blob: 8a91e7b8fb645ac0de3c94695a3e2326444507aa [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau37242fa2010-08-28 19:21:00 +02007 2010/08/28
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Willy Tarreauc57f0e22009-05-10 13:12:33 +020050
514. Proxies
524.1. Proxy keywords matrix
534.2. Alphabetically sorted keywords reference
54
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100555. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020056
576. HTTP header manipulation
58
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100597. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200607.1. Matching integers
617.2. Matching strings
627.3. Matching regular expressions (regexes)
637.4. Matching IPv4 addresses
647.5. Available matching criteria
657.5.1. Matching at Layer 4 and below
667.5.2. Matching contents at Layer 4
677.5.3. Matching at Layer 7
687.6. Pre-defined ACLs
697.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100707.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020071
728. Logging
738.1. Log levels
748.2. Log formats
758.2.1. Default log format
768.2.2. TCP log format
778.2.3. HTTP log format
788.3. Advanced logging options
798.3.1. Disabling logging of external tests
808.3.2. Logging before waiting for the session to terminate
818.3.3. Raising log level upon errors
828.3.4. Disabling logging of successful connections
838.4. Timing events
848.5. Session state at disconnection
858.6. Non-printable characters
868.7. Capturing HTTP cookies
878.8. Capturing HTTP headers
888.9. Examples of logs
89
909. Statistics and monitoring
919.1. CSV format
929.2. Unix Socket commands
93
94
951. Quick reminder about HTTP
96----------------------------
97
98When haproxy is running in HTTP mode, both the request and the response are
99fully analyzed and indexed, thus it becomes possible to build matching criteria
100on almost anything found in the contents.
101
102However, it is important to understand how HTTP requests and responses are
103formed, and how HAProxy decomposes them. It will then become easier to write
104correct rules and to debug existing configurations.
105
106
1071.1. The HTTP transaction model
108-------------------------------
109
110The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100111to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200112from the client to the server, a request is sent by the client on the
113connection, the server responds and the connection is closed. A new request
114will involve a new connection :
115
116 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
117
118In this mode, called the "HTTP close" mode, there are as many connection
119establishments as there are HTTP transactions. Since the connection is closed
120by the server after the response, the client does not need to know the content
121length.
122
123Due to the transactional nature of the protocol, it was possible to improve it
124to avoid closing a connection between two subsequent transactions. In this mode
125however, it is mandatory that the server indicates the content length for each
126response so that the client does not wait indefinitely. For this, a special
127header is used: "Content-length". This mode is called the "keep-alive" mode :
128
129 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
130
131Its advantages are a reduced latency between transactions, and less processing
132power required on the server side. It is generally better than the close mode,
133but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200134a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200135
136A last improvement in the communications is the pipelining mode. It still uses
137keep-alive, but the client does not wait for the first response to send the
138second request. This is useful for fetching large number of images composing a
139page :
140
141 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
142
143This can obviously have a tremendous benefit on performance because the network
144latency is eliminated between subsequent requests. Many HTTP agents do not
145correctly support pipelining since there is no way to associate a response with
146the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100147server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200149By default HAProxy operates in a tunnel-like mode with regards to persistent
150connections: for each connection it processes the first request and forwards
151everything else (including additional requests) to selected server. Once
152established, the connection is persisted both on the client and server
153sides. Use "option http-server-close" to preserve client persistent connections
154while handling every incoming request individually, dispatching them one after
155another to servers, in HTTP close mode. Use "option httpclose" to switch both
156sides to HTTP close mode. "option forceclose" and "option
157http-pretend-keepalive" help working around servers misbehaving in HTTP close
158mode.
159
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200160
1611.2. HTTP request
162-----------------
163
164First, let's consider this HTTP request :
165
166 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100167 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200168 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
169 2 Host: www.mydomain.com
170 3 User-agent: my small browser
171 4 Accept: image/jpeg, image/gif
172 5 Accept: image/png
173
174
1751.2.1. The Request line
176-----------------------
177
178Line 1 is the "request line". It is always composed of 3 fields :
179
180 - a METHOD : GET
181 - a URI : /serv/login.php?lang=en&profile=2
182 - a version tag : HTTP/1.1
183
184All of them are delimited by what the standard calls LWS (linear white spaces),
185which are commonly spaces, but can also be tabs or line feeds/carriage returns
186followed by spaces/tabs. The method itself cannot contain any colon (':') and
187is limited to alphabetic letters. All those various combinations make it
188desirable that HAProxy performs the splitting itself rather than leaving it to
189the user to write a complex or inaccurate regular expression.
190
191The URI itself can have several forms :
192
193 - A "relative URI" :
194
195 /serv/login.php?lang=en&profile=2
196
197 It is a complete URL without the host part. This is generally what is
198 received by servers, reverse proxies and transparent proxies.
199
200 - An "absolute URI", also called a "URL" :
201
202 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
203
204 It is composed of a "scheme" (the protocol name followed by '://'), a host
205 name or address, optionally a colon (':') followed by a port number, then
206 a relative URI beginning at the first slash ('/') after the address part.
207 This is generally what proxies receive, but a server supporting HTTP/1.1
208 must accept this form too.
209
210 - a star ('*') : this form is only accepted in association with the OPTIONS
211 method and is not relayable. It is used to inquiry a next hop's
212 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100213
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200214 - an address:port combination : 192.168.0.12:80
215 This is used with the CONNECT method, which is used to establish TCP
216 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
217 other protocols too.
218
219In a relative URI, two sub-parts are identified. The part before the question
220mark is called the "path". It is typically the relative path to static objects
221on the server. The part after the question mark is called the "query string".
222It is mostly used with GET requests sent to dynamic scripts and is very
223specific to the language, framework or application in use.
224
225
2261.2.2. The request headers
227--------------------------
228
229The headers start at the second line. They are composed of a name at the
230beginning of the line, immediately followed by a colon (':'). Traditionally,
231an LWS is added after the colon but that's not required. Then come the values.
232Multiple identical headers may be folded into one single line, delimiting the
233values with commas, provided that their order is respected. This is commonly
234encountered in the "Cookie:" field. A header may span over multiple lines if
235the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
236define a total of 3 values for the "Accept:" header.
237
238Contrary to a common mis-conception, header names are not case-sensitive, and
239their values are not either if they refer to other header names (such as the
240"Connection:" header).
241
242The end of the headers is indicated by the first empty line. People often say
243that it's a double line feed, which is not exact, even if a double line feed
244is one valid form of empty line.
245
246Fortunately, HAProxy takes care of all these complex combinations when indexing
247headers, checking values and counting them, so there is no reason to worry
248about the way they could be written, but it is important not to accuse an
249application of being buggy if it does unusual, valid things.
250
251Important note:
252 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
253 in the middle of headers by LWS in order to join multi-line headers. This
254 is necessary for proper analysis and helps less capable HTTP parsers to work
255 correctly and not to be fooled by such complex constructs.
256
257
2581.3. HTTP response
259------------------
260
261An HTTP response looks very much like an HTTP request. Both are called HTTP
262messages. Let's consider this HTTP response :
263
264 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100265 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200266 1 HTTP/1.1 200 OK
267 2 Content-length: 350
268 3 Content-Type: text/html
269
Willy Tarreau816b9792009-09-15 21:25:21 +0200270As a special case, HTTP supports so called "Informational responses" as status
271codes 1xx. These messages are special in that they don't convey any part of the
272response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100273continue to post its request for instance. In the case of a status 100 response
274the requested information will be carried by the next non-100 response message
275following the informational one. This implies that multiple responses may be
276sent to a single request, and that this only works when keep-alive is enabled
277(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
278correctly forward and skip them, and only process the next non-100 response. As
279such, these messages are neither logged nor transformed, unless explicitly
280state otherwise. Status 101 messages indicate that the protocol is changing
281over the same connection and that haproxy must switch to tunnel mode, just as
282if a CONNECT had occurred. Then the Upgrade header would contain additional
283information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200284
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200285
2861.3.1. The Response line
287------------------------
288
289Line 1 is the "response line". It is always composed of 3 fields :
290
291 - a version tag : HTTP/1.1
292 - a status code : 200
293 - a reason : OK
294
295The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200296 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297 - 2xx = OK, content is following (eg: 200, 206)
298 - 3xx = OK, no content following (eg: 302, 304)
299 - 4xx = error caused by the client (eg: 401, 403, 404)
300 - 5xx = error caused by the server (eg: 500, 502, 503)
301
302Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100303"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200304found there, but it's a common practice to respect the well-established
305messages. It can be composed of one or multiple words, such as "OK", "Found",
306or "Authentication Required".
307
308Haproxy may emit the following status codes by itself :
309
310 Code When / reason
311 200 access to stats page, and when replying to monitoring requests
312 301 when performing a redirection, depending on the configured code
313 302 when performing a redirection, depending on the configured code
314 303 when performing a redirection, depending on the configured code
315 400 for an invalid or too large request
316 401 when an authentication is required to perform the action (when
317 accessing the stats page)
318 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
319 408 when the request timeout strikes before the request is complete
320 500 when haproxy encounters an unrecoverable internal error, such as a
321 memory allocation failure, which should never happen
322 502 when the server returns an empty, invalid or incomplete response, or
323 when an "rspdeny" filter blocks the response.
324 503 when no server was available to handle the request, or in response to
325 monitoring requests which match the "monitor fail" condition
326 504 when the response timeout strikes before the server responds
327
328The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3294.2).
330
331
3321.3.2. The response headers
333---------------------------
334
335Response headers work exactly like request headers, and as such, HAProxy uses
336the same parsing function for both. Please refer to paragraph 1.2.2 for more
337details.
338
339
3402. Configuring HAProxy
341----------------------
342
3432.1. Configuration file format
344------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200345
346HAProxy's configuration process involves 3 major sources of parameters :
347
348 - the arguments from the command-line, which always take precedence
349 - the "global" section, which sets process-wide parameters
350 - the proxies sections which can take form of "defaults", "listen",
351 "frontend" and "backend".
352
Willy Tarreau0ba27502007-12-24 16:55:16 +0100353The configuration file syntax consists in lines beginning with a keyword
354referenced in this manual, optionally followed by one or several parameters
355delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100356preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100357escaped by doubling them.
358
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200359
3602.2. Time format
361----------------
362
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100363Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100364values are generally expressed in milliseconds (unless explicitly stated
365otherwise) but may be expressed in any other unit by suffixing the unit to the
366numeric value. It is important to consider this because it will not be repeated
367for every keyword. Supported units are :
368
369 - us : microseconds. 1 microsecond = 1/1000000 second
370 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
371 - s : seconds. 1s = 1000ms
372 - m : minutes. 1m = 60s = 60000ms
373 - h : hours. 1h = 60m = 3600s = 3600000ms
374 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
375
376
Patrick Mezard35da19c2010-06-12 17:02:47 +02003772.3. Examples
378-------------
379
380 # Simple configuration for an HTTP proxy listening on port 80 on all
381 # interfaces and forwarding requests to a single backend "servers" with a
382 # single server "server1" listening on 127.0.0.1:8000
383 global
384 daemon
385 maxconn 256
386
387 defaults
388 mode http
389 timeout connect 5000ms
390 timeout client 50000ms
391 timeout server 50000ms
392
393 frontend http-in
394 bind *:80
395 default_backend servers
396
397 backend servers
398 server server1 127.0.0.1:8000 maxconn 32
399
400
401 # The same configuration defined with a single listen block. Shorter but
402 # less expressive, especially in HTTP mode.
403 global
404 daemon
405 maxconn 256
406
407 defaults
408 mode http
409 timeout connect 5000ms
410 timeout client 50000ms
411 timeout server 50000ms
412
413 listen http-in
414 bind *:80
415 server server1 127.0.0.1:8000 maxconn 32
416
417
418Assuming haproxy is in $PATH, test these configurations in a shell with:
419
420 $ sudo haproxy -f configuration.conf -d
421
422
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004233. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200424--------------------
425
426Parameters in the "global" section are process-wide and often OS-specific. They
427are generally set once for all and do not need being changed once correct. Some
428of them have command-line equivalents.
429
430The following keywords are supported in the "global" section :
431
432 * Process management and security
433 - chroot
434 - daemon
435 - gid
436 - group
437 - log
438 - nbproc
439 - pidfile
440 - uid
441 - ulimit-n
442 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200443 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200444 - node
445 - description
Willy Tarreaud72758d2010-01-12 10:42:19 +0100446
Willy Tarreau6a06a402007-07-15 20:15:28 +0200447 * Performance tuning
448 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100449 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - noepoll
451 - nokqueue
452 - nopoll
453 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200455 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200456 - tune.bufsize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100457 - tune.maxaccept
458 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200459 - tune.maxrewrite
Willy Tarreaue803de22010-01-21 17:43:04 +0100460 - tune.rcvbuf.client
461 - tune.rcvbuf.server
462 - tune.sndbuf.client
463 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100464
Willy Tarreau6a06a402007-07-15 20:15:28 +0200465 * Debugging
466 - debug
467 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200468
469
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004703.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200471------------------------------------
472
473chroot <jail dir>
474 Changes current directory to <jail dir> and performs a chroot() there before
475 dropping privileges. This increases the security level in case an unknown
476 vulnerability would be exploited, since it would make it very hard for the
477 attacker to exploit the system. This only works when the process is started
478 with superuser privileges. It is important to ensure that <jail_dir> is both
479 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100480
Willy Tarreau6a06a402007-07-15 20:15:28 +0200481daemon
482 Makes the process fork into background. This is the recommended mode of
483 operation. It is equivalent to the command line "-D" argument. It can be
484 disabled by the command line "-db" argument.
485
486gid <number>
487 Changes the process' group ID to <number>. It is recommended that the group
488 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
489 be started with a user belonging to this group, or with superuser privileges.
490 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100491
Willy Tarreau6a06a402007-07-15 20:15:28 +0200492group <group name>
493 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
494 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100495
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200496log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200497 Adds a global syslog server. Up to two global servers can be defined. They
498 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100499 configured with "log global".
500
501 <address> can be one of:
502
Willy Tarreau2769aa02007-12-27 18:26:09 +0100503 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100504 no port is specified, 514 is used by default (the standard syslog
505 port).
506
507 - A filesystem path to a UNIX domain socket, keeping in mind
508 considerations for chroot (be sure the path is accessible inside
509 the chroot) and uid/gid (be sure the path is appropriately
510 writeable).
511
512 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200513
514 kern user mail daemon auth syslog lpr news
515 uucp cron auth2 ftp ntp audit alert cron2
516 local0 local1 local2 local3 local4 local5 local6 local7
517
518 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200519 all messages are sent. If a maximum level is specified, only messages with a
520 severity at least as important as this level will be sent. An optional minimum
521 level can be specified. If it is set, logs emitted with a more severe level
522 than this one will be capped to this level. This is used to avoid sending
523 "emerg" messages on all terminals on some default syslog configurations.
524 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200525
526 emerg alert crit err warning notice info debug
527
528nbproc <number>
529 Creates <number> processes when going daemon. This requires the "daemon"
530 mode. By default, only one process is created, which is the recommended mode
531 of operation. For systems limited to small sets of file descriptors per
532 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
533 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
534
535pidfile <pidfile>
536 Writes pids of all daemons into file <pidfile>. This option is equivalent to
537 the "-p" command line argument. The file must be accessible to the user
538 starting the process. See also "daemon".
539
Willy Tarreaufbee7132007-10-18 13:53:22 +0200540stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200541 [level <level>]
542
Willy Tarreaufbee7132007-10-18 13:53:22 +0200543 Creates a UNIX socket in stream mode at location <path>. Any previously
544 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100545 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200546 issued. Please consult section 9.2 "Unix Socket commands" for more details.
547
548 An optional "level" parameter can be specified to restrict the nature of
549 the commands that can be issued on the socket :
550 - "user" is the least privileged level ; only non-sensitive stats can be
551 read, and no change is allowed. It would make sense on systems where it
552 is not easy to restrict access to the socket.
553
554 - "operator" is the default level and fits most common uses. All data can
555 be read, and only non-sensible changes are permitted (eg: clear max
556 counters).
557
558 - "admin" should be used with care, as everything is permitted (eg: clear
559 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100560
561 On platforms which support it, it is possible to restrict access to this
562 socket by specifying numerical IDs after "uid" and "gid", or valid user and
563 group names after the "user" and "group" keywords. It is also possible to
564 restrict permissions on the socket by passing an octal value after the "mode"
565 keyword (same syntax as chmod). Depending on the platform, the permissions on
566 the socket will be inherited from the directory which hosts it, or from the
567 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200568
569stats timeout <timeout, in milliseconds>
570 The default timeout on the stats socket is set to 10 seconds. It is possible
571 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100572 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200573
574stats maxconn <connections>
575 By default, the stats socket is limited to 10 concurrent connections. It is
576 possible to change this value with "stats maxconn".
