023 this option is set and a cookie has no date, it is always
2024 accepted, but gets refreshed in the response. This maintains the
2025 ability for admins to access their sites. Cookies that have a
2026 date in the future further than 24 hours are ignored. Doing so
2027 lets admins fix timezone issues without risking kicking users off
2028 the site.
2029
2030 maxlife This option allows inserted cookies to be ignored after some life
2031 time, whether they're in use or not. It only works with insert
2032 mode cookies. When a cookie is first sent to the client, the date
2033 this cookie was emitted is sent too. Upon further presentations
2034 of this cookie, if the date is older than the delay indicated by
2035 the parameter (in seconds), it will be ignored. If the cookie in
2036 the request has no date, it is accepted and a date will be set.
2037 Cookies that have a date in the future further than 24 hours are
2038 ignored. Doing so lets admins fix timezone issues without risking
2039 kicking users off the site. Contrary to maxidle, this value is
2040 not refreshed, only the first visit date counts. Both maxidle and
2041 maxlife may be used at the time. This is particularly useful to
2042 prevent users who never close their browsers from remaining for
2043 too long on the same server (eg: after a farm size change). This
2044 is stronger than the maxidle method in that it forces a
2045 redispatch after some absolute delay.
2046
Willy Tarreau0ba27502007-12-24 16:55:16 +01002047 There can be only one persistence cookie per HTTP backend, and it can be
2048 declared in a defaults section. The value of the cookie will be the value
2049 indicated after the "cookie" keyword in a "server" statement. If no cookie
2050 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002051
Willy Tarreau0ba27502007-12-24 16:55:16 +01002052 Examples :
2053 cookie JSESSIONID prefix
2054 cookie SRV insert indirect nocache
2055 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002056 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002057
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002058 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002059 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002060
Willy Tarreau983e01e2010-01-11 18:42:06 +01002061
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002062default-server [param*]
2063 Change default options for a server in a backend
2064 May be used in sections : defaults | frontend | listen | backend
2065 yes | no | yes | yes
2066 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002067 <param*> is a list of parameters for this server. The "default-server"
2068 keyword accepts an important number of options and has a complete
2069 section dedicated to it. Please refer to section 5 for more
2070 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002071
Willy Tarreau983e01e2010-01-11 18:42:06 +01002072 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002073 default-server inter 1000 weight 13
2074
2075 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002076
Willy Tarreau983e01e2010-01-11 18:42:06 +01002077
Willy Tarreau0ba27502007-12-24 16:55:16 +01002078default_backend <backend>
2079 Specify the backend to use when no "use_backend" rule has been matched.
2080 May be used in sections : defaults | frontend | listen | backend
2081 yes | yes | yes | no
2082 Arguments :
2083 <backend> is the name of the backend to use.
2084
2085 When doing content-switching between frontend and backends using the
2086 "use_backend" keyword, it is often useful to indicate which backend will be
2087 used when no rule has matched. It generally is the dynamic backend which
2088 will catch all undetermined requests.
2089
Willy Tarreau0ba27502007-12-24 16:55:16 +01002090 Example :
2091
2092 use_backend dynamic if url_dyn
2093 use_backend static if url_css url_img extension_img
2094 default_backend dynamic
2095
Willy Tarreau2769aa02007-12-27 18:26:09 +01002096 See also : "use_backend", "reqsetbe", "reqisetbe"
2097
Willy Tarreau0ba27502007-12-24 16:55:16 +01002098
2099disabled
2100 Disable a proxy, frontend or backend.
2101 May be used in sections : defaults | frontend | listen | backend
2102 yes | yes | yes | yes
2103 Arguments : none
2104
2105 The "disabled" keyword is used to disable an instance, mainly in order to
2106 liberate a listening port or to temporarily disable a service. The instance
2107 will still be created and its configuration will be checked, but it will be
2108 created in the "stopped" state and will appear as such in the statistics. It
2109 will not receive any traffic nor will it send any health-checks or logs. It
2110 is possible to disable many instances at once by adding the "disabled"
2111 keyword in a "defaults" section.