577
Willy Tarreau6a06a402007-07-15 20:15:28 +0200578uid <number>
579 Changes the process' user ID to <number>. It is recommended that the user ID
580 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
581 be started with superuser privileges in order to be able to switch to another
582 one. See also "gid" and "user".
583
584ulimit-n <number>
585 Sets the maximum number of per-process file-descriptors to <number>. By
586 default, it is automatically computed, so it is recommended not to use this
587 option.
588
589user <user name>
590 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
591 See also "uid" and "group".
592
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200593node <name>
594 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
595
596 This statement is useful in HA configurations where two or more processes or
597 servers share the same IP address. By setting a different node-name on all
598 nodes, it becomes easy to immediately spot what server is handling the
599 traffic.
600
601description <text>
602 Add a text that describes the instance.
603
604 Please note that it is required to escape certain characters (# for example)
605 and this text is inserted into a html page so you should avoid using
606 "<" and ">" characters.
607
Willy Tarreau6a06a402007-07-15 20:15:28 +0200608
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006093.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200610-----------------------
611
612maxconn <number>
613 Sets the maximum per-process number of concurrent connections to <number>. It
614 is equivalent to the command-line argument "-n". Proxies will stop accepting
615 connections when this limit is reached. The "ulimit-n" parameter is
616 automatically adjusted according to this value. See also "ulimit-n".
617
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100618maxpipes <number>
619 Sets the maximum per-process number of pipes to <number>. Currently, pipes
620 are only used by kernel-based tcp splicing. Since a pipe contains two file
621 descriptors, the "ulimit-n" value will be increased accordingly. The default
622 value is maxconn/4, which seems to be more than enough for most heavy usages.
623 The splice code dynamically allocates and releases pipes, and can fall back
624 to standard copy, so setting this value too low may only impact performance.
625
Willy Tarreau6a06a402007-07-15 20:15:28 +0200626noepoll
627 Disables the use of the "epoll" event polling system on Linux. It is
628 equivalent to the command-line argument "-de". The next polling system
629 used will generally be "poll". See also "nosepoll", and "nopoll".
630
631nokqueue
632 Disables the use of the "kqueue" event polling system on BSD. It is
633 equivalent to the command-line argument "-dk". The next polling system
634 used will generally be "poll". See also "nopoll".
635
636nopoll
637 Disables the use of the "poll" event polling system. It is equivalent to the
638 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100639 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200640 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
641 "nokqueue".
642
643nosepoll
644 Disables the use of the "speculative epoll" event polling system on Linux. It
645 is equivalent to the command-line argument "-ds". The next polling system
646 used will generally be "epoll". See also "nosepoll", and "nopoll".
647
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100648nosplice
649 Disables the use of kernel tcp splicing between sockets on Linux. It is
650 equivalent to the command line argument "-dS". Data will then be copied
651 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100652 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100653 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
654 be used. This option makes it easier to globally disable kernel splicing in
655 case of doubt. See also "option splice-auto", "option splice-request" and
656 "option splice-response".
657
Willy Tarreaufe255b72007-10-14 23:09:26 +0200658spread-checks <0..50, in percent>
659 Sometimes it is desirable to avoid sending health checks to servers at exact
660 intervals, for instance when many logical servers are located on the same
661 physical server. With the help of this parameter, it becomes possible to add
662 some randomness in the check interval between 0 and +/- 50%. A value between
663 2 and 5 seems to show good results. The default value remains at 0.
664
Willy Tarreau27a674e2009-08-17 07:23:33 +0200665tune.bufsize <number>
666 Sets the buffer size to this size (in bytes). Lower values allow more
667 sessions to coexist in the same amount of RAM, and higher values allow some
668 applications with very large cookies to work. The default value is 16384 and
669 can be changed at build time. It is strongly recommended not to change this
670 from the default value, as very low values will break some services such as
671 statistics, and values larger than default size will increase memory usage,
672 possibly causing the system to run out of memory. At least the global maxconn
673 parameter should be decreased by the same factor as this one is increased.
674
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100675tune.maxaccept <number>
676 Sets the maximum number of consecutive accepts that a process may perform on
677 a single wake up. High values give higher priority to high connection rates,
678 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100679 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100680 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
681 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100682 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100683 the limitation. It should normally not be needed to tweak this value.
684
685tune.maxpollevents <number>
686 Sets the maximum amount of events that can be processed at once in a call to
687 the polling system. The default value is adapted to the operating system. It
688 has been noticed that reducing it below 200 tends to slightly decrease
689 latency at the expense of network bandwidth, and increasing it above 200
690 tends to trade latency for slightly increased bandwidth.
691
Willy Tarreau27a674e2009-08-17 07:23:33 +0200692tune.maxrewrite <number>
693 Sets the reserved buffer space to this size in bytes. The reserved space is
694 used for header rewriting or appending. The first reads on sockets will never
695 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
696 bufsize, though that does not make much sense since there are rarely large
697 numbers of headers to add. Setting it too high prevents processing of large
698 requests or responses. Setting it too low prevents addition of new headers
699 to already large requests or to POST requests. It is generally wise to set it
700 to about 1024. It is automatically readjusted to half of bufsize if it is
701 larger than that. This means you don't have to worry about it when changing
702 bufsize.
703
Willy Tarreaue803de22010-01-21 17:43:04 +0100704tune.rcvbuf.client <number>
705tune.rcvbuf.server <number>
706 Forces the kernel socket receive buffer size on the client or the server side
707 to the specified value in bytes. This value applies to all TCP/HTTP frontends
708 and backends. It should normally never be set, and the default size (0) lets
709 the kernel autotune this value depending on the amount of available memory.
710 However it can sometimes help to set it to very low values (eg: 4096) in
711 order to save kernel memory by preventing it from buffering too large amounts
712 of received data. Lower values will significantly increase CPU usage though.
713
714tune.sndbuf.client <number>
715tune.sndbuf.server <number>
716 Forces the kernel socket send buffer size on the client or the server side to
717 the specified value in bytes. This value applies to all TCP/HTTP frontends
718 and backends. It should normally never be set, and the default size (0) lets
719 the kernel autotune this value depending on the amount of available memory.
720 However it can sometimes help to set it to very low values (eg: 4096) in
721 order to save kernel memory by preventing it from buffering too large amounts
722 of received data. Lower values will significantly increase CPU usage though.
723 Another use case is to prevent write timeouts with extremely slow clients due
724 to the kernel waiting for a large part of the buffer to be read before
725 notifying haproxy again.
726
Willy Tarreau6a06a402007-07-15 20:15:28 +0200727
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007283.3. Debugging
729--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200730
731debug
732 Enables debug mode which dumps to stdout all exchanges, and disables forking
733 into background. It is the equivalent of the command-line argument "-d". It
734 should never be used in a production configuration since it may prevent full
735 system startup.
736
737quiet
738 Do not display any message during startup. It is equivalent to the command-
739 line argument "-q".
740
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007413.4. Userlists
742--------------
743It is possible to control access to frontend/backend/listen sections or to
744http stats by allowing only authenticated and authorized users. To do this,
745it is required to create at least one userlist and to define users.
746
747userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100748 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100749 used to store authentication & authorization data for independent customers.
750
751group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100752 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100753 attach users to this group by using a comma separated list of names
754 proceeded by "users" keyword.
755
Cyril Bontéf0c60612010-02-06 14:44:47 +0100756user <username> [password|insecure-password <password>]
757 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100758 Adds user <username> to the current userlist. Both secure (encrypted) and
759 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100760 evaluated using the crypt(3) function so depending of the system's
761 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100762 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
763 DES-based method of crypting passwords.
764
765
766 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100767 userlist L1
768 group G1 users tiger,scott
769 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100770
Cyril Bontéf0c60612010-02-06 14:44:47 +0100771 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
772 user scott insecure-password elgato
773 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100774
Cyril Bontéf0c60612010-02-06 14:44:47 +0100775 userlist L2
776 group G1
777 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100778
Cyril Bontéf0c60612010-02-06 14:44:47 +0100779 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
780 user scott insecure-password elgato groups G1,G2
781 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100782
783 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200784
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007854. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200786----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100787
Willy Tarreau6a06a402007-07-15 20:15:28 +0200788Proxy configuration can be located in a set of sections :
789 - defaults <name>
790 - frontend <name>
791 - backend <name>
792 - listen <name>
793
794A "defaults" section sets default parameters for all other sections following
795its declaration. Those default parameters are reset by the next "defaults"
796section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100797section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200798
799A "frontend" section describes a set of listening sockets accepting client
800connections.
801
802A "backend" section describes a set of servers to which the proxy will connect
803to forward incoming connections.
804
805A "listen" section defines a complete proxy with its frontend and backend
806parts combined in one section. It is generally useful for TCP-only traffic.
807
Willy Tarreau0ba27502007-12-24 16:55:16 +0100808All proxy names must be formed from upper and lower case letters, digits,
809'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
810case-sensitive, which means that "www" and "WWW" are two different proxies.
811
812Historically, all proxy names could overlap, it just caused troubles in the
813logs. Since the introduction of content switching, it is mandatory that two
814proxies with overlapping capabilities (frontend/backend) have different names.
815However, it is still permitted that a frontend and a backend share the same
816name, as this configuration seems to be commonly encountered.
817
818Right now, two major proxy modes are supported : "tcp", also known as layer 4,
819and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100820bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100821protocol, and can interact with it by allowing, blocking, switching, adding,
822modifying, or removing arbitrary contents in requests or responses, based on
823arbitrary criteria.
824
Willy Tarreau0ba27502007-12-24 16:55:16 +0100825
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008264.1. Proxy keywords matrix
827--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100828
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200829The following list of keywords is supported. Most of them may only be used in a
830limited set of section types. Some of them are marked as "deprecated" because
831they are inherited from an old syntax which may be confusing or functionally
832limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100833marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200834option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200835and must be disabled for a specific instance. Such options may also be prefixed
836with "default" in order to restore default settings regardless of what has been
837specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100838
Willy Tarreau6a06a402007-07-15 20:15:28 +0200839
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100840 keyword defaults frontend listen backend
841------------------------------------+----------+----------+---------+---------
842acl - X X X
843appsession - - X X
844backlog X X X -
845balance X - X X
846bind - X X -
847bind-process X X X X
848block - X X X
849capture cookie - X X -
850capture request header - X X -
851capture response header - X X -
852clitimeout (deprecated) X X X -
853contimeout (deprecated) X - X X
854cookie X - X X
855default-server X - X X
856default_backend X X X -
857description - X X X
858disabled X X X X
859dispatch - - X X
860enabled X X X X
861errorfile X X X X
862errorloc X X X X
863errorloc302 X X X X
864-- keyword -------------------------- defaults - frontend - listen -- backend -
865errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200866force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100867fullconn X - X X
868grace X X X X
869hash-type X - X X
870http-check disable-on-404 X - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +0200871http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100872http-request - X X X
873id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200874ignore-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100875log X X X X
876maxconn X X X -
877mode X X X X
878monitor fail - X X -
879monitor-net X X X -
880monitor-uri X X X -
881option abortonclose (*) X - X X
882option accept-invalid-http-request (*) X X X -
883option accept-invalid-http-response (*) X - X X
884option allbackups (*) X - X X
885option checkcache (*) X - X X
886option clitcpka (*) X X X -
887option contstats (*) X X X -
888option dontlog-normal (*) X X X -
889option dontlognull (*) X X X -
890option forceclose (*) X X X X
891-- keyword -------------------------- defaults - frontend - listen -- backend -
892option forwardfor X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +0200893option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100894option http-server-close (*) X X X X
895option http-use-proxy-header (*) X X X -
896option httpchk X - X X
897option httpclose (*) X X X X
898option httplog X X X X
899option http_proxy (*) X X X X
900option independant-streams (*) X X X X
901option log-health-checks (*) X - X X
902option log-separate-errors (*) X X X -
903option logasap (*) X X X -
904option mysql-check X - X X
905option nolinger (*) X X X X
906option originalto X X X X
907option persist (*) X - X X
908option redispatch (*) X - X X
909option smtpchk X - X X
910option socket-stats (*) X X X -
911option splice-auto (*) X X X X
912option splice-request (*) X X X X
913option splice-response (*) X X X X
914option srvtcpka (*) X - X X
915option ssl-hello-chk X - X X
916-- keyword -------------------------- defaults - frontend - listen -- backend -
917option tcp-smart-accept (*) X X X -
918option tcp-smart-connect (*) X - X X
919option tcpka X X X X
920option tcplog X X X X
921option transparent (*) X - X X
922persist rdp-cookie X - X X
923rate-limit sessions X X X -
924redirect - X X X
925redisp (deprecated) X - X X
926redispatch (deprecated) X - X X
927reqadd - X X X
928reqallow - X X X
929reqdel - X X X
930reqdeny - X X X
931reqiallow - X X X
932reqidel - X X X
933reqideny - X X X
934reqipass - X X X
935reqirep - X X X
936reqisetbe - X X X
937reqitarpit - X X X
938reqpass - X X X
939reqrep - X X X
940-- keyword -------------------------- defaults - frontend - listen -- backend -
941reqsetbe - X X X
942reqtarpit - X X X
943retries X - X X
944rspadd - X X X
945rspdel - X X X
946rspdeny - X X X
947rspidel - X X X
948rspideny - X X X
949rspirep - X X X
950rsprep - X X X
951server - - X X
952source X - X X
953srvtimeout (deprecated) X - X X
954stats auth X - X X
955stats enable X - X X
956stats hide-version X - X X
957stats realm X - X X
958stats refresh X - X X
959stats scope X - X X
960stats show-desc X - X X
961stats show-legends X - X X
962stats show-node X - X X
963stats uri X - X X
964-- keyword -------------------------- defaults - frontend - listen -- backend -
965stick match - - X X
966stick on - - X X
967stick store-request - - X X
968stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +0200969tcp-request connection - X X -
970tcp-request content - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100971tcp-request inspect-delay - X X -
972timeout check X - X X
973timeout client X X X -
974timeout clitimeout (deprecated) X X X -
975timeout connect X - X X
976timeout contimeout (deprecated) X - X X
977timeout http-keep-alive X X X X
978timeout http-request X X X X
979timeout queue X - X X
980timeout server X - X X
981timeout srvtimeout (deprecated) X - X X
982timeout tarpit X X X X
983transparent (deprecated) X - X X
984use_backend - X X -
985------------------------------------+----------+----------+---------+---------
986 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +0200987
Willy Tarreau0ba27502007-12-24 16:55:16 +0100988
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009894.2. Alphabetically sorted keywords reference
990---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100991
992This section provides a description of each keyword and its usage.
993
994
995acl <aclname> <criterion> [flags] [operator] <value> ...
996 Declare or complete an access list.
997 May be used in sections : defaults | frontend | listen | backend
998 no | yes | yes | yes
999 Example:
1000 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1001 acl invalid_src src_port 0:1023
1002 acl local_dst hdr(host) -i localhost
1003
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001004 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001005
1006
Cyril Bontéb21570a2009-11-29 20:04:48 +01001007appsession <cookie> len <length> timeout <holdtime>
1008 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001009 Define session stickiness on an existing application cookie.
1010 May be used in sections : defaults | frontend | listen | backend
1011 no | no | yes | yes
1012 Arguments :
1013 <cookie> this is the name of the cookie used by the application and which
1014 HAProxy will have to learn for each new session.
1015
Cyril Bontéb21570a2009-11-29 20:04:48 +01001016 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001017 checked in each cookie value.
1018
1019 <holdtime> this is the time after which the cookie will be removed from
1020 memory if unused. If no unit is specified, this time is in
1021 milliseconds.
1022
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001023 request-learn
1024 If this option is specified, then haproxy will be able to learn
1025 the cookie found in the request in case the server does not
1026 specify any in response. This is typically what happens with
1027 PHPSESSID cookies, or when haproxy's session expires before
1028 the application's session and the correct server is selected.
1029 It is recommended to specify this option to improve reliability.
1030
Cyril Bontéb21570a2009-11-29 20:04:48 +01001031 prefix When this option is specified, haproxy will match on the cookie
1032 prefix (or URL parameter prefix). The appsession value is the
1033 data following this prefix.
1034
1035 Example :
1036 appsession ASPSESSIONID len 64 timeout 3h prefix
1037
1038 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1039 the appsession value will be XXXX=XXXXX.
1040
1041 mode This option allows to change the URL parser mode.
1042 2 modes are currently supported :
1043 - path-parameters :
1044 The parser looks for the appsession in the path parameters
1045 part (each parameter is separated by a semi-colon), which is
1046 convenient for JSESSIONID for example.
1047 This is the default mode if the option is not set.
1048 - query-string :
1049 In this mode, the parser will look for the appsession in the
1050 query string.
1051
Willy Tarreau0ba27502007-12-24 16:55:16 +01001052 When an application cookie is defined in a backend, HAProxy will check when
1053 the server sets such a cookie, and will store its value in a table, and
1054 associate it with the server's identifier. Up to <length> characters from
1055 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001056 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1057 the mode used). If a known value is found, the client will be directed to the
1058 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001059 applied. Cookies are automatically removed from memory when they have been
1060 unused for a duration longer than <holdtime>.
1061
1062 The definition of an application cookie is limited to one per backend.
1063
1064 Example :
1065 appsession JSESSIONID len 52 timeout 3h
1066
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001067 See also : "cookie", "capture cookie", "balance", "stick", "stick-table"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001068 and "ignore-persist"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001069
1070
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001071backlog <conns>
1072 Give hints to the system about the approximate listen backlog desired size
1073 May be used in sections : defaults | frontend | listen | backend
1074 yes | yes | yes | no
1075 Arguments :
1076 <conns> is the number of pending connections. Depending on the operating
1077 system, it may represent the number of already acknowledged
1078 connections, of non-acknowledged ones, or both.
1079
1080 In order to protect against SYN flood attacks, one solution is to increase
1081 the system's SYN backlog size. Depending on the system, sometimes it is just
1082 tunable via a system parameter, sometimes it is not adjustable at all, and
1083 sometimes the system relies on hints given by the application at the time of
1084 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1085 to the listen() syscall. On systems which can make use of this value, it can
1086 sometimes be useful to be able to specify a different value, hence this
1087 backlog parameter.
1088
1089 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1090 used as a hint and the system accepts up to the smallest greater power of
1091 two, and never more than some limits (usually 32768).
1092
1093 See also : "maxconn" and the target operating system's tuning guide.
1094
1095
Willy Tarreau0ba27502007-12-24 16:55:16 +01001096balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001097balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001098 Define the load balancing algorithm to be used in a backend.
1099 May be used in sections : defaults | frontend | listen | backend
1100 yes | no | yes | yes
1101 Arguments :
1102 <algorithm> is the algorithm used to select a server when doing load
1103 balancing. This only applies when no persistence information
1104 is available, or when a connection is redispatched to another
1105 server. <algorithm> may be one of the following :
1106
1107 roundrobin Each server is used in turns, according to their weights.
1108 This is the smoothest and fairest algorithm when the server's
1109 processing time remains equally distributed. This algorithm
1110 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001111 on the fly for slow starts for instance. It is limited by
1112 design to 4128 active servers per backend. Note that in some
1113 large farms, when a server becomes up after having been down
1114 for a very short time, it may sometimes take a few hundreds
1115 requests for it to be re-integrated into the farm and start
1116 receiving traffic. This is normal, though very rare. It is
1117 indicated here in case you would have the chance to observe
1118 it, so that you don't worry.
1119
1120 static-rr Each server is used in turns, according to their weights.
1121 This algorithm is as similar to roundrobin except that it is
1122 static, which means that changing a server's weight on the
1123 fly will have no effect. On the other hand, it has no design
1124 limitation on the number of servers, and when a server goes
1125 up, it is always immediately reintroduced into the farm, once
1126 the full map is recomputed. It also uses slightly less CPU to
1127 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001128
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001129 leastconn The server with the lowest number of connections receives the
1130 connection. Round-robin is performed within groups of servers
1131 of the same load to ensure that all servers will be used. Use
1132 of this algorithm is recommended where very long sessions are
1133 expected, such as LDAP, SQL, TSE, etc... but is not very well
1134 suited for protocols using short sessions such as HTTP. This
1135 algorithm is dynamic, which means that server weights may be
1136 adjusted on the fly for slow starts for instance.
1137
Willy Tarreau0ba27502007-12-24 16:55:16 +01001138 source The source IP address is hashed and divided by the total
1139 weight of the running servers to designate which server will
1140 receive the request. This ensures that the same client IP
1141 address will always reach the same server as long as no
1142 server goes down or up. If the hash result changes due to the
1143 number of running servers changing, many clients will be
1144 directed to a different server. This algorithm is generally
1145 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001146 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001147 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001148 static by default, which means that changing a server's
1149 weight on the fly will have no effect, but this can be
1150 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001151
1152 uri The left part of the URI (before the question mark) is hashed
1153 and divided by the total weight of the running servers. The
1154 result designates which server will receive the request. This
1155 ensures that a same URI will always be directed to the same
1156 server as long as no server goes up or down. This is used
1157 with proxy caches and anti-virus proxies in order to maximize
1158 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001159 in an HTTP backend. This algorithm is static by default,
1160 which means that changing a server's weight on the fly will
1161 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001162
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001163 This algorithm support two optional parameters "len" and
1164 "depth", both followed by a positive integer number. These
1165 options may be helpful when it is needed to balance servers
1166 based on the beginning of the URI only. The "len" parameter
1167 indicates that the algorithm should only consider that many
1168 characters at the beginning of the URI to compute the hash.
1169 Note that having "len" set to 1 rarely makes sense since most
1170 URIs start with a leading "/".
1171
1172 The "depth" parameter indicates the maximum directory depth
1173 to be used to compute the hash. One level is counted for each
1174 slash in the request. If both parameters are specified, the
1175 evaluation stops when either is reached.
1176
Willy Tarreau0ba27502007-12-24 16:55:16 +01001177 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001178 the query string of each HTTP GET request.
1179
1180 If the modifier "check_post" is used, then an HTTP POST
1181 request entity will be searched for the parameter argument,
1182 when the question mark indicating a query string ('?') is not
1183 present in the URL. Optionally, specify a number of octets to
1184 wait for before attempting to search the message body. If the
1185 entity can not be searched, then round robin is used for each
1186 request. For instance, if your clients always send the LB
1187 parameter in the first 128 bytes, then specify that. The
1188 default is 48. The entity data will not be scanned until the
1189 required number of octets have arrived at the gateway, this
1190 is the minimum of: (default/max_wait, Content-Length or first
1191 chunk length). If Content-Length is missing or zero, it does
1192 not need to wait for more data than the client promised to
1193 send. When Content-Length is present and larger than
1194 <max_wait>, then waiting is limited to <max_wait> and it is
1195 assumed that this will be enough data to search for the
1196 presence of the parameter. In the unlikely event that
1197 Transfer-Encoding: chunked is used, only the first chunk is
1198 scanned. Parameter values separated by a chunk boundary, may
1199 be randomly balanced if at all.
1200
1201 If the parameter is found followed by an equal sign ('=') and
1202 a value, then the value is hashed and divided by the total
1203 weight of the running servers. The result designates which
1204 server will receive the request.
1205
1206 This is used to track user identifiers in requests and ensure
1207 that a same user ID will always be sent to the same server as
1208 long as no server goes up or down. If no value is found or if
1209 the parameter is not found, then a round robin algorithm is
1210 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001211 backend. This algorithm is static by default, which means
1212 that changing a server's weight on the fly will have no
1213 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001214
Benoitaffb4812009-03-25 13:02:10 +01001215 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
1216 Just as with the equivalent ACL 'hdr()' function, the header
1217 name in parenthesis is not case sensitive. If the header is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001218 absent or if it does not contain any value, the roundrobin
Benoitaffb4812009-03-25 13:02:10 +01001219 algorithm is applied instead.
1220
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001221 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001222 reducing the hash algorithm to the main domain part with some
1223 specific headers such as 'Host'. For instance, in the Host
1224 value "haproxy.1wt.eu", only "1wt" will be considered.
1225
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001226 This algorithm is static by default, which means that
1227 changing a server's weight on the fly will have no effect,
1228 but this can be changed using "hash-type".
1229
Emeric Brun736aa232009-06-30 17:56:00 +02001230 rdp-cookie
1231 rdp-cookie(name)
1232 The RDP cookie <name> (or "mstshash" if omitted) will be
1233 looked up and hashed for each incoming TCP request. Just as
1234 with the equivalent ACL 'req_rdp_cookie()' function, the name
1235 is not case-sensitive. This mechanism is useful as a degraded
1236 persistence mode, as it makes it possible to always send the
1237 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001238 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001239 used instead.
1240
1241 Note that for this to work, the frontend must ensure that an
1242 RDP cookie is already present in the request buffer. For this
1243 you must use 'tcp-request content accept' rule combined with
1244 a 'req_rdp_cookie_cnt' ACL.
1245
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001246 This algorithm is static by default, which means that
1247 changing a server's weight on the fly will have no effect,
1248 but this can be changed using "hash-type".
1249
Willy Tarreau0ba27502007-12-24 16:55:16 +01001250 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001251 algorithms. Right now, only "url_param" and "uri" support an
1252 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001253
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001254 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001255 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001256
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001257 The load balancing algorithm of a backend is set to roundrobin when no other
1258 algorithm, mode nor option have been set. The algorithm may only be set once
1259 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001260
1261 Examples :
1262 balance roundrobin
1263 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001264 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001265 balance hdr(User-Agent)
1266 balance hdr(host)
1267 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001268
1269 Note: the following caveats and limitations on using the "check_post"
1270 extension with "url_param" must be considered :
1271
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001272 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001273 to determine if the parameters will be found in the body or entity which
1274 may contain binary data. Therefore another method may be required to
1275 restrict consideration of POST requests that have no URL parameters in
1276 the body. (see acl reqideny http_end)
1277
1278 - using a <max_wait> value larger than the request buffer size does not
1279 make sense and is useless. The buffer size is set at build time, and
1280 defaults to 16 kB.
1281
1282 - Content-Encoding is not supported, the parameter search will probably
1283 fail; and load balancing will fall back to Round Robin.
1284
1285 - Expect: 100-continue is not supported, load balancing will fall back to
1286 Round Robin.
1287
1288 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1289 If the entire parameter value is not present in the first chunk, the
1290 selection of server is undefined (actually, defined by how little
1291 actually appeared in the first chunk).
1292
1293 - This feature does not support generation of a 100, 411 or 501 response.
1294
1295 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001296 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001297 white space or control characters are found, indicating the end of what
1298 might be a URL parameter list. This is probably not a concern with SGML
1299 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001300
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001301 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1302 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001303
1304
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001305bind [<address>]:<port_range> [, ...]
1306bind [<address>]:<port_range> [, ...] interface <interface>
1307bind [<address>]:<port_range> [, ...] mss <maxseg>
1308bind [<address>]:<port_range> [, ...] transparent
1309bind [<address>]:<port_range> [, ...] id <id>
1310bind [<address>]:<port_range> [, ...] name <name>
1311bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau0ba27502007-12-24 16:55:16 +01001312 Define one or several listening addresses and/or ports in a frontend.
1313 May be used in sections : defaults | frontend | listen | backend
1314 no | yes | yes | no
1315 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001316 <address> is optional and can be a host name, an IPv4 address, an IPv6
1317 address, or '*'. It designates the address the frontend will
1318 listen on. If unset, all IPv4 addresses of the system will be
1319 listened on. The same will apply for '*' or the system's
1320 special address "0.0.0.0".
1321
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001322 <port_range> is either a unique TCP port, or a port range for which the
1323 proxy will accept connections for the IP address specified
1324 above. The port is mandatory. Note that in the case of an
1325 IPv6 address, the port is always the number after the last
1326 colon (':'). A range can either be :
1327 - a numerical port (ex: '80')
1328 - a dash-delimited ports range explicitly stating the lower
1329 and upper bounds (ex: '2000-2100') which are included in
1330 the range.
1331
1332 Particular care must be taken against port ranges, because
1333 every <address:port> couple consumes one socket (= a file
1334 descriptor), so it's easy to consume lots of descriptors
1335 with a simple range, and to run out of sockets. Also, each
1336 <address:port> couple must be used only once among all
1337 instances running on a same system. Please note that binding
1338 to ports lower than 1024 generally require particular
1339 privileges to start the program, which are independant of
1340 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001341
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001342 <interface> is an optional physical interface name. This is currently
1343 only supported on Linux. The interface must be a physical
1344 interface, not an aliased interface. When specified, all
1345 addresses on the same line will only be accepted if the
1346 incoming packet physically come through the designated
1347 interface. It is also possible to bind multiple frontends to
1348 the same address if they are bound to different interfaces.
1349 Note that binding to a physical interface requires root
1350 privileges.
1351
Willy Tarreaube1b9182009-06-14 18:48:19 +02001352 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1353 advertised on incoming connections. This can be used to force
1354 a lower MSS for certain specific ports, for instance for
1355 connections passing through a VPN. Note that this relies on a
1356 kernel feature which is theorically supported under Linux but
1357 was buggy in all versions prior to 2.6.28. It may or may not
1358 work on other operating systems. The commonly advertised
1359 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1360
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001361 <id> is a persistent value for socket ID. Must be positive and
1362 unique in the proxy. An unused value will automatically be
1363 assigned if unset. Can only be used when defining only a
1364 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001365
1366 <name> is an optional name provided for stats
1367
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001368 transparent is an optional keyword which is supported only on certain
1369 Linux kernels. It indicates that the addresses will be bound
1370 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001371 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001372 the address was locally configured. This normally requires
1373 that IP forwarding is enabled. Caution! do not use this with
1374 the default address '*', as it would redirect any traffic for
1375 the specified port. This keyword is available only when
1376 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001377
Willy Tarreau59f89202010-10-02 11:54:00 +02001378 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001379 Linux kernels. It states that a connection will only be
1380 accepted once some data arrive on it, or at worst after the
1381 first retransmit. This should be used only on protocols for
1382 which the client talks first (eg: HTTP). It can slightly
1383 improve performance by ensuring that most of the request is
1384 already available when the connection is accepted. On the
1385 other hand, it will not be able to detect connections which
1386 don't talk. It is important to note that this option is
1387 broken in all kernels up to 2.6.31, as the connection is
1388 never accepted until the client talks. This can cause issues
1389 with front firewalls which would see an established
1390 connection while the proxy will only see it in SYN_RECV.
1391
Willy Tarreau0ba27502007-12-24 16:55:16 +01001392 It is possible to specify a list of address:port combinations delimited by
1393 commas. The frontend will then listen on all of these addresses. There is no
1394 fixed limit to the number of addresses and ports which can be listened on in
1395 a frontend, as well as there is no limit to the number of "bind" statements
1396 in a frontend.
1397
1398 Example :
1399 listen http_proxy
1400 bind :80,:443
1401 bind 10.0.0.1:10080,10.0.0.1:10443
1402
1403 See also : "source".
1404
1405
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001406bind-process [ all | odd | even | <number 1-32> ] ...
1407 Limit visibility of an instance to a certain set of processes numbers.
1408 May be used in sections : defaults | frontend | listen | backend
1409 yes | yes | yes | yes
1410 Arguments :
1411 all All process will see this instance. This is the default. It
1412 may be used to override a default value.
1413
1414 odd This instance will be enabled on processes 1,3,5,...31. This
1415 option may be combined with other numbers.
1416
1417 even This instance will be enabled on processes 2,4,6,...32. This
1418 option may be combined with other numbers. Do not use it
1419 with less than 2 processes otherwise some instances might be
1420 missing from all processes.
1421
1422 number The instance will be enabled on this process number, between
1423 1 and 32. You must be careful not to reference a process
1424 number greater than the configured global.nbproc, otherwise
1425 some instances might be missing from all processes.
1426
1427 This keyword limits binding of certain instances to certain processes. This
1428 is useful in order not to have too many processes listening to the same
1429 ports. For instance, on a dual-core machine, it might make sense to set
1430 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1431 and 'even' instances.
1432
1433 At the moment, it is not possible to reference more than 32 processes using
1434 this keyword, but this should be more than enough for most setups. Please
1435 note that 'all' really means all processes and is not limited to the first
1436 32.
1437
1438 If some backends are referenced by frontends bound to other processes, the
1439 backend automatically inherits the frontend's processes.
1440
1441 Example :
1442 listen app_ip1
1443 bind 10.0.0.1:80
1444 bind_process odd
1445
1446 listen app_ip2
1447 bind 10.0.0.2:80
1448 bind_process even
1449
1450 listen management
1451 bind 10.0.0.3:80
1452 bind_process 1 2 3 4
1453
1454 See also : "nbproc" in global section.
1455
1456
Willy Tarreau0ba27502007-12-24 16:55:16 +01001457block { if | unless } <condition>
1458 Block a layer 7 request if/unless a condition is matched
1459 May be used in sections : defaults | frontend | listen | backend
1460 no | yes | yes | yes
1461
1462 The HTTP request will be blocked very early in the layer 7 processing
1463 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001464 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001465 typically used to deny access to certain sensible resources if some
1466 conditions are met or not met. There is no fixed limit to the number of
1467 "block" statements per instance.