2112
2113 See also : "enabled"
2114
2115
Willy Tarreau5ce94572010-06-07 14:35:41 +02002116dispatch <address>:<port>
2117 Set a default server address
2118 May be used in sections : defaults | frontend | listen | backend
2119 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002120 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002121
2122 <address> is the IPv4 address of the default server. Alternatively, a
2123 resolvable hostname is supported, but this name will be resolved
2124 during start-up.
2125
2126 <ports> is a mandatory port specification. All connections will be sent
2127 to this port, and it is not permitted to use port offsets as is
2128 possible with normal servers.
2129
Willy Tarreau787aed52011-04-15 06:45:37 +02002130 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002131 server can take the connection. In the past it was used to forward non
2132 persistent connections to an auxiliary load balancer. Due to its simple
2133 syntax, it has also been used for simple TCP relays. It is recommended not to
2134 use it for more clarity, and to use the "server" directive instead.
2135
2136 See also : "server"
2137
2138
Willy Tarreau0ba27502007-12-24 16:55:16 +01002139enabled
2140 Enable a proxy, frontend or backend.
2141 May be used in sections : defaults | frontend | listen | backend
2142 yes | yes | yes | yes
2143 Arguments : none
2144
2145 The "enabled" keyword is used to explicitly enable an instance, when the
2146 defaults has been set to "disabled". This is very rarely used.
2147
2148 See also : "disabled"
2149
2150
2151errorfile <code> <file>
2152 Return a file contents instead of errors generated by HAProxy
2153 May be used in sections : defaults | frontend | listen | backend
2154 yes | yes | yes | yes
2155 Arguments :
2156 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002157 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002158
2159 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002160 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002161 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002162 error pages, and to use absolute paths, since files are read
2163 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002164
2165 It is important to understand that this keyword is not meant to rewrite
2166 errors returned by the server, but errors detected and returned by HAProxy.
2167 This is why the list of supported errors is limited to a small set.
2168
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002169 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2170
Willy Tarreau0ba27502007-12-24 16:55:16 +01002171 The files are returned verbatim on the TCP socket. This allows any trick such
2172 as redirections to another URL or site, as well as tricks to clean cookies,
2173 force enable or disable caching, etc... The package provides default error
2174 files returning the same contents as default errors.
2175
Willy Tarreau59140a22009-02-22 12:02:30 +01002176 The files should not exceed the configured buffer size (BUFSIZE), which
2177 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2178 not to put any reference to local contents (eg: images) in order to avoid
2179 loops between the client and HAProxy when all servers are down, causing an
2180 error to be returned instead of an image. For better HTTP compliance, it is
2181 recommended that all header lines end with CR-LF and not LF alone.
2182
Willy Tarreau0ba27502007-12-24 16:55:16 +01002183 The files are read at the same time as the configuration and kept in memory.
2184 For this reason, the errors continue to be returned even when the process is
2185 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002186 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002187 403 status code and interrogating a blocked URL.
2188
2189 See also : "errorloc", "errorloc302", "errorloc303"
2190
Willy Tarreau59140a22009-02-22 12:02:30 +01002191 Example :
2192 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
2193 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2194 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2195
Willy Tarreau2769aa02007-12-27 18:26:09 +01002196
2197errorloc <code> <url>
2198errorloc302 <code> <url>
2199 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2200 May be used in sections : defaults | frontend | listen | backend
2201 yes | yes | yes | yes
2202 Arguments :
2203 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002204 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002205
2206 <url> it is the exact contents of the "Location" header. It may contain
2207 either a relative URI to an error page hosted on the same site,
2208 or an absolute URI designating an error page on another site.
2209 Special care should be given to relative URIs to avoid redirect
2210 loops if the URI itself may generate the same error (eg: 500).
2211
2212 It is important to understand that this keyword is not meant to rewrite
2213 errors returned by the server, but errors detected and returned by HAProxy.