1468
1469 Example:
1470 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1471 acl invalid_src src_port 0:1023
1472 acl local_dst hdr(host) -i localhost
1473 block if invalid_src || local_dst
1474
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001475 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001476
1477
1478capture cookie <name> len <length>
1479 Capture and log a cookie in the request and in the response.
1480 May be used in sections : defaults | frontend | listen | backend
1481 no | yes | yes | no
1482 Arguments :
1483 <name> is the beginning of the name of the cookie to capture. In order
1484 to match the exact name, simply suffix the name with an equal
1485 sign ('='). The full name will appear in the logs, which is
1486 useful with application servers which adjust both the cookie name
1487 and value (eg: ASPSESSIONXXXXX).
1488
1489 <length> is the maximum number of characters to report in the logs, which
1490 include the cookie name, the equal sign and the value, all in the
1491 standard "name=value" form. The string will be truncated on the
1492 right if it exceeds <length>.
1493
1494 Only the first cookie is captured. Both the "cookie" request headers and the
1495 "set-cookie" response headers are monitored. This is particularly useful to
1496 check for application bugs causing session crossing or stealing between
1497 users, because generally the user's cookies can only change on a login page.
1498
1499 When the cookie was not presented by the client, the associated log column
1500 will report "-". When a request does not cause a cookie to be assigned by the
1501 server, a "-" is reported in the response column.
1502
1503 The capture is performed in the frontend only because it is necessary that
1504 the log format does not change for a given frontend depending on the
1505 backends. This may change in the future. Note that there can be only one
1506 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001507 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001508 specify a capture in a "defaults" section.
1509
1510 Example:
1511 capture cookie ASPSESSION len 32
1512
1513 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001514 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001515
1516
1517capture request header <name> len <length>
1518 Capture and log the first occurrence of the specified request header.
1519 May be used in sections : defaults | frontend | listen | backend
1520 no | yes | yes | no
1521 Arguments :
1522 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001523 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001524 appear in the requests, with the first letter of each word in
1525 upper case. The header name will not appear in the logs, only the
1526 value is reported, but the position in the logs is respected.
1527
1528 <length> is the maximum number of characters to extract from the value and
1529 report in the logs. The string will be truncated on the right if
1530 it exceeds <length>.
1531
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001532 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001533 value will be added to the logs between braces ('{}'). If multiple headers
1534 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001535 in the same order they were declared in the configuration. Non-existent
1536 headers will be logged just as an empty string. Common uses for request
1537 header captures include the "Host" field in virtual hosting environments, the
1538 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001539 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001540 environments to find where the request came from.
1541
1542 Note that when capturing headers such as "User-agent", some spaces may be
1543 logged, making the log analysis more difficult. Thus be careful about what
1544 you log if you know your log parser is not smart enough to rely on the
1545 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001546
1547 There is no limit to the number of captured request headers, but each capture
1548 is limited to 64 characters. In order to keep log format consistent for a
1549 same frontend, header captures can only be declared in a frontend. It is not
1550 possible to specify a capture in a "defaults" section.
1551
1552 Example:
1553 capture request header Host len 15
1554 capture request header X-Forwarded-For len 15
1555 capture request header Referrer len 15
1556
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001557 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001558 about logging.
1559
1560
1561capture response header <name> len <length>
1562 Capture and log the first occurrence of the specified response header.
1563 May be used in sections : defaults | frontend | listen | backend
1564 no | yes | yes | no
1565 Arguments :
1566 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001567 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001568 appear in the response, with the first letter of each word in
1569 upper case. The header name will not appear in the logs, only the
1570 value is reported, but the position in the logs is respected.
1571
1572 <length> is the maximum number of characters to extract from the value and
1573 report in the logs. The string will be truncated on the right if
1574 it exceeds <length>.
1575
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001576 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001577 result will be added to the logs between braces ('{}') after the captured
1578 request headers. If multiple headers are captured, they will be delimited by
1579 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001580 the configuration. Non-existent headers will be logged just as an empty
1581 string. Common uses for response header captures include the "Content-length"
1582 header which indicates how many bytes are expected to be returned, the
1583 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001584
1585 There is no limit to the number of captured response headers, but each
1586 capture is limited to 64 characters. In order to keep log format consistent
1587 for a same frontend, header captures can only be declared in a frontend. It
1588 is not possible to specify a capture in a "defaults" section.
1589
1590 Example:
1591 capture response header Content-length len 9
1592 capture response header Location len 15
1593
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001594 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001595 about logging.
1596
1597
Cyril Bontéf0c60612010-02-06 14:44:47 +01001598clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001599 Set the maximum inactivity time on the client side.
1600 May be used in sections : defaults | frontend | listen | backend
1601 yes | yes | yes | no
1602 Arguments :
1603 <timeout> is the timeout value is specified in milliseconds by default, but
1604 can be in any other unit if the number is suffixed by the unit,
1605 as explained at the top of this document.
1606
1607 The inactivity timeout applies when the client is expected to acknowledge or
1608 send data. In HTTP mode, this timeout is particularly important to consider
1609 during the first phase, when the client sends the request, and during the
1610 response while it is reading data sent by the server. The value is specified
1611 in milliseconds by default, but can be in any other unit if the number is
1612 suffixed by the unit, as specified at the top of this document. In TCP mode
1613 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1614 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001615 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001616 losses by specifying timeouts that are slightly above multiples of 3 seconds
1617 (eg: 4 or 5 seconds).
1618
1619 This parameter is specific to frontends, but can be specified once for all in
1620 "defaults" sections. This is in fact one of the easiest solutions not to
1621 forget about it. An unspecified timeout results in an infinite timeout, which
1622 is not recommended. Such a usage is accepted and works but reports a warning
1623 during startup because it may results in accumulation of expired sessions in
1624 the system if the system's timeouts are not configured either.
1625
1626 This parameter is provided for compatibility but is currently deprecated.
1627 Please use "timeout client" instead.
1628
Willy Tarreau036fae02008-01-06 13:24:40 +01001629 See also : "timeout client", "timeout http-request", "timeout server", and
1630 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001631
1632
Cyril Bontéf0c60612010-02-06 14:44:47 +01001633contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001634 Set the maximum time to wait for a connection attempt to a server to succeed.
1635 May be used in sections : defaults | frontend | listen | backend
1636 yes | no | yes | yes
1637 Arguments :
1638 <timeout> is the timeout value is specified in milliseconds by default, but
1639 can be in any other unit if the number is suffixed by the unit,
1640 as explained at the top of this document.
1641
1642 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001643 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001644 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001645 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1646 connect timeout also presets the queue timeout to the same value if this one
1647 has not been specified. Historically, the contimeout was also used to set the
1648 tarpit timeout in a listen section, which is not possible in a pure frontend.
1649
1650 This parameter is specific to backends, but can be specified once for all in
1651 "defaults" sections. This is in fact one of the easiest solutions not to
1652 forget about it. An unspecified timeout results in an infinite timeout, which
1653 is not recommended. Such a usage is accepted and works but reports a warning
1654 during startup because it may results in accumulation of failed sessions in
1655 the system if the system's timeouts are not configured either.
1656
1657 This parameter is provided for backwards compatibility but is currently
1658 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1659 instead.
1660
1661 See also : "timeout connect", "timeout queue", "timeout tarpit",
1662 "timeout server", "contimeout".
1663
1664
Willy Tarreau55165fe2009-05-10 12:02:55 +02001665cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau68a897b2009-12-03 23:28:34 +01001666 [ postonly ] [ domain <domain> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01001667 Enable cookie-based persistence in a backend.
1668 May be used in sections : defaults | frontend | listen | backend
1669 yes | no | yes | yes
1670 Arguments :
1671 <name> is the name of the cookie which will be monitored, modified or
1672 inserted in order to bring persistence. This cookie is sent to
1673 the client via a "Set-Cookie" header in the response, and is
1674 brought back by the client in a "Cookie" header in all requests.
1675 Special care should be taken to choose a name which does not
1676 conflict with any likely application cookie. Also, if the same
1677 backends are subject to be used by the same clients (eg:
1678 HTTP/HTTPS), care should be taken to use different cookie names
1679 between all backends if persistence between them is not desired.
1680
1681 rewrite This keyword indicates that the cookie will be provided by the
1682 server and that haproxy will have to modify its value to set the
1683 server's identifier in it. This mode is handy when the management
1684 of complex combinations of "Set-cookie" and "Cache-control"
1685 headers is left to the application. The application can then
1686 decide whether or not it is appropriate to emit a persistence
1687 cookie. Since all responses should be monitored, this mode only
1688 works in HTTP close mode. Unless the application behaviour is
1689 very complex and/or broken, it is advised not to start with this
1690 mode for new deployments. This keyword is incompatible with
1691 "insert" and "prefix".
1692
1693 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001694 be inserted by haproxy in server responses if the client did not
1695 already have a cookie that would have permitted it to access this
1696 server. If the server emits a cookie with the same name, it will
1697 be remove before processing. For this reason, this mode can be
1698 used to upgrade existing configurations running in the "rewrite"
1699 mode. The cookie will only be a session cookie and will not be
1700 stored on the client's disk. By default, unless the "indirect"
1701 option is added, the server will see the cookies emitted by the
1702 client. Due to caching effects, it is generally wise to add the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001703 "nocache" or "postonly" keywords (see below). The "insert"
1704 keyword is not compatible with "rewrite" and "prefix".
1705
1706 prefix This keyword indicates that instead of relying on a dedicated
1707 cookie for the persistence, an existing one will be completed.
1708 This may be needed in some specific environments where the client
1709 does not support more than one single cookie and the application
1710 already needs it. In this case, whenever the server sets a cookie
1711 named <name>, it will be prefixed with the server's identifier
1712 and a delimiter. The prefix will be removed from all client
1713 requests so that the server still finds the cookie it emitted.
1714 Since all requests and responses are subject to being modified,
1715 this mode requires the HTTP close mode. The "prefix" keyword is
1716 not compatible with "rewrite" and "insert".
1717
Willy Tarreaua79094d2010-08-31 22:54:15 +02001718 indirect When this option is specified, no cookie will be emitted to a
1719 client which already has a valid one for the server which has
1720 processed the request. If the server sets such a cookie itself,
1721 it will be removed. In "insert" mode, this will additionally
1722 remove cookies from requests transmitted to the server, making
1723 the persistence mechanism totally transparent from an application
1724 point of view.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001725
1726 nocache This option is recommended in conjunction with the insert mode
1727 when there is a cache between the client and HAProxy, as it
1728 ensures that a cacheable response will be tagged non-cacheable if
1729 a cookie needs to be inserted. This is important because if all
1730 persistence cookies are added on a cacheable home page for
1731 instance, then all customers will then fetch the page from an
1732 outer cache and will all share the same persistence cookie,
1733 leading to one server receiving much more traffic than others.
1734 See also the "insert" and "postonly" options.
1735
1736 postonly This option ensures that cookie insertion will only be performed
1737 on responses to POST requests. It is an alternative to the
1738 "nocache" option, because POST responses are not cacheable, so
1739 this ensures that the persistence cookie will never get cached.
1740 Since most sites do not need any sort of persistence before the
1741 first POST which generally is a login request, this is a very
1742 efficient method to optimize caching without risking to find a
1743 persistence cookie in the cache.
1744 See also the "insert" and "nocache" options.
1745
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001746 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001747 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001748 name. If the domain begins with a dot, the browser is allowed to
1749 use it for any host ending with that name. It is also possible to
1750 specify several domain names by invoking this option multiple
1751 times. Some browsers might have small limits on the number of
1752 domains, so be careful when doing that. For the record, sending
1753 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001754
Willy Tarreau0ba27502007-12-24 16:55:16 +01001755 There can be only one persistence cookie per HTTP backend, and it can be
1756 declared in a defaults section. The value of the cookie will be the value
1757 indicated after the "cookie" keyword in a "server" statement. If no cookie
1758 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001759
Willy Tarreau0ba27502007-12-24 16:55:16 +01001760 Examples :
1761 cookie JSESSIONID prefix
1762 cookie SRV insert indirect nocache
1763 cookie SRV insert postonly indirect
1764
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001765 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001766 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001767
Willy Tarreau983e01e2010-01-11 18:42:06 +01001768
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001769default-server [param*]
1770 Change default options for a server in a backend
1771 May be used in sections : defaults | frontend | listen | backend
1772 yes | no | yes | yes
1773 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001774 <param*> is a list of parameters for this server. The "default-server"
1775 keyword accepts an important number of options and has a complete
1776 section dedicated to it. Please refer to section 5 for more
1777 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001778
Willy Tarreau983e01e2010-01-11 18:42:06 +01001779 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001780 default-server inter 1000 weight 13
1781
1782 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001783
Willy Tarreau983e01e2010-01-11 18:42:06 +01001784
Willy Tarreau0ba27502007-12-24 16:55:16 +01001785default_backend <backend>
1786 Specify the backend to use when no "use_backend" rule has been matched.
1787 May be used in sections : defaults | frontend | listen | backend
1788 yes | yes | yes | no
1789 Arguments :
1790 <backend> is the name of the backend to use.
1791
1792 When doing content-switching between frontend and backends using the
1793 "use_backend" keyword, it is often useful to indicate which backend will be
1794 used when no rule has matched. It generally is the dynamic backend which
1795 will catch all undetermined requests.
1796
Willy Tarreau0ba27502007-12-24 16:55:16 +01001797 Example :
1798
1799 use_backend dynamic if url_dyn
1800 use_backend static if url_css url_img extension_img
1801 default_backend dynamic
1802
Willy Tarreau2769aa02007-12-27 18:26:09 +01001803 See also : "use_backend", "reqsetbe", "reqisetbe"
1804
Willy Tarreau0ba27502007-12-24 16:55:16 +01001805
1806disabled
1807 Disable a proxy, frontend or backend.
1808 May be used in sections : defaults | frontend | listen | backend
1809 yes | yes | yes | yes
1810 Arguments : none
1811
1812 The "disabled" keyword is used to disable an instance, mainly in order to
1813 liberate a listening port or to temporarily disable a service. The instance
1814 will still be created and its configuration will be checked, but it will be
1815 created in the "stopped" state and will appear as such in the statistics. It
1816 will not receive any traffic nor will it send any health-checks or logs. It
1817 is possible to disable many instances at once by adding the "disabled"
1818 keyword in a "defaults" section.
1819
1820 See also : "enabled"
1821
1822
Willy Tarreau5ce94572010-06-07 14:35:41 +02001823dispatch <address>:<port>
1824 Set a default server address
1825 May be used in sections : defaults | frontend | listen | backend
1826 no | no | yes | yes
1827 Arguments : none
1828
1829 <address> is the IPv4 address of the default server. Alternatively, a
1830 resolvable hostname is supported, but this name will be resolved
1831 during start-up.
1832
1833 <ports> is a mandatory port specification. All connections will be sent
1834 to this port, and it is not permitted to use port offsets as is
1835 possible with normal servers.
1836
1837 The "disabled" keyword designates a default server for use when no other
1838 server can take the connection. In the past it was used to forward non
1839 persistent connections to an auxiliary load balancer. Due to its simple
1840 syntax, it has also been used for simple TCP relays. It is recommended not to
1841 use it for more clarity, and to use the "server" directive instead.
1842
1843 See also : "server"
1844
1845
Willy Tarreau0ba27502007-12-24 16:55:16 +01001846enabled
1847 Enable a proxy, frontend or backend.
1848 May be used in sections : defaults | frontend | listen | backend
1849 yes | yes | yes | yes
1850 Arguments : none
1851
1852 The "enabled" keyword is used to explicitly enable an instance, when the
1853 defaults has been set to "disabled". This is very rarely used.
1854
1855 See also : "disabled"
1856
1857
1858errorfile <code> <file>
1859 Return a file contents instead of errors generated by HAProxy
1860 May be used in sections : defaults | frontend | listen | backend
1861 yes | yes | yes | yes
1862 Arguments :
1863 <code> is the HTTP status code. Currently, HAProxy is capable of
1864 generating codes 400, 403, 408, 500, 502, 503, and 504.
1865
1866 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001867 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001868 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001869 error pages, and to use absolute paths, since files are read
1870 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001871
1872 It is important to understand that this keyword is not meant to rewrite
1873 errors returned by the server, but errors detected and returned by HAProxy.
1874 This is why the list of supported errors is limited to a small set.
1875
1876 The files are returned verbatim on the TCP socket. This allows any trick such
1877 as redirections to another URL or site, as well as tricks to clean cookies,
1878 force enable or disable caching, etc... The package provides default error
1879 files returning the same contents as default errors.
1880
Willy Tarreau59140a22009-02-22 12:02:30 +01001881 The files should not exceed the configured buffer size (BUFSIZE), which
1882 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1883 not to put any reference to local contents (eg: images) in order to avoid
1884 loops between the client and HAProxy when all servers are down, causing an
1885 error to be returned instead of an image. For better HTTP compliance, it is
1886 recommended that all header lines end with CR-LF and not LF alone.
1887
Willy Tarreau0ba27502007-12-24 16:55:16 +01001888 The files are read at the same time as the configuration and kept in memory.
1889 For this reason, the errors continue to be returned even when the process is
1890 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001891 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001892 403 status code and interrogating a blocked URL.
1893
1894 See also : "errorloc", "errorloc302", "errorloc303"
1895
Willy Tarreau59140a22009-02-22 12:02:30 +01001896 Example :
1897 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1898 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1899 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1900
Willy Tarreau2769aa02007-12-27 18:26:09 +01001901
1902errorloc <code> <url>
1903errorloc302 <code> <url>
1904 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1905 May be used in sections : defaults | frontend | listen | backend
1906 yes | yes | yes | yes
1907 Arguments :
1908 <code> is the HTTP status code. Currently, HAProxy is capable of
1909 generating codes 400, 403, 408, 500, 502, 503, and 504.
1910
1911 <url> it is the exact contents of the "Location" header. It may contain
1912 either a relative URI to an error page hosted on the same site,
1913 or an absolute URI designating an error page on another site.
1914 Special care should be given to relative URIs to avoid redirect
1915 loops if the URI itself may generate the same error (eg: 500).
1916
1917 It is important to understand that this keyword is not meant to rewrite
1918 errors returned by the server, but errors detected and returned by HAProxy.
1919 This is why the list of supported errors is limited to a small set.
1920
1921 Note that both keyword return the HTTP 302 status code, which tells the
1922 client to fetch the designated URL using the same HTTP method. This can be
1923 quite problematic in case of non-GET methods such as POST, because the URL
1924 sent to the client might not be allowed for something other than GET. To
1925 workaround this problem, please use "errorloc303" which send the HTTP 303
1926 status code, indicating to the client that the URL must be fetched with a GET
1927 request.
1928
1929 See also : "errorfile", "errorloc303"
1930
1931
1932errorloc303 <code> <url>
1933 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1934 May be used in sections : defaults | frontend | listen | backend
1935 yes | yes | yes | yes
1936 Arguments :
1937 <code> is the HTTP status code. Currently, HAProxy is capable of
1938 generating codes 400, 403, 408, 500, 502, 503, and 504.
1939
1940 <url> it is the exact contents of the "Location" header. It may contain
1941 either a relative URI to an error page hosted on the same site,
1942 or an absolute URI designating an error page on another site.
1943 Special care should be given to relative URIs to avoid redirect
1944 loops if the URI itself may generate the same error (eg: 500).
1945
1946 It is important to understand that this keyword is not meant to rewrite
1947 errors returned by the server, but errors detected and returned by HAProxy.
1948 This is why the list of supported errors is limited to a small set.
1949
1950 Note that both keyword return the HTTP 303 status code, which tells the
1951 client to fetch the designated URL using the same HTTP GET method. This
1952 solves the usual problems associated with "errorloc" and the 302 code. It is
1953 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001954 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001955
1956 See also : "errorfile", "errorloc", "errorloc302"
1957
1958
Willy Tarreau4de91492010-01-22 19:10:05 +01001959force-persist { if | unless } <condition>
1960 Declare a condition to force persistence on down servers
1961 May be used in sections: defaults | frontend | listen | backend
1962 no | yes | yes | yes
1963
1964 By default, requests are not dispatched to down servers. It is possible to
1965 force this using "option persist", but it is unconditional and redispatches
1966 to a valid server if "option redispatch" is set. That leaves with very little
1967 possibilities to force some requests to reach a server which is artificially
1968 marked down for maintenance operations.
1969
1970 The "force-persist" statement allows one to declare various ACL-based
1971 conditions which, when met, will cause a request to ignore the down status of
1972 a server and still try to connect to it. That makes it possible to start a
1973 server, still replying an error to the health checks, and run a specially
1974 configured browser to test the service. Among the handy methods, one could
1975 use a specific source IP address, or a specific cookie. The cookie also has
1976 the advantage that it can easily be added/removed on the browser from a test
1977 page. Once the service is validated, it is then possible to open the service
1978 to the world by returning a valid response to health checks.
1979
1980 The forced persistence is enabled when an "if" condition is met, or unless an
1981 "unless" condition is met. The final redispatch is always disabled when this
1982 is used.
1983
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001984 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001985 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01001986
1987
Willy Tarreau2769aa02007-12-27 18:26:09 +01001988fullconn <conns>
1989 Specify at what backend load the servers will reach their maxconn
1990 May be used in sections : defaults | frontend | listen | backend
1991 yes | no | yes | yes
1992 Arguments :
1993 <conns> is the number of connections on the backend which will make the
1994 servers use the maximal number of connections.
1995
Willy Tarreau198a7442008-01-17 12:05:32 +01001996 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01001997 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01001998 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01001999 load. The server will then always accept at least <minconn> connections,
2000 never more than <maxconn>, and the limit will be on the ramp between both
2001 values when the backend has less than <conns> concurrent connections. This
2002 makes it possible to limit the load on the servers during normal loads, but
2003 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002004 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002005
2006 Example :
2007 # The servers will accept between 100 and 1000 concurrent connections each
2008 # and the maximum of 1000 will be reached when the backend reaches 10000
2009 # connections.
2010 backend dynamic
2011 fullconn 10000
2012 server srv1 dyn1:80 minconn 100 maxconn 1000
2013 server srv2 dyn2:80 minconn 100 maxconn 1000
2014
2015 See also : "maxconn", "server"
2016
2017
2018grace <time>
2019 Maintain a proxy operational for some time after a soft stop
2020 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002021 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002022 Arguments :
2023 <time> is the time (by default in milliseconds) for which the instance
2024 will remain operational with the frontend sockets still listening
2025 when a soft-stop is received via the SIGUSR1 signal.
2026
2027 This may be used to ensure that the services disappear in a certain order.
2028 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002029 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002030 needed by the equipment to detect the failure.
2031
2032 Note that currently, there is very little benefit in using this parameter,
2033 and it may in fact complicate the soft-reconfiguration process more than
2034 simplify it.
2035
Willy Tarreau0ba27502007-12-24 16:55:16 +01002036
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002037hash-type <method>
2038 Specify a method to use for mapping hashes to servers
2039 May be used in sections : defaults | frontend | listen | backend
2040 yes | no | yes | yes
2041 Arguments :
2042 map-based the hash table is a static array containing all alive servers.
2043 The hashes will be very smooth, will consider weights, but will
2044 be static in that weight changes while a server is up will be
2045 ignored. This means that there will be no slow start. Also,
2046 since a server is selected by its position in the array, most
2047 mappings are changed when the server count changes. This means
2048 that when a server goes up or down, or when a server is added
2049 to a farm, most connections will be redistributed to different
2050 servers. This can be inconvenient with caches for instance.
2051
2052 consistent the hash table is a tree filled with many occurrences of each
2053 server. The hash key is looked up in the tree and the closest
2054 server is chosen. This hash is dynamic, it supports changing
2055 weights while the servers are up, so it is compatible with the
2056 slow start feature. It has the advantage that when a server
2057 goes up or down, only its associations are moved. When a server
2058 is added to the farm, only a few part of the mappings are
2059 redistributed, making it an ideal algorithm for caches.
2060 However, due to its principle, the algorithm will never be very
2061 smooth and it may sometimes be necessary to adjust a server's
2062 weight or its ID to get a more balanced distribution. In order
2063 to get the same distribution on multiple load balancers, it is
2064 important that all servers have the same IDs.
2065
2066 The default hash type is "map-based" and is recommended for most usages.
2067
2068 See also : "balance", "server"
2069
2070
Willy Tarreau0ba27502007-12-24 16:55:16 +01002071http-check disable-on-404
2072 Enable a maintenance mode upon HTTP/404 response to health-checks
2073 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002074 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002075 Arguments : none
2076
2077 When this option is set, a server which returns an HTTP code 404 will be
2078 excluded from further load-balancing, but will still receive persistent
2079 connections. This provides a very convenient method for Web administrators
2080 to perform a graceful shutdown of their servers. It is also important to note
2081 that a server which is detected as failed while it was in this mode will not
2082 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2083 will immediately be reinserted into the farm. The status on the stats page
2084 reports "NOLB" for a server in this mode. It is important to note that this
2085 option only works in conjunction with the "httpchk" option.
2086
Willy Tarreau2769aa02007-12-27 18:26:09 +01002087 See also : "option httpchk"
2088
2089
Willy Tarreauef781042010-01-27 11:53:01 +01002090http-check send-state
2091 Enable emission of a state header with HTTP health checks
2092 May be used in sections : defaults | frontend | listen | backend
2093 yes | no | yes | yes
2094 Arguments : none
2095
2096 When this option is set, haproxy will systematically send a special header
2097 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2098 how they are seen by haproxy. This can be used for instance when a server is
2099 manipulated without access to haproxy and the operator needs to know whether
2100 haproxy still sees it up or not, or if the server is the last one in a farm.
2101
2102 The header is composed of fields delimited by semi-colons, the first of which
2103 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2104 checks on the total number before transition, just as appears in the stats
2105 interface. Next headers are in the form "<variable>=<value>", indicating in
2106 no specific order some values available in the stats interface :
2107 - a variable "name", containing the name of the backend followed by a slash
2108 ("/") then the name of the server. This can be used when a server is
2109 checked in multiple backends.
2110
2111 - a variable "node" containing the name of the haproxy node, as set in the
2112 global "node" variable, otherwise the system's hostname if unspecified.
2113
2114 - a variable "weight" indicating the weight of the server, a slash ("/")
2115 and the total weight of the farm (just counting usable servers). This
2116 helps to know if other servers are available to handle the load when this
2117 one fails.
2118
2119 - a variable "scur" indicating the current number of concurrent connections
2120 on the server, followed by a slash ("/") then the total number of
2121 connections on all servers of the same backend.
2122
2123 - a variable "qcur" indicating the current number of requests in the
2124 server's queue.
2125
2126 Example of a header received by the application server :
2127 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2128 scur=13/22; qcur=0
2129
2130 See also : "option httpchk", "http-check disable-on-404"
2131
Cyril Bontéf0c60612010-02-06 14:44:47 +01002132http-request { allow | deny | http-auth [realm <realm>] }
2133 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002134 Access control for Layer 7 requests
2135
2136 May be used in sections: defaults | frontend | listen | backend
2137 no | yes | yes | yes
2138
2139 These set of options allow to fine control access to a
2140 frontend/listen/backend. Each option may be followed by if/unless and acl.
2141 First option with matched condition (or option without condition) is final.
2142 For "block" a 403 error will be returned, for "allow" normal processing is
2143 performed, for "http-auth" a 401/407 error code is returned so the client
2144 should be asked to enter a username and password.
2145
2146 There is no fixed limit to the number of http-request statements per
2147 instance.
2148
2149 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002150 acl nagios src 192.168.129.3
2151 acl local_net src 192.168.0.0/16
2152 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002153
Cyril Bonté78caf842010-03-10 22:41:43 +01002154 http-request allow if nagios
2155 http-request allow if local_net auth_ok
2156 http-request auth realm Gimme if local_net auth_ok
2157 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002158
Cyril Bonté78caf842010-03-10 22:41:43 +01002159 Example:
2160 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002161
Cyril Bonté78caf842010-03-10 22:41:43 +01002162 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002163
2164 See section 3.4 about userlists and 7 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002165
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002166id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002167 Set a persistent ID to a proxy.
2168 May be used in sections : defaults | frontend | listen | backend
2169 no | yes | yes | yes
2170 Arguments : none
2171
2172 Set a persistent ID for the proxy. This ID must be unique and positive.
2173 An unused ID will automatically be assigned if unset. The first assigned
2174 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002175
2176
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002177ignore-persist { if | unless } <condition>
2178 Declare a condition to ignore persistence
2179 May be used in sections: defaults | frontend | listen | backend
2180 no | yes | yes | yes
2181
2182 By default, when cookie persistence is enabled, every requests containing
2183 the cookie are unconditionally persistent (assuming the target server is up
2184 and running).
2185
2186 The "ignore-persist" statement allows one to declare various ACL-based
2187 conditions which, when met, will cause a request to ignore persistence.
2188 This is sometimes useful to load balance requests for static files, which
2189 oftenly don't require persistence. This can also be used to fully disable
2190 persistence for a specific User-Agent (for example, some web crawler bots).
2191
2192 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2193 the appsession table won't grow if persistence is ignored.
2194
2195 The persistence is ignored when an "if" condition is met, or unless an
2196 "unless" condition is met.
2197
2198 See also : "force-persist", "cookie", and section 7 about ACL usage.
2199
2200
Willy Tarreau2769aa02007-12-27 18:26:09 +01002201log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002202log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01002203 Enable per-instance logging of events and traffic.
2204 May be used in sections : defaults | frontend | listen | backend
2205 yes | yes | yes | yes
2206 Arguments :
2207 global should be used when the instance's logging parameters are the
2208 same as the global ones. This is the most common usage. "global"
2209 replaces <address>, <facility> and <level> with those of the log
2210 entries found in the "global" section. Only one "log global"
2211 statement may be used per instance, and this form takes no other
2212 parameter.
2213
2214 <address> indicates where to send the logs. It takes the same format as
2215 for the "global" section's logs, and can be one of :
2216
2217 - An IPv4 address optionally followed by a colon (':') and a UDP
2218 port. If no port is specified, 514 is used by default (the
2219 standard syslog port).
2220
2221 - A filesystem path to a UNIX domain socket, keeping in mind
2222 considerations for chroot (be sure the path is accessible
2223 inside the chroot) and uid/gid (be sure the path is
2224 appropriately writeable).
2225
2226 <facility> must be one of the 24 standard syslog facilities :
2227
2228 kern user mail daemon auth syslog lpr news
2229 uucp cron auth2 ftp ntp audit alert cron2
2230 local0 local1 local2 local3 local4 local5 local6 local7
2231
2232 <level> is optional and can be specified to filter outgoing messages. By
2233 default, all messages are sent. If a level is specified, only
2234 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002235 will be sent. An optional minimum level can be specified. If it
2236 is set, logs emitted with a more severe level than this one will
2237 be capped to this level. This is used to avoid sending "emerg"
2238 messages on all terminals on some default syslog configurations.
2239 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002240
2241 emerg alert crit err warning notice info debug
2242
2243 Note that up to two "log" entries may be specified per instance. However, if
2244 "log global" is used and if the "global" section already contains 2 log
2245 entries, then additional log entries will be ignored.
2246
2247 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002248 what to log from a connection, and that in case of content switching, the log
2249 entries from the backend will be ignored. Connections are logged at level
2250 "info".
2251
2252 However, backend log declaration define how and where servers status changes
2253 will be logged. Level "notice" will be used to indicate a server going up,
2254 "warning" will be used for termination signals and definitive service
2255 termination, and "alert" will be used for when a server goes down.
2256
2257 Note : According to RFC3164, messages are truncated to 1024 bytes before
2258 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002259
2260 Example :
2261 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002262 log 127.0.0.1:514 local0 notice # only send important events
2263 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002264
2265
2266maxconn <conns>
2267 Fix the maximum number of concurrent connections on a frontend
2268 May be used in sections : defaults | frontend | listen | backend
2269 yes | yes | yes | no
2270 Arguments :
2271 <conns> is the maximum number of concurrent connections the frontend will
2272 accept to serve. Excess connections will be queued by the system
2273 in the socket's listen queue and will be served once a connection
2274 closes.
2275
2276 If the system supports it, it can be useful on big sites to raise this limit
2277 very high so that haproxy manages connection queues, instead of leaving the
2278 clients with unanswered connection attempts. This value should not exceed the
2279 global maxconn. Also, keep in mind that a connection contains two buffers
2280 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2281 consumed per established connection. That means that a medium system equipped
2282 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2283 properly tuned.
2284
2285 Also, when <conns> is set to large values, it is possible that the servers
2286 are not sized to accept such loads, and for this reason it is generally wise
2287 to assign them some reasonable connection limits.
2288
2289 See also : "server", global section's "maxconn", "fullconn"
2290
2291
2292mode { tcp|http|health }
2293 Set the running mode or protocol of the instance
2294 May be used in sections : defaults | frontend | listen | backend
2295 yes | yes | yes | yes
2296 Arguments :
2297 tcp The instance will work in pure TCP mode. A full-duplex connection
2298 will be established between clients and servers, and no layer 7
2299 examination will be performed. This is the default mode. It
2300 should be used for SSL, SSH, SMTP, ...