2214 This is why the list of supported errors is limited to a small set.
2215
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002216 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2217
Willy Tarreau2769aa02007-12-27 18:26:09 +01002218 Note that both keyword return the HTTP 302 status code, which tells the
2219 client to fetch the designated URL using the same HTTP method. This can be
2220 quite problematic in case of non-GET methods such as POST, because the URL
2221 sent to the client might not be allowed for something other than GET. To
2222 workaround this problem, please use "errorloc303" which send the HTTP 303
2223 status code, indicating to the client that the URL must be fetched with a GET
2224 request.
2225
2226 See also : "errorfile", "errorloc303"
2227
2228
2229errorloc303 <code> <url>
2230 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2231 May be used in sections : defaults | frontend | listen | backend
2232 yes | yes | yes | yes
2233 Arguments :
2234 <code> is the HTTP status code. Currently, HAProxy is capable of
2235 generating codes 400, 403, 408, 500, 502, 503, and 504.
2236
2237 <url> it is the exact contents of the "Location" header. It may contain
2238 either a relative URI to an error page hosted on the same site,
2239 or an absolute URI designating an error page on another site.
2240 Special care should be given to relative URIs to avoid redirect
2241 loops if the URI itself may generate the same error (eg: 500).
2242
2243 It is important to understand that this keyword is not meant to rewrite
2244 errors returned by the server, but errors detected and returned by HAProxy.
2245 This is why the list of supported errors is limited to a small set.
2246
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002247 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2248
Willy Tarreau2769aa02007-12-27 18:26:09 +01002249 Note that both keyword return the HTTP 303 status code, which tells the
2250 client to fetch the designated URL using the same HTTP GET method. This
2251 solves the usual problems associated with "errorloc" and the 302 code. It is
2252 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002253 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002254
2255 See also : "errorfile", "errorloc", "errorloc302"
2256
2257
Willy Tarreau4de91492010-01-22 19:10:05 +01002258force-persist { if | unless } <condition>
2259 Declare a condition to force persistence on down servers
2260 May be used in sections: defaults | frontend | listen | backend
2261 no | yes | yes | yes
2262
2263 By default, requests are not dispatched to down servers. It is possible to
2264 force this using "option persist", but it is unconditional and redispatches
2265 to a valid server if "option redispatch" is set. That leaves with very little
2266 possibilities to force some requests to reach a server which is artificially
2267 marked down for maintenance operations.
2268
2269 The "force-persist" statement allows one to declare various ACL-based
2270 conditions which, when met, will cause a request to ignore the down status of
2271 a server and still try to connect to it. That makes it possible to start a
2272 server, still replying an error to the health checks, and run a specially
2273 configured browser to test the service. Among the handy methods, one could
2274 use a specific source IP address, or a specific cookie. The cookie also has
2275 the advantage that it can easily be added/removed on the browser from a test
2276 page. Once the service is validated, it is then possible to open the service
2277 to the world by returning a valid response to health checks.
2278
2279 The forced persistence is enabled when an "if" condition is met, or unless an
2280 "unless" condition is met. The final redispatch is always disabled when this
2281 is used.
2282
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002283 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002284 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002285
2286
Willy Tarreau2769aa02007-12-27 18:26:09 +01002287fullconn <conns>
2288 Specify at what backend load the servers will reach their maxconn
2289 May be used in sections : defaults | frontend | listen | backend
2290 yes | no | yes | yes
2291 Arguments :
2292 <conns> is the number of connections on the backend which will make the
2293 servers use the maximal number of connections.
2294
Willy Tarreau198a7442008-01-17 12:05:32 +01002295 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002296 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002297 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002298 load. The server will then always accept at least <minconn> connections,
2299 never more than <maxconn>, and the limit will be on the ramp between both
2300 values when the backend has less than <conns> concurrent connections. This
2301 makes it possible to limit the load on the servers during normal loads, but
2302 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002303 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002304
Willy Tarreaufbb78422011-06-05 15:38:35 +02002305 Since it's hard to get this value right, haproxy automatically sets it to
2306 10% of the sum of the maxconns of all frontends that may branch to this
2307 backend. That way it's safe to leave it unset.
2308
Willy Tarreau2769aa02007-12-27 18:26:09 +01002309 Example :
2310 # The servers will accept between 100 and 1000 concurrent connections each
2311 # and the maximum of 1000 will be reached when the backend reaches 10000
2312 # connections.
2313 backend dynamic
2314 fullconn 10000
2315 server srv1 dyn1:80 minconn 100 maxconn 1000
2316 server srv2 dyn2:80 minconn 100 maxconn 1000
2317
2318 See also : "maxconn", "server"
2319
2320
2321grace <time>
2322 Maintain a proxy operational for some time after a soft stop
2323 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002324 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002325 Arguments :
2326 <time> is the time (by default in milliseconds) for which the instance
2327 will remain operational with the frontend sockets still listening
2328 when a soft-stop is received via the SIGUSR1 signal.
2329
2330 This may be used to ensure that the services disappear in a certain order.
2331 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002332 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002333 needed by the equipment to detect the failure.
2334
2335 Note that currently, there is very little benefit in using this parameter,
2336 and it may in fact complicate the soft-reconfiguration process more than
2337 simplify it.
2338
Willy Tarreau0ba27502007-12-24 16:55:16 +01002339
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002340hash-type <method>
2341 Specify a method to use for mapping hashes to servers
2342 May be used in sections : defaults | frontend | listen | backend
2343 yes | no | yes | yes
2344 Arguments :
2345 map-based the hash table is a static array containing all alive servers.
2346 The hashes will be very smooth, will consider weights, but will
2347 be static in that weight changes while a server is up will be
2348 ignored. This means that there will be no slow start. Also,
2349 since a server is selected by its position in the array, most
2350 mappings are changed when the server count changes. This means
2351 that when a server goes up or down, or when a server is added
2352 to a farm, most connections will be redistributed to different
2353 servers. This can be inconvenient with caches for instance.
2354
Willy Tarreau798a39c2010-11-24 15:04:29 +01002355 avalanche this mechanism uses the default map-based hashing described
2356 above but applies a full avalanche hash before performing the
2357 mapping. The result is a slightly less smooth hash for most
2358 situations, but the hash becomes better than pure map-based
2359 hashes when the number of servers is a multiple of the size of
2360 the input set. When using URI hash with a number of servers
2361 multiple of 64, it's desirable to change the hash type to
2362 this value.
2363
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002364 consistent the hash table is a tree filled with many occurrences of each
2365 server. The hash key is looked up in the tree and the closest
2366 server is chosen. This hash is dynamic, it supports changing
2367 weights while the servers are up, so it is compatible with the
2368 slow start feature. It has the advantage that when a server
2369 goes up or down, only its associations are moved. When a server
2370 is added to the farm, only a few part of the mappings are
2371 redistributed, making it an ideal algorithm for caches.
2372 However, due to its principle, the algorithm will never be very
2373 smooth and it may sometimes be necessary to adjust a server's
2374 weight or its ID to get a more balanced distribution. In order
2375 to get the same distribution on multiple load balancers, it is
2376 important that all servers have the same IDs.
2377
2378 The default hash type is "map-based" and is recommended for most usages.
2379
2380 See also : "balance", "server"
2381
2382
Willy Tarreau0ba27502007-12-24 16:55:16 +01002383http-check disable-on-404
2384 Enable a maintenance mode upon HTTP/404 response to health-checks
2385 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002386 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002387 Arguments : none
2388
2389 When this option is set, a server which returns an HTTP code 404 will be
2390 excluded from further load-balancing, but will still receive persistent
2391 connections. This provides a very convenient method for Web administrators
2392 to perform a graceful shutdown of their servers. It is also important to note
2393 that a server which is detected as failed while it was in this mode will not
2394 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2395 will immediately be reinserted into the farm. The status on the stats page
2396 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002397 option only works in conjunction with the "httpchk" option. If this option
2398 is used with "http-check expect", then it has precedence over it so that 404
2399 responses will still be considered as soft-stop.