2301
2302 http The instance will work in HTTP mode. The client request will be
2303 analyzed in depth before connecting to any server. Any request
2304 which is not RFC-compliant will be rejected. Layer 7 filtering,
2305 processing and switching will be possible. This is the mode which
2306 brings HAProxy most of its value.
2307
2308 health The instance will work in "health" mode. It will just reply "OK"
2309 to incoming connections and close the connection. Nothing will be
2310 logged. This mode is used to reply to external components health
2311 checks. This mode is deprecated and should not be used anymore as
2312 it is possible to do the same and even better by combining TCP or
2313 HTTP modes with the "monitor" keyword.
2314
2315 When doing content switching, it is mandatory that the frontend and the
2316 backend are in the same mode (generally HTTP), otherwise the configuration
2317 will be refused.
2318
2319 Example :
2320 defaults http_instances
2321 mode http
2322
2323 See also : "monitor", "monitor-net"
2324
Willy Tarreau0ba27502007-12-24 16:55:16 +01002325
Cyril Bontéf0c60612010-02-06 14:44:47 +01002326monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002327 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002328 May be used in sections : defaults | frontend | listen | backend
2329 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002330 Arguments :
2331 if <cond> the monitor request will fail if the condition is satisfied,
2332 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002333 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002334 are met, for instance a low number of servers both in a
2335 backend and its backup.
2336
2337 unless <cond> the monitor request will succeed only if the condition is
2338 satisfied, and will fail otherwise. Such a condition may be
2339 based on a test on the presence of a minimum number of active
2340 servers in a list of backends.
2341
2342 This statement adds a condition which can force the response to a monitor
2343 request to report a failure. By default, when an external component queries
2344 the URI dedicated to monitoring, a 200 response is returned. When one of the
2345 conditions above is met, haproxy will return 503 instead of 200. This is
2346 very useful to report a site failure to an external component which may base
2347 routing advertisements between multiple sites on the availability reported by
2348 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002349 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002350
2351 Example:
2352 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002353 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002354 acl site_dead nbsrv(dynamic) lt 2
2355 acl site_dead nbsrv(static) lt 2
2356 monitor-uri /site_alive
2357 monitor fail if site_dead
2358
Willy Tarreau2769aa02007-12-27 18:26:09 +01002359 See also : "monitor-net", "monitor-uri"
2360
2361
2362monitor-net <source>
2363 Declare a source network which is limited to monitor requests
2364 May be used in sections : defaults | frontend | listen | backend
2365 yes | yes | yes | no
2366 Arguments :
2367 <source> is the source IPv4 address or network which will only be able to
2368 get monitor responses to any request. It can be either an IPv4
2369 address, a host name, or an address followed by a slash ('/')
2370 followed by a mask.
2371
2372 In TCP mode, any connection coming from a source matching <source> will cause
2373 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002374 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002375 forwarding the connection to a remote server.
2376
2377 In HTTP mode, a connection coming from a source matching <source> will be
2378 accepted, the following response will be sent without waiting for a request,
2379 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2380 enough for any front-end HTTP probe to detect that the service is UP and
2381 running without forwarding the request to a backend server.
2382
2383 Monitor requests are processed very early. It is not possible to block nor
2384 divert them using ACLs. They cannot be logged either, and it is the intended
2385 purpose. They are only used to report HAProxy's health to an upper component,
2386 nothing more. Right now, it is not possible to set failure conditions on
2387 requests caught by "monitor-net".
2388
Willy Tarreau95cd2832010-03-04 23:36:33 +01002389 Last, please note that only one "monitor-net" statement can be specified in
2390 a frontend. If more than one is found, only the last one will be considered.
2391
Willy Tarreau2769aa02007-12-27 18:26:09 +01002392 Example :
2393 # addresses .252 and .253 are just probing us.
2394 frontend www
2395 monitor-net 192.168.0.252/31
2396
2397 See also : "monitor fail", "monitor-uri"
2398
2399
2400monitor-uri <uri>
2401 Intercept a URI used by external components' monitor requests
2402 May be used in sections : defaults | frontend | listen | backend
2403 yes | yes | yes | no
2404 Arguments :
2405 <uri> is the exact URI which we want to intercept to return HAProxy's
2406 health status instead of forwarding the request.
2407
2408 When an HTTP request referencing <uri> will be received on a frontend,
2409 HAProxy will not forward it nor log it, but instead will return either
2410 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2411 conditions defined with "monitor fail". This is normally enough for any
2412 front-end HTTP probe to detect that the service is UP and running without
2413 forwarding the request to a backend server. Note that the HTTP method, the
2414 version and all headers are ignored, but the request must at least be valid
2415 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2416
2417 Monitor requests are processed very early. It is not possible to block nor
2418 divert them using ACLs. They cannot be logged either, and it is the intended
2419 purpose. They are only used to report HAProxy's health to an upper component,
2420 nothing more. However, it is possible to add any number of conditions using
2421 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2422 can be imagined (most often the number of available servers in a backend).
2423
2424 Example :
2425 # Use /haproxy_test to report haproxy's status
2426 frontend www
2427 mode http
2428 monitor-uri /haproxy_test
2429
2430 See also : "monitor fail", "monitor-net"
2431
Willy Tarreau0ba27502007-12-24 16:55:16 +01002432
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002433option abortonclose
2434no option abortonclose
2435 Enable or disable early dropping of aborted requests pending in queues.
2436 May be used in sections : defaults | frontend | listen | backend
2437 yes | no | yes | yes
2438 Arguments : none
2439
2440 In presence of very high loads, the servers will take some time to respond.
2441 The per-instance connection queue will inflate, and the response time will
2442 increase respective to the size of the queue times the average per-session
2443 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002444 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002445 the queue, and slowing down other users, and the servers as well, because the
2446 request will eventually be served, then aborted at the first error
2447 encountered while delivering the response.
2448
2449 As there is no way to distinguish between a full STOP and a simple output
2450 close on the client side, HTTP agents should be conservative and consider
2451 that the client might only have closed its output channel while waiting for
2452 the response. However, this introduces risks of congestion when lots of users
2453 do the same, and is completely useless nowadays because probably no client at
2454 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002455 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002456 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002457 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002458 of being the single component to break rare but valid traffic is extremely
2459 low, which adds to the temptation to be able to abort a session early while
2460 still not served and not pollute the servers.
2461
2462 In HAProxy, the user can choose the desired behaviour using the option
2463 "abortonclose". By default (without the option) the behaviour is HTTP
2464 compliant and aborted requests will be served. But when the option is
2465 specified, a session with an incoming channel closed will be aborted while
2466 it is still possible, either pending in the queue for a connection slot, or
2467 during the connection establishment if the server has not yet acknowledged
2468 the connection request. This considerably reduces the queue size and the load
2469 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002470 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002471
2472 If this option has been enabled in a "defaults" section, it can be disabled
2473 in a specific instance by prepending the "no" keyword before it.
2474
2475 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2476
2477
Willy Tarreau4076a152009-04-02 15:18:36 +02002478option accept-invalid-http-request
2479no option accept-invalid-http-request
2480 Enable or disable relaxing of HTTP request parsing
2481 May be used in sections : defaults | frontend | listen | backend
2482 yes | yes | yes | no
2483 Arguments : none
2484
2485 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2486 means that invalid characters in header names are not permitted and cause an
2487 error to be returned to the client. This is the desired behaviour as such
2488 forbidden characters are essentially used to build attacks exploiting server
2489 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2490 server will emit invalid header names for whatever reason (configuration,
2491 implementation) and the issue will not be immediately fixed. In such a case,
2492 it is possible to relax HAProxy's header name parser to accept any character
2493 even if that does not make sense, by specifying this option.
2494
2495 This option should never be enabled by default as it hides application bugs
2496 and open security breaches. It should only be deployed after a problem has
2497 been confirmed.
2498
2499 When this option is enabled, erroneous header names will still be accepted in
2500 requests, but the complete request will be captured in order to permit later
2501 analysis using the "show errors" request on the UNIX stats socket. Doing this
2502 also helps confirming that the issue has been solved.
2503
2504 If this option has been enabled in a "defaults" section, it can be disabled
2505 in a specific instance by prepending the "no" keyword before it.
2506
2507 See also : "option accept-invalid-http-response" and "show errors" on the
2508 stats socket.
2509
2510
2511option accept-invalid-http-response
2512no option accept-invalid-http-response
2513 Enable or disable relaxing of HTTP response parsing
2514 May be used in sections : defaults | frontend | listen | backend
2515 yes | no | yes | yes
2516 Arguments : none
2517
2518 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2519 means that invalid characters in header names are not permitted and cause an
2520 error to be returned to the client. This is the desired behaviour as such
2521 forbidden characters are essentially used to build attacks exploiting server
2522 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2523 server will emit invalid header names for whatever reason (configuration,
2524 implementation) and the issue will not be immediately fixed. In such a case,
2525 it is possible to relax HAProxy's header name parser to accept any character
2526 even if that does not make sense, by specifying this option.
2527
2528 This option should never be enabled by default as it hides application bugs
2529 and open security breaches. It should only be deployed after a problem has
2530 been confirmed.
2531
2532 When this option is enabled, erroneous header names will still be accepted in
2533 responses, but the complete response will be captured in order to permit
2534 later analysis using the "show errors" request on the UNIX stats socket.
2535 Doing this also helps confirming that the issue has been solved.
2536
2537 If this option has been enabled in a "defaults" section, it can be disabled
2538 in a specific instance by prepending the "no" keyword before it.
2539
2540 See also : "option accept-invalid-http-request" and "show errors" on the
2541 stats socket.
2542
2543
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002544option allbackups
2545no option allbackups
2546 Use either all backup servers at a time or only the first one
2547 May be used in sections : defaults | frontend | listen | backend
2548 yes | no | yes | yes
2549 Arguments : none
2550
2551 By default, the first operational backup server gets all traffic when normal
2552 servers are all down. Sometimes, it may be preferred to use multiple backups
2553 at once, because one will not be enough. When "option allbackups" is enabled,
2554 the load balancing will be performed among all backup servers when all normal
2555 ones are unavailable. The same load balancing algorithm will be used and the
2556 servers' weights will be respected. Thus, there will not be any priority
2557 order between the backup servers anymore.
2558
2559 This option is mostly used with static server farms dedicated to return a
2560 "sorry" page when an application is completely offline.
2561
2562 If this option has been enabled in a "defaults" section, it can be disabled
2563 in a specific instance by prepending the "no" keyword before it.
2564
2565
2566option checkcache
2567no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002568 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002569 May be used in sections : defaults | frontend | listen | backend
2570 yes | no | yes | yes
2571 Arguments : none
2572
2573 Some high-level frameworks set application cookies everywhere and do not
2574 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002575 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002576 high risk of session crossing or stealing between users traversing the same
2577 caches. In some situations, it is better to block the response than to let
2578 some sensible session information go in the wild.
2579
2580 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002581 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002582 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002583 response to check if there's a risk of caching a cookie on a client-side
2584 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002585 to the client are :
2586 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002587 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002588 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002589 - all those that come from a POST request, provided that the server has not
2590 set a 'Cache-Control: public' header ;
2591 - those with a 'Pragma: no-cache' header
2592 - those with a 'Cache-control: private' header
2593 - those with a 'Cache-control: no-store' header
2594 - those with a 'Cache-control: max-age=0' header
2595 - those with a 'Cache-control: s-maxage=0' header
2596 - those with a 'Cache-control: no-cache' header
2597 - those with a 'Cache-control: no-cache="set-cookie"' header
2598 - those with a 'Cache-control: no-cache="set-cookie,' header
2599 (allowing other fields after set-cookie)
2600
2601 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002602 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002603 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002604 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002605 that admins are informed that there's something to be fixed.
2606
2607 Due to the high impact on the application, the application should be tested
2608 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002609 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002610 production, as it will report potentially dangerous application behaviours.
2611
2612 If this option has been enabled in a "defaults" section, it can be disabled
2613 in a specific instance by prepending the "no" keyword before it.
2614
2615
2616option clitcpka
2617no option clitcpka
2618 Enable or disable the sending of TCP keepalive packets on the client side
2619 May be used in sections : defaults | frontend | listen | backend
2620 yes | yes | yes | no
2621 Arguments : none
2622
2623 When there is a firewall or any session-aware component between a client and
2624 a server, and when the protocol involves very long sessions with long idle
2625 periods (eg: remote desktops), there is a risk that one of the intermediate
2626 components decides to expire a session which has remained idle for too long.
2627
2628 Enabling socket-level TCP keep-alives makes the system regularly send packets
2629 to the other end of the connection, leaving it active. The delay between
2630 keep-alive probes is controlled by the system only and depends both on the
2631 operating system and its tuning parameters.
2632
2633 It is important to understand that keep-alive packets are neither emitted nor
2634 received at the application level. It is only the network stacks which sees
2635 them. For this reason, even if one side of the proxy already uses keep-alives
2636 to maintain its connection alive, those keep-alive packets will not be
2637 forwarded to the other side of the proxy.
2638
2639 Please note that this has nothing to do with HTTP keep-alive.
2640
2641 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2642 client side of a connection, which should help when session expirations are
2643 noticed between HAProxy and a client.
2644
2645 If this option has been enabled in a "defaults" section, it can be disabled
2646 in a specific instance by prepending the "no" keyword before it.
2647
2648 See also : "option srvtcpka", "option tcpka"
2649
2650
Willy Tarreau0ba27502007-12-24 16:55:16 +01002651option contstats
2652 Enable continuous traffic statistics updates
2653 May be used in sections : defaults | frontend | listen | backend
2654 yes | yes | yes | no
2655 Arguments : none
2656
2657 By default, counters used for statistics calculation are incremented
2658 only when a session finishes. It works quite well when serving small
2659 objects, but with big ones (for example large images or archives) or
2660 with A/V streaming, a graph generated from haproxy counters looks like
2661 a hedgehog. With this option enabled counters get incremented continuously,
2662 during a whole session. Recounting touches a hotpath directly so
2663 it is not enabled by default, as it has small performance impact (~0.5%).
2664
2665
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002666option dontlog-normal
2667no option dontlog-normal
2668 Enable or disable logging of normal, successful connections
2669 May be used in sections : defaults | frontend | listen | backend
2670 yes | yes | yes | no
2671 Arguments : none
2672
2673 There are large sites dealing with several thousand connections per second
2674 and for which logging is a major pain. Some of them are even forced to turn
2675 logs off and cannot debug production issues. Setting this option ensures that
2676 normal connections, those which experience no error, no timeout, no retry nor
2677 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2678 mode, the response status code is checked and return codes 5xx will still be
2679 logged.
2680
2681 It is strongly discouraged to use this option as most of the time, the key to
2682 complex issues is in the normal logs which will not be logged here. If you
2683 need to separate logs, see the "log-separate-errors" option instead.
2684
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002685 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002686 logging.
2687
2688
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002689option dontlognull
2690no option dontlognull
2691 Enable or disable logging of null connections
2692 May be used in sections : defaults | frontend | listen | backend
2693 yes | yes | yes | no
2694 Arguments : none
2695
2696 In certain environments, there are components which will regularly connect to
2697 various systems to ensure that they are still alive. It can be the case from
2698 another load balancer as well as from monitoring systems. By default, even a
2699 simple port probe or scan will produce a log. If those connections pollute
2700 the logs too much, it is possible to enable option "dontlognull" to indicate
2701 that a connection on which no data has been transferred will not be logged,
2702 which typically corresponds to those probes.
2703
2704 It is generally recommended not to use this option in uncontrolled
2705 environments (eg: internet), otherwise scans and other malicious activities
2706 would not be logged.
2707
2708 If this option has been enabled in a "defaults" section, it can be disabled
2709 in a specific instance by prepending the "no" keyword before it.
2710
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002711 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002712
2713
2714option forceclose
2715no option forceclose
2716 Enable or disable active connection closing after response is transferred.
2717 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01002718 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002719 Arguments : none
2720
2721 Some HTTP servers do not necessarily close the connections when they receive
2722 the "Connection: close" set by "option httpclose", and if the client does not
2723 close either, then the connection remains open till the timeout expires. This
2724 causes high number of simultaneous connections on the servers and shows high
2725 global session times in the logs.
2726
2727 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01002728 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002729 to respond. This option implicitly enables the "httpclose" option. Note that
2730 this option also enables the parsing of the full request and response, which
2731 means we can close the connection to the server very quickly, releasing some
2732 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002733
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002734 This option may also be combined with "option http-pretend-keepalive", which
2735 will disable sending of the "Connection: close" header, but will still cause
2736 the connection to be closed once the whole response is received.