2400
2401 See also : "option httpchk", "http-check expect"
2402
2403
2404http-check expect [!] <match> <pattern>
2405 Make HTTP health checks consider reponse contents or specific status codes
2406 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002407 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002408 Arguments :
2409 <match> is a keyword indicating how to look for a specific pattern in the
2410 response. The keyword may be one of "status", "rstatus",
Cyril Bontédc4d9032012-04-08 21:57:39 +02002411 "string", or "rstring". The keyword may be preceeded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002412 exclamation mark ("!") to negate the match. Spaces are allowed
2413 between the exclamation mark and the keyword. See below for more
2414 details on the supported keywords.
2415
2416 <pattern> is the pattern to look for. It may be a string or a regular
2417 expression. If the pattern contains spaces, they must be escaped
2418 with the usual backslash ('\').
2419
2420 By default, "option httpchk" considers that response statuses 2xx and 3xx
2421 are valid, and that others are invalid. When "http-check expect" is used,
2422 it defines what is considered valid or invalid. Only one "http-check"
2423 statement is supported in a backend. If a server fails to respond or times
2424 out, the check obviously fails. The available matches are :
2425
2426 status <string> : test the exact string match for the HTTP status code.
2427 A health check respose will be considered valid if the
2428 response's status code is exactly this string. If the
2429 "status" keyword is prefixed with "!", then the response
2430 will be considered invalid if the status code matches.
2431
2432 rstatus <regex> : test a regular expression for the HTTP status code.
2433 A health check respose will be considered valid if the
2434 response's status code matches the expression. If the
2435 "rstatus" keyword is prefixed with "!", then the response
2436 will be considered invalid if the status code matches.
2437 This is mostly used to check for multiple codes.
2438
2439 string <string> : test the exact string match in the HTTP response body.
2440 A health check respose will be considered valid if the
2441 response's body contains this exact string. If the
2442 "string" keyword is prefixed with "!", then the response
2443 will be considered invalid if the body contains this
2444 string. This can be used to look for a mandatory word at
2445 the end of a dynamic page, or to detect a failure when a
2446 specific error appears on the check page (eg: a stack
2447 trace).
2448
2449 rstring <regex> : test a regular expression on the HTTP response body.
2450 A health check respose will be considered valid if the
2451 response's body matches this expression. If the "rstring"
2452 keyword is prefixed with "!", then the response will be
2453 considered invalid if the body matches the expression.
2454 This can be used to look for a mandatory word at the end
2455 of a dynamic page, or to detect a failure when a specific
2456 error appears on the check page (eg: a stack trace).
2457
2458 It is important to note that the responses will be limited to a certain size
2459 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2460 Thus, too large responses may not contain the mandatory pattern when using
2461 "string" or "rstring". If a large response is absolutely required, it is
2462 possible to change the default max size by setting the global variable.
2463 However, it is worth keeping in mind that parsing very large responses can
2464 waste some CPU cycles, especially when regular expressions are used, and that
2465 it is always better to focus the checks on smaller resources.
2466
2467 Last, if "http-check expect" is combined with "http-check disable-on-404",
2468 then this last one has precedence when the server responds with 404.
2469
2470 Examples :
2471 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002472 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002473
2474 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002475 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002476
2477 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002478 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002479
2480 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002481 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002482
Willy Tarreaubd741542010-03-16 18:46:54 +01002483 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002484
2485
Willy Tarreauef781042010-01-27 11:53:01 +01002486http-check send-state
2487 Enable emission of a state header with HTTP health checks
2488 May be used in sections : defaults | frontend | listen | backend
2489 yes | no | yes | yes
2490 Arguments : none
2491
2492 When this option is set, haproxy will systematically send a special header
2493 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2494 how they are seen by haproxy. This can be used for instance when a server is
2495 manipulated without access to haproxy and the operator needs to know whether
2496 haproxy still sees it up or not, or if the server is the last one in a farm.
2497
2498 The header is composed of fields delimited by semi-colons, the first of which
2499 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2500 checks on the total number before transition, just as appears in the stats
2501 interface. Next headers are in the form "<variable>=<value>", indicating in
2502 no specific order some values available in the stats interface :
2503 - a variable "name", containing the name of the backend followed by a slash
2504 ("/") then the name of the server. This can be used when a server is
2505 checked in multiple backends.
2506
2507 - a variable "node" containing the name of the haproxy node, as set in the
2508 global "node" variable, otherwise the system's hostname if unspecified.
2509
2510 - a variable "weight" indicating the weight of the server, a slash ("/")
2511 and the total weight of the farm (just counting usable servers). This
2512 helps to know if other servers are available to handle the load when this
2513 one fails.
2514
2515 - a variable "scur" indicating the current number of concurrent connections
2516 on the server, followed by a slash ("/") then the total number of
2517 connections on all servers of the same backend.
2518
2519 - a variable "qcur" indicating the current number of requests in the
2520 server's queue.
2521
2522 Example of a header received by the application server :
2523 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2524 scur=13/22; qcur=0
2525
2526 See also : "option httpchk", "http-check disable-on-404"
2527
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002528http-request { allow | deny | auth [realm <realm>] }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002529 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002530 Access control for Layer 7 requests
2531
2532 May be used in sections: defaults | frontend | listen | backend
2533 no | yes | yes | yes
2534
2535 These set of options allow to fine control access to a
2536 frontend/listen/backend. Each option may be followed by if/unless and acl.
2537 First option with matched condition (or option without condition) is final.
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002538 For "deny" a 403 error will be returned, for "allow" normal processing is
2539 performed, for "auth" a 401/407 error code is returned so the client
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002540 should be asked to enter a username and password.
2541
2542 There is no fixed limit to the number of http-request statements per
2543 instance.
2544
2545 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002546 acl nagios src 192.168.129.3
2547 acl local_net src 192.168.0.0/16
2548 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002549
Cyril Bonté78caf842010-03-10 22:41:43 +01002550 http-request allow if nagios
2551 http-request allow if local_net auth_ok
2552 http-request auth realm Gimme if local_net auth_ok
2553 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002554
Cyril Bonté78caf842010-03-10 22:41:43 +01002555 Example:
2556 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002557
Cyril Bonté78caf842010-03-10 22:41:43 +01002558 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002559
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002560 See also : "stats http-request", section 3.4 about userlists and section 7
2561 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002562
Mark Lamourinec2247f02012-01-04 13:02:01 -05002563http-send-name-header [<header>]
2564 Add the server name to a request. Use the header string given by <header>
2565
2566 May be used in sections: defaults | frontend | listen | backend
2567 yes | no | yes | yes
2568
2569 Arguments :
2570
2571 <header> The header string to use to send the server name
2572
2573 The "http-send-name-header" statement causes the name of the target
2574 server to be added to the headers of an HTTP request. The name
2575 is added with the header string proved.
2576
2577 See also : "server"
2578
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002579id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002580 Set a persistent ID to a proxy.
2581 May be used in sections : defaults | frontend | listen | backend
2582 no | yes | yes | yes
2583 Arguments : none
2584
2585 Set a persistent ID for the proxy. This ID must be unique and positive.
2586 An unused ID will automatically be assigned if unset. The first assigned
2587 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002588
2589
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002590ignore-persist { if | unless } <condition>
2591 Declare a condition to ignore persistence
2592 May be used in sections: defaults | frontend | listen | backend
2593 no | yes | yes | yes
2594
2595 By default, when cookie persistence is enabled, every requests containing
2596 the cookie are unconditionally persistent (assuming the target server is up
2597 and running).