2737
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002738 If this option has been enabled in a "defaults" section, it can be disabled
2739 in a specific instance by prepending the "no" keyword before it.
2740
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002741 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002742
2743
Ross Westaf72a1d2008-08-03 10:51:45 +02002744option forwardfor [ except <network> ] [ header <name> ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002745 Enable insertion of the X-Forwarded-For header to requests sent to servers
2746 May be used in sections : defaults | frontend | listen | backend
2747 yes | yes | yes | yes
2748 Arguments :
2749 <network> is an optional argument used to disable this option for sources
2750 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02002751 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01002752 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002753
2754 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2755 their client address. This is sometimes annoying when the client's IP address
2756 is expected in server logs. To solve this problem, the well-known HTTP header
2757 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2758 This header contains a value representing the client's IP address. Since this
2759 header is always appended at the end of the existing header list, the server
2760 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02002761 the server's manual to find how to enable use of this standard header. Note
2762 that only the last occurrence of the header must be used, since it is really
2763 possible that the client has already brought one.
2764
Willy Tarreaud72758d2010-01-12 10:42:19 +01002765 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02002766 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01002767 have a "X-Forwarded-For" header from a different application (eg: stunnel),
2768 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02002769 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2770 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01002771
2772 Sometimes, a same HAProxy instance may be shared between a direct client
2773 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2774 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2775 header for a known source address or network by adding the "except" keyword
2776 followed by the network address. In this case, any source IP matching the
2777 network will not cause an addition of this header. Most common uses are with
2778 private networks or 127.0.0.1.
2779
2780 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02002781 least one of them uses it, the header will be added. Note that the backend's
2782 setting of the header subargument takes precedence over the frontend's if
2783 both are defined.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002784
2785 It is important to note that as long as HAProxy does not support keep-alive
2786 connections, only the first request of a connection will receive the header.
2787 For this reason, it is important to ensure that "option httpclose" is set
2788 when using this option.
2789
Ross Westaf72a1d2008-08-03 10:51:45 +02002790 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01002791 # Public HTTP address also used by stunnel on the same machine
2792 frontend www
2793 mode http
2794 option forwardfor except 127.0.0.1 # stunnel already adds the header
2795
Ross Westaf72a1d2008-08-03 10:51:45 +02002796 # Those servers want the IP Address in X-Client
2797 backend www
2798 mode http
2799 option forwardfor header X-Client
2800
Willy Tarreauc27debf2008-01-06 08:57:02 +01002801 See also : "option httpclose"
2802
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02002803
2804option http-pretend-keepalive
2805no option http-pretend-keepalive
2806 Define whether haproxy will announce keepalive to the server or not
2807 May be used in sections : defaults | frontend | listen | backend
2808 yes | yes | yes | yes
2809 Arguments : none
2810
2811 When running with "option http-server-close" or "option forceclose", haproxy
2812 adds a "Connection: close" header to the request forwarded to the server.
2813 Unfortunately, when some servers see this header, they automatically refrain
2814 from using the chunked encoding for responses of unknown length, while this
2815 is totally unrelated. The immediate effect is that this prevents haproxy from
2816 maintaining the client connection alive. A second effect is that a client or
2817 a cache could receive an incomplete response without being aware of it, and
2818 consider the response complete.
2819
2820 By setting "option http-pretend-keepalive", haproxy will make the server
2821 believe it will keep the connection alive. The server will then not fall back
2822 to the abnormal undesired above. When haproxy gets the whole response, it
2823 will close the connection with the server just as it would do with the
2824 "forceclose" option. That way the client gets a normal response and the
2825 connection is correctly closed on the server side.
2826
2827 It is recommended not to enable this option by default, because most servers
2828 will more efficiently close the connection themselves after the last packet,
2829 and release its buffers slightly earlier. Also, the added packet on the
2830 network could slightly reduce the overall peak performance. However it is
2831 worth noting that when this option is enabled, haproxy will have slightly
2832 less work to do. So if haproxy is the bottleneck on the whole architecture,
2833 enabling this option might save a few CPU cycles.
2834
2835 This option may be set both in a frontend and in a backend. It is enabled if
2836 at least one of the frontend or backend holding a connection has it enabled.
2837 This option has no effect if it is combined with "option httpclose", which
2838 has precedence.
2839
2840 If this option has been enabled in a "defaults" section, it can be disabled
2841 in a specific instance by prepending the "no" keyword before it.
2842
2843 See also : "option forceclose" and "option http-server-close"
2844
Willy Tarreauc27debf2008-01-06 08:57:02 +01002845
Willy Tarreaub608feb2010-01-02 22:47:18 +01002846option http-server-close
2847no option http-server-close
2848 Enable or disable HTTP connection closing on the server side
2849 May be used in sections : defaults | frontend | listen | backend
2850 yes | yes | yes | yes
2851 Arguments : none
2852
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002853 By default, when a client communicates with a server, HAProxy will only
2854 analyze, log, and process the first request of each connection. Setting
2855 "option http-server-close" enables HTTP connection-close mode on the server
2856 side while keeping the ability to support HTTP keep-alive and pipelining on
2857 the client side. This provides the lowest latency on the client side (slow
2858 network) and the fastest session reuse on the server side to save server
2859 resources, similarly to "option forceclose". It also permits non-keepalive
2860 capable servers to be served in keep-alive mode to the clients if they
2861 conform to the requirements of RFC2616. Please note that some servers do not
2862 always conform to those requirements when they see "Connection: close" in the
2863 request. The effect will be that keep-alive will never be used. A workaround
2864 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002865
2866 At the moment, logs will not indicate whether requests came from the same
2867 session or not. The accept date reported in the logs corresponds to the end
2868 of the previous request, and the request time corresponds to the time spent
2869 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01002870 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2871 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01002872
2873 This option may be set both in a frontend and in a backend. It is enabled if
2874 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002875 It is worth noting that "option forceclose" has precedence over "option
2876 http-server-close" and that combining "http-server-close" with "httpclose"
2877 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002878
2879 If this option has been enabled in a "defaults" section, it can be disabled
2880 in a specific instance by prepending the "no" keyword before it.
2881
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002882 See also : "option forceclose", "option http-pretend-keepalive",
2883 "option httpclose" and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002884
2885
Willy Tarreau88d349d2010-01-25 12:15:43 +01002886option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01002887no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01002888 Make use of non-standard Proxy-Connection header instead of Connection
2889 May be used in sections : defaults | frontend | listen | backend
2890 yes | yes | yes | no
2891 Arguments : none
2892
2893 While RFC2616 explicitly states that HTTP/1.1 agents must use the
2894 Connection header to indicate their wish of persistent or non-persistent
2895 connections, both browsers and proxies ignore this header for proxied
2896 connections and make use of the undocumented, non-standard Proxy-Connection
2897 header instead. The issue begins when trying to put a load balancer between
2898 browsers and such proxies, because there will be a difference between what
2899 haproxy understands and what the client and the proxy agree on.
2900
2901 By setting this option in a frontend, haproxy can automatically switch to use
2902 that non-standard header if it sees proxied requests. A proxied request is
2903 defined here as one where the URI begins with neither a '/' nor a '*'. The
2904 choice of header only affects requests passing through proxies making use of
2905 one of the "httpclose", "forceclose" and "http-server-close" options. Note
2906 that this option can only be specified in a frontend and will affect the
2907 request along its whole life.
2908
Willy Tarreau844a7e72010-01-31 21:46:18 +01002909 Also, when this option is set, a request which requires authentication will
2910 automatically switch to use proxy authentication headers if it is itself a
2911 proxied request. That makes it possible to check or enforce authentication in
2912 front of an existing proxy.
2913
Willy Tarreau88d349d2010-01-25 12:15:43 +01002914 This option should normally never be used, except in front of a proxy.
2915
2916 See also : "option httpclose", "option forceclose" and "option
2917 http-server-close".
2918
2919
Willy Tarreaud63335a2010-02-26 12:56:52 +01002920option httpchk
2921option httpchk <uri>
2922option httpchk <method> <uri>
2923option httpchk <method> <uri> <version>
2924 Enable HTTP protocol to check on the servers health
2925 May be used in sections : defaults | frontend | listen | backend
2926 yes | no | yes | yes
2927 Arguments :
2928 <method> is the optional HTTP method used with the requests. When not set,
2929 the "OPTIONS" method is used, as it generally requires low server
2930 processing and is easy to filter out from the logs. Any method
2931 may be used, though it is not recommended to invent non-standard
2932 ones.
2933
2934 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
2935 which is accessible by default on almost any server, but may be
2936 changed to any other URI. Query strings are permitted.
2937
2938 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
2939 but some servers might behave incorrectly in HTTP 1.0, so turning
2940 it to HTTP/1.1 may sometimes help. Note that the Host field is
2941 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
2942 after "\r\n" following the version string.
2943
2944 By default, server health checks only consist in trying to establish a TCP
2945 connection. When "option httpchk" is specified, a complete HTTP request is
2946 sent once the TCP connection is established, and responses 2xx and 3xx are
2947 considered valid, while all other ones indicate a server failure, including
2948 the lack of any response.
2949
2950 The port and interval are specified in the server configuration.
2951
2952 This option does not necessarily require an HTTP backend, it also works with
2953 plain TCP backends. This is particularly useful to check simple scripts bound
2954 to some dedicated ports using the inetd daemon.
2955
2956 Examples :
2957 # Relay HTTPS traffic to Apache instance and check service availability
2958 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
2959 backend https_relay
2960 mode tcp
2961 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
2962 server apache1 192.168.1.1:443 check port 80
2963
2964 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
2965 "http-check" and the "check", "port" and "inter" server options.
2966
2967
Willy Tarreauc27debf2008-01-06 08:57:02 +01002968option httpclose
2969no option httpclose
2970 Enable or disable passive HTTP connection closing
2971 May be used in sections : defaults | frontend | listen | backend
2972 yes | yes | yes | yes
2973 Arguments : none
2974
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02002975 By default, when a client communicates with a server, HAProxy will only
2976 analyze, log, and process the first request of each connection. If "option
2977 httpclose" is set, it will check if a "Connection: close" header is already
2978 set in each direction, and will add one if missing. Each end should react to
2979 this by actively closing the TCP connection after each transfer, thus
2980 resulting in a switch to the HTTP close mode. Any "Connection" header
2981 different from "close" will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002982
2983 It seldom happens that some servers incorrectly ignore this header and do not
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002984 close the connection eventhough they reply "Connection: close". For this
2985 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2986 it is possible to use the "option forceclose" which actively closes the
2987 request connection once the server responds. Option "forceclose" also
2988 releases the server connection earlier because it does not have to wait for
2989 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002990
2991 This option may be set both in a frontend and in a backend. It is enabled if
2992 at least one of the frontend or backend holding a connection has it enabled.
2993 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002994 If "option http-server-close" is enabled at the same time as "httpclose", it
2995 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01002996
2997 If this option has been enabled in a "defaults" section, it can be disabled
2998 in a specific instance by prepending the "no" keyword before it.
2999
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02003000 See also : "option forceclose", "option http-server-close" and
3001 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01003002
3003
Emeric Brun3a058f32009-06-30 18:26:00 +02003004option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003005 Enable logging of HTTP request, session state and timers
3006 May be used in sections : defaults | frontend | listen | backend
3007 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02003008 Arguments :
3009 clf if the "clf" argument is added, then the output format will be
3010 the CLF format instead of HAProxy's default HTTP format. You can
3011 use this when you need to feed HAProxy's logs through a specific
3012 log analyser which only support the CLF format and which is not
3013 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003014
3015 By default, the log output format is very poor, as it only contains the
3016 source and destination addresses, and the instance name. By specifying
3017 "option httplog", each log line turns into a much richer format including,
3018 but not limited to, the HTTP request, the connection timers, the session
3019 status, the connections numbers, the captured headers and cookies, the
3020 frontend, backend and server name, and of course the source address and
3021 ports.
3022
3023 This option may be set either in the frontend or the backend.
3024
Emeric Brun3a058f32009-06-30 18:26:00 +02003025 If this option has been enabled in a "defaults" section, it can be disabled
3026 in a specific instance by prepending the "no" keyword before it. Specifying
3027 only "option httplog" will automatically clear the 'clf' mode if it was set
3028 by default.
3029
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003030 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003031
Willy Tarreau55165fe2009-05-10 12:02:55 +02003032
3033option http_proxy
3034no option http_proxy
3035 Enable or disable plain HTTP proxy mode
3036 May be used in sections : defaults | frontend | listen | backend
3037 yes | yes | yes | yes
3038 Arguments : none
3039
3040 It sometimes happens that people need a pure HTTP proxy which understands
3041 basic proxy requests without caching nor any fancy feature. In this case,
3042 it may be worth setting up an HAProxy instance with the "option http_proxy"
3043 set. In this mode, no server is declared, and the connection is forwarded to
3044 the IP address and port found in the URL after the "http://" scheme.
3045
3046 No host address resolution is performed, so this only works when pure IP
3047 addresses are passed. Since this option's usage perimeter is rather limited,
3048 it will probably be used only by experts who know they need exactly it. Last,
3049 if the clients are susceptible of sending keep-alive requests, it will be
3050 needed to add "option http_close" to ensure that all requests will correctly
3051 be analyzed.
3052
3053 If this option has been enabled in a "defaults" section, it can be disabled
3054 in a specific instance by prepending the "no" keyword before it.
3055
3056 Example :
3057 # this backend understands HTTP proxy requests and forwards them directly.
3058 backend direct_forward
3059 option httpclose
3060 option http_proxy
3061
3062 See also : "option httpclose"
3063
Willy Tarreau211ad242009-10-03 21:45:07 +02003064
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02003065option ignore-persist { if | unless } <condition>
3066 Declare a condition to ignore persistence
3067 May be used in sections: defaults | frontend | listen | backend
3068 no | yes | yes | yes
3069
3070 By default, when cookie persistence is enabled, every requests containing
3071 the cookie are unconditionally persistent (assuming the target server is up
3072 and running).
3073
3074 The "ignore-persist" statement allows one to declare various ACL-based
3075 conditions which, when met, will cause a request to ignore persistence.
3076 This is sometimes useful to load balance requests for static files, which
3077 oftenly don't require persistence. This can also be used to fully disable
3078 persistence for a specific User-Agent (for example, some web crawler bots).
3079
3080 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3081 the appsession table won't grow if persistence is ignored.
3082
3083 The persistence is ignored when an "if" condition is met, or unless an
3084 "unless" condition is met.
3085
3086 See also : "option force-persist", "cookie", and section 7 about ACL usage.
3087
3088
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02003089option independant-streams
3090no option independant-streams
3091 Enable or disable independant timeout processing for both directions
3092 May be used in sections : defaults | frontend | listen | backend
3093 yes | yes | yes | yes
3094 Arguments : none
3095
3096 By default, when data is sent over a socket, both the write timeout and the
3097 read timeout for that socket are refreshed, because we consider that there is
3098 activity on that socket, and we have no other means of guessing if we should
3099 receive data or not.
3100
3101 While this default behaviour is desirable for almost all applications, there
3102 exists a situation where it is desirable to disable it, and only refresh the
3103 read timeout if there are incoming data. This happens on sessions with large
3104 timeouts and low amounts of exchanged data such as telnet session. If the
3105 server suddenly disappears, the output data accumulates in the system's
3106 socket buffers, both timeouts are correctly refreshed, and there is no way
3107 to know the server does not receive them, so we don't timeout. However, when
3108 the underlying protocol always echoes sent data, it would be enough by itself
3109 to detect the issue using the read timeout. Note that this problem does not
3110 happen with more verbose protocols because data won't accumulate long in the
3111 socket buffers.
3112
3113 When this option is set on the frontend, it will disable read timeout updates
3114 on data sent to the client. There probably is little use of this case. When
3115 the option is set on the backend, it will disable read timeout updates on
3116 data sent to the server. Doing so will typically break large HTTP posts from
3117 slow lines, so use it with caution.
3118
3119 See also : "timeout client" and "timeout server"
3120
3121
Willy Tarreau211ad242009-10-03 21:45:07 +02003122option log-health-checks
3123no option log-health-checks
3124 Enable or disable logging of health checks
3125 May be used in sections : defaults | frontend | listen | backend
3126 yes | no | yes | yes
3127 Arguments : none
3128
3129 Enable health checks logging so it possible to check for example what
3130 was happening before a server crash. Failed health check are logged if
3131 server is UP and succeeded health checks if server is DOWN, so the amount
3132 of additional information is limited.
3133
3134 If health check logging is enabled no health check status is printed
3135 when servers is set up UP/DOWN/ENABLED/DISABLED.