2598
2599 The "ignore-persist" statement allows one to declare various ACL-based
2600 conditions which, when met, will cause a request to ignore persistence.
2601 This is sometimes useful to load balance requests for static files, which
2602 oftenly don't require persistence. This can also be used to fully disable
2603 persistence for a specific User-Agent (for example, some web crawler bots).
2604
2605 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2606 the appsession table won't grow if persistence is ignored.
2607
2608 The persistence is ignored when an "if" condition is met, or unless an
2609 "unless" condition is met.
2610
2611 See also : "force-persist", "cookie", and section 7 about ACL usage.
2612
2613
Willy Tarreau2769aa02007-12-27 18:26:09 +01002614log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002615log <address> <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02002616no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01002617 Enable per-instance logging of events and traffic.
2618 May be used in sections : defaults | frontend | listen | backend
2619 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02002620
2621 Prefix :
2622 no should be used when the logger list must be flushed. For example,
2623 if you don't want to inherit from the default logger list. This
2624 prefix does not allow arguments.
2625
Willy Tarreau2769aa02007-12-27 18:26:09 +01002626 Arguments :
2627 global should be used when the instance's logging parameters are the
2628 same as the global ones. This is the most common usage. "global"
2629 replaces <address>, <facility> and <level> with those of the log
2630 entries found in the "global" section. Only one "log global"
2631 statement may be used per instance, and this form takes no other
2632 parameter.
2633
2634 <address> indicates where to send the logs. It takes the same format as
2635 for the "global" section's logs, and can be one of :
2636
2637 - An IPv4 address optionally followed by a colon (':') and a UDP
2638 port. If no port is specified, 514 is used by default (the
2639 standard syslog port).
2640
David du Colombier24bb5f52011-03-17 10:40:23 +01002641 - An IPv6 address followed by a colon (':') and optionally a UDP
2642 port. If no port is specified, 514 is used by default (the
2643 standard syslog port).
2644
Willy Tarreau2769aa02007-12-27 18:26:09 +01002645 - A filesystem path to a UNIX domain socket, keeping in mind
2646 considerations for chroot (be sure the path is accessible
2647 inside the chroot) and uid/gid (be sure the path is
2648 appropriately writeable).
2649
2650 <facility> must be one of the 24 standard syslog facilities :
2651
2652 kern user mail daemon auth syslog lpr news
2653 uucp cron auth2 ftp ntp audit alert cron2
2654 local0 local1 local2 local3 local4 local5 local6 local7
2655
2656 <level> is optional and can be specified to filter outgoing messages. By
2657 default, all messages are sent. If a level is specified, only
2658 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002659 will be sent. An optional minimum level can be specified. If it
2660 is set, logs emitted with a more severe level than this one will
2661 be capped to this level. This is used to avoid sending "emerg"
2662 messages on all terminals on some default syslog configurations.
2663 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002664
2665 emerg alert crit err warning notice info debug
2666
William Lallemand0f99e342011-10-12 17:50:54 +02002667 It is important to keep in mind that it is the frontend which decides what to
2668 log from a connection, and that in case of content switching, the log entries
2669 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002670
2671 However, backend log declaration define how and where servers status changes
2672 will be logged. Level "notice" will be used to indicate a server going up,
2673 "warning" will be used for termination signals and definitive service
2674 termination, and "alert" will be used for when a server goes down.
2675
2676 Note : According to RFC3164, messages are truncated to 1024 bytes before
2677 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002678
2679 Example :
2680 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002681 log 127.0.0.1:514 local0 notice # only send important events
2682 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002683
William Lallemand48940402012-01-30 16:47:22 +01002684log-format <string>
2685 Allows you to custom a log line.
2686
2687 See also : Custom Log Format (8.2.4)
2688
Willy Tarreau2769aa02007-12-27 18:26:09 +01002689
2690maxconn <conns>
2691 Fix the maximum number of concurrent connections on a frontend
2692 May be used in sections : defaults | frontend | listen | backend
2693 yes | yes | yes | no
2694 Arguments :