3136
3137 See also: "log" and section 8 about logging.
3138
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003139
3140option log-separate-errors
3141no option log-separate-errors
3142 Change log level for non-completely successful connections
3143 May be used in sections : defaults | frontend | listen | backend
3144 yes | yes | yes | no
3145 Arguments : none
3146
3147 Sometimes looking for errors in logs is not easy. This option makes haproxy
3148 raise the level of logs containing potentially interesting information such
3149 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
3150 level changes from "info" to "err". This makes it possible to log them
3151 separately to a different file with most syslog daemons. Be careful not to
3152 remove them from the original file, otherwise you would lose ordering which
3153 provides very important information.
3154
3155 Using this option, large sites dealing with several thousand connections per
3156 second may log normal traffic to a rotating buffer and only archive smaller
3157 error logs.
3158
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003159 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003160 logging.
3161
Willy Tarreauc27debf2008-01-06 08:57:02 +01003162
3163option logasap
3164no option logasap
3165 Enable or disable early logging of HTTP requests
3166 May be used in sections : defaults | frontend | listen | backend
3167 yes | yes | yes | no
3168 Arguments : none
3169
3170 By default, HTTP requests are logged upon termination so that the total
3171 transfer time and the number of bytes appear in the logs. When large objects
3172 are being transferred, it may take a while before the request appears in the
3173 logs. Using "option logasap", the request gets logged as soon as the server
3174 sends the complete headers. The only missing information in the logs will be
3175 the total number of bytes which will indicate everything except the amount
3176 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003177 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01003178 "Content-Length" response header so that the logs at least indicate how many
3179 bytes are expected to be transferred.
3180
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003181 Examples :
3182 listen http_proxy 0.0.0.0:80
3183 mode http
3184 option httplog
3185 option logasap
3186 log 192.168.2.200 local3
3187
3188 >>> Feb 6 12:14:14 localhost \
3189 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
3190 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
3191 "GET /image.iso HTTP/1.0"
3192
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003193 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01003194 logging.
3195
3196
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01003197option mysql-check
3198 Use Mysql health checks for server testing
3199 May be used in sections : defaults | frontend | listen | backend
3200 yes | no | yes | yes
3201 Arguments : none
3202
3203 The check consists in parsing Mysql Handshake Initialisation packet or Error
3204 packet, which is sent by MySQL server on connect. It is a basic but useful
3205 test which does not produce any logging on the server. However, it does not
3206 check database presence nor database consistency, nor user permission to
3207 access. To do this, you can use an external check with xinetd for example.
3208
3209 Most often, an incoming MySQL server needs to see the client's IP address for
3210 various purposes, including IP privilege matching and connection logging.
3211 When possible, it is often wise to masquerade the client's IP address when
3212 connecting to the server using the "usesrc" argument of the "source" keyword,
3213 which requires the cttproxy feature to be compiled in, and the MySQL server
3214 to route the client via the machine hosting haproxy.
3215
3216 See also: "option httpchk"
3217
3218
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003219option nolinger
3220no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003221 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003222 May be used in sections: defaults | frontend | listen | backend
3223 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003224 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003225
3226 When clients or servers abort connections in a dirty way (eg: they are
3227 physically disconnected), the session timeouts triggers and the session is
3228 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3229 using some resources and possibly limiting the ability to establish newer
3230 connections.
3231
3232 When this happens, it is possible to activate "option nolinger" which forces
3233 the system to immediately remove any socket's pending data on close. Thus,
3234 the session is instantly purged from the system's tables. This usually has
3235 side effects such as increased number of TCP resets due to old retransmits
3236 getting immediately rejected. Some firewalls may sometimes complain about
3237 this too.
3238
3239 For this reason, it is not recommended to use this option when not absolutely
3240 needed. You know that you need it when you have thousands of FIN_WAIT1
3241 sessions on your system (TIME_WAIT ones do not count).
3242
3243 This option may be used both on frontends and backends, depending on the side
3244 where it is required. Use it on the frontend for clients, and on the backend
3245 for servers.
3246
3247 If this option has been enabled in a "defaults" section, it can be disabled
3248 in a specific instance by prepending the "no" keyword before it.
3249
3250
Willy Tarreau55165fe2009-05-10 12:02:55 +02003251option originalto [ except <network> ] [ header <name> ]
3252 Enable insertion of the X-Original-To header to requests sent to servers
3253 May be used in sections : defaults | frontend | listen | backend
3254 yes | yes | yes | yes
3255 Arguments :
3256 <network> is an optional argument used to disable this option for sources
3257 matching <network>
3258 <name> an optional argument to specify a different "X-Original-To"
3259 header name.
3260
3261 Since HAProxy can work in transparent mode, every request from a client can
3262 be redirected to the proxy and HAProxy itself can proxy every request to a
3263 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3264 be lost. This is annoying when you want access rules based on destination ip
3265 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3266 added by HAProxy to all requests sent to the server. This header contains a
3267 value representing the original destination IP address. Since this must be
3268 configured to always use the last occurrence of this header only. Note that
3269 only the last occurrence of the header must be used, since it is really
3270 possible that the client has already brought one.
3271
3272 The keyword "header" may be used to supply a different header name to replace
3273 the default "X-Original-To". This can be useful where you might already
3274 have a "X-Original-To" header from a different application, and you need
3275 preserve it. Also if your backend server doesn't use the "X-Original-To"
3276 header and requires different one.
3277
3278 Sometimes, a same HAProxy instance may be shared between a direct client
3279 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3280 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3281 header for a known source address or network by adding the "except" keyword
3282 followed by the network address. In this case, any source IP matching the
3283 network will not cause an addition of this header. Most common uses are with
3284 private networks or 127.0.0.1.
3285
3286 This option may be specified either in the frontend or in the backend. If at
3287 least one of them uses it, the header will be added. Note that the backend's
3288 setting of the header subargument takes precedence over the frontend's if
3289 both are defined.
3290
3291 It is important to note that as long as HAProxy does not support keep-alive
3292 connections, only the first request of a connection will receive the header.
3293 For this reason, it is important to ensure that "option httpclose" is set
3294 when using this option.
3295
3296 Examples :
3297 # Original Destination address
3298 frontend www
3299 mode http
3300 option originalto except 127.0.0.1
3301
3302 # Those servers want the IP Address in X-Client-Dst
3303 backend www
3304 mode http
3305 option originalto header X-Client-Dst
3306
3307 See also : "option httpclose"
3308
3309
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003310option persist
3311no option persist
3312 Enable or disable forced persistence on down servers
3313 May be used in sections: defaults | frontend | listen | backend
3314 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003315 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003316
3317 When an HTTP request reaches a backend with a cookie which references a dead
3318 server, by default it is redispatched to another server. It is possible to
3319 force the request to be sent to the dead server first using "option persist"
3320 if absolutely needed. A common use case is when servers are under extreme
3321 load and spend their time flapping. In this case, the users would still be
3322 directed to the server they opened the session on, in the hope they would be
3323 correctly served. It is recommended to use "option redispatch" in conjunction
3324 with this option so that in the event it would not be possible to connect to
3325 the server at all (server definitely dead), the client would finally be
3326 redirected to another valid server.
3327
3328 If this option has been enabled in a "defaults" section, it can be disabled
3329 in a specific instance by prepending the "no" keyword before it.
3330
Willy Tarreau4de91492010-01-22 19:10:05 +01003331 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003332
3333
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003334option redispatch
3335no option redispatch
3336 Enable or disable session redistribution in case of connection failure
3337 May be used in sections: defaults | frontend | listen | backend
3338 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003339 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003340
3341 In HTTP mode, if a server designated by a cookie is down, clients may
3342 definitely stick to it because they cannot flush the cookie, so they will not
3343 be able to access the service anymore.
3344
3345 Specifying "option redispatch" will allow the proxy to break their
3346 persistence and redistribute them to a working server.
3347
3348 It also allows to retry last connection to another server in case of multiple
3349 connection failures. Of course, it requires having "retries" set to a nonzero
3350 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003351
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003352 This form is the preferred form, which replaces both the "redispatch" and
3353 "redisp" keywords.
3354
3355 If this option has been enabled in a "defaults" section, it can be disabled
3356 in a specific instance by prepending the "no" keyword before it.
3357
Willy Tarreau4de91492010-01-22 19:10:05 +01003358 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003359
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003360
3361option smtpchk
3362option smtpchk <hello> <domain>
3363 Use SMTP health checks for server testing
3364 May be used in sections : defaults | frontend | listen | backend
3365 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003366 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003367 <hello> is an optional argument. It is the "hello" command to use. It can
3368 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3369 values will be turned into the default command ("HELO").
3370
3371 <domain> is the domain name to present to the server. It may only be
3372 specified (and is mandatory) if the hello command has been
3373 specified. By default, "localhost" is used.
3374
3375 When "option smtpchk" is set, the health checks will consist in TCP
3376 connections followed by an SMTP command. By default, this command is
3377 "HELO localhost". The server's return code is analyzed and only return codes
3378 starting with a "2" will be considered as valid. All other responses,
3379 including a lack of response will constitute an error and will indicate a
3380 dead server.
3381
3382 This test is meant to be used with SMTP servers or relays. Depending on the
3383 request, it is possible that some servers do not log each connection attempt,
3384 so you may want to experiment to improve the behaviour. Using telnet on port
3385 25 is often easier than adjusting the configuration.
3386
3387 Most often, an incoming SMTP server needs to see the client's IP address for
3388 various purposes, including spam filtering, anti-spoofing and logging. When
3389 possible, it is often wise to masquerade the client's IP address when
3390 connecting to the server using the "usesrc" argument of the "source" keyword,
3391 which requires the cttproxy feature to be compiled in.
3392
3393 Example :
3394 option smtpchk HELO mydomain.org
3395
3396 See also : "option httpchk", "source"
3397
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003398
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003399option socket-stats
3400no option socket-stats
3401
3402 Enable or disable collecting & providing separate statistics for each socket.
3403 May be used in sections : defaults | frontend | listen | backend
3404 yes | yes | yes | no
3405
3406 Arguments : none
3407
3408
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003409option splice-auto
3410no option splice-auto
3411 Enable or disable automatic kernel acceleration on sockets in both directions
3412 May be used in sections : defaults | frontend | listen | backend
3413 yes | yes | yes | yes
3414 Arguments : none
3415
3416 When this option is enabled either on a frontend or on a backend, haproxy
3417 will automatically evaluate the opportunity to use kernel tcp splicing to
3418 forward data between the client and the server, in either direction. Haproxy
3419 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003420 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003421 are not much aggressive in order to limit excessive use of splicing. This
3422 option requires splicing to be enabled at compile time, and may be globally
3423 disabled with the global option "nosplice". Since splice uses pipes, using it
3424 requires that there are enough spare pipes.
3425
3426 Important note: kernel-based TCP splicing is a Linux-specific feature which
3427 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3428 transfer data between sockets without copying these data to user-space, thus
3429 providing noticeable performance gains and CPU cycles savings. Since many
3430 early implementations are buggy, corrupt data and/or are inefficient, this
3431 feature is not enabled by default, and it should be used with extreme care.
3432 While it is not possible to detect the correctness of an implementation,
3433 2.6.29 is the first version offering a properly working implementation. In
3434 case of doubt, splicing may be globally disabled using the global "nosplice"
3435 keyword.
3436
3437 Example :
3438 option splice-auto
3439
3440 If this option has been enabled in a "defaults" section, it can be disabled
3441 in a specific instance by prepending the "no" keyword before it.
3442
3443 See also : "option splice-request", "option splice-response", and global
3444 options "nosplice" and "maxpipes"
3445
3446
3447option splice-request
3448no option splice-request
3449 Enable or disable automatic kernel acceleration on sockets for requests
3450 May be used in sections : defaults | frontend | listen | backend
3451 yes | yes | yes | yes
3452 Arguments : none
3453
3454 When this option is enabled either on a frontend or on a backend, haproxy
3455 will user kernel tcp splicing whenever possible to forward data going from
3456 the client to the server. It might still use the recv/send scheme if there
3457 are no spare pipes left. This option requires splicing to be enabled at
3458 compile time, and may be globally disabled with the global option "nosplice".
3459 Since splice uses pipes, using it requires that there are enough spare pipes.
3460
3461 Important note: see "option splice-auto" for usage limitations.
3462
3463 Example :
3464 option splice-request
3465
3466 If this option has been enabled in a "defaults" section, it can be disabled
3467 in a specific instance by prepending the "no" keyword before it.
3468
3469 See also : "option splice-auto", "option splice-response", and global options
3470 "nosplice" and "maxpipes"
3471
3472
3473option splice-response
3474no option splice-response
3475 Enable or disable automatic kernel acceleration on sockets for responses
3476 May be used in sections : defaults | frontend | listen | backend
3477 yes | yes | yes | yes
3478 Arguments : none
3479
3480 When this option is enabled either on a frontend or on a backend, haproxy
3481 will user kernel tcp splicing whenever possible to forward data going from
3482 the server to the client. It might still use the recv/send scheme if there
3483 are no spare pipes left. This option requires splicing to be enabled at
3484 compile time, and may be globally disabled with the global option "nosplice".
3485 Since splice uses pipes, using it requires that there are enough spare pipes.
3486
3487 Important note: see "option splice-auto" for usage limitations.
3488
3489 Example :
3490 option splice-response
3491
3492 If this option has been enabled in a "defaults" section, it can be disabled
3493 in a specific instance by prepending the "no" keyword before it.
3494
3495 See also : "option splice-auto", "option splice-request", and global options
3496 "nosplice" and "maxpipes"
3497
3498
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003499option srvtcpka
3500no option srvtcpka
3501 Enable or disable the sending of TCP keepalive packets on the server side
3502 May be used in sections : defaults | frontend | listen | backend
3503 yes | no | yes | yes
3504 Arguments : none
3505
3506 When there is a firewall or any session-aware component between a client and
3507 a server, and when the protocol involves very long sessions with long idle
3508 periods (eg: remote desktops), there is a risk that one of the intermediate
3509 components decides to expire a session which has remained idle for too long.
3510
3511 Enabling socket-level TCP keep-alives makes the system regularly send packets
3512 to the other end of the connection, leaving it active. The delay between
3513 keep-alive probes is controlled by the system only and depends both on the
3514 operating system and its tuning parameters.
3515
3516 It is important to understand that keep-alive packets are neither emitted nor
3517 received at the application level. It is only the network stacks which sees
3518 them. For this reason, even if one side of the proxy already uses keep-alives
3519 to maintain its connection alive, those keep-alive packets will not be
3520 forwarded to the other side of the proxy.
3521
3522 Please note that this has nothing to do with HTTP keep-alive.
3523
3524 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
3525 server side of a connection, which should help when session expirations are
3526 noticed between HAProxy and a server.
3527
3528 If this option has been enabled in a "defaults" section, it can be disabled
3529 in a specific instance by prepending the "no" keyword before it.
3530
3531 See also : "option clitcpka", "option tcpka"
3532
3533
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003534option ssl-hello-chk
3535 Use SSLv3 client hello health checks for server testing
3536 May be used in sections : defaults | frontend | listen | backend
3537 yes | no | yes | yes
3538 Arguments : none
3539
3540 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
3541 possible to test that the server correctly talks SSL instead of just testing
3542 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
3543 SSLv3 client hello messages are sent once the connection is established to
3544 the server, and the response is analyzed to find an SSL server hello message.
3545 The server is considered valid only when the response contains this server
3546 hello message.
3547
3548 All servers tested till there correctly reply to SSLv3 client hello messages,
3549 and most servers tested do not even log the requests containing only hello
3550 messages, which is appreciable.
3551
3552 See also: "option httpchk"
3553
3554
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003555option tcp-smart-accept
3556no option tcp-smart-accept
3557 Enable or disable the saving of one ACK packet during the accept sequence
3558 May be used in sections : defaults | frontend | listen | backend
3559 yes | yes | yes | no
3560 Arguments : none
3561
3562 When an HTTP connection request comes in, the system acknowledges it on
3563 behalf of HAProxy, then the client immediately sends its request, and the
3564 system acknowledges it too while it is notifying HAProxy about the new
3565 connection. HAProxy then reads the request and responds. This means that we
3566 have one TCP ACK sent by the system for nothing, because the request could
3567 very well be acknowledged by HAProxy when it sends its response.
3568
3569 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
3570 sending this useless ACK on platforms which support it (currently at least
3571 Linux). It must not cause any problem, because the system will send it anyway
3572 after 40 ms if the response takes more time than expected to come.
3573
3574 During complex network debugging sessions, it may be desirable to disable
3575 this optimization because delayed ACKs can make troubleshooting more complex
3576 when trying to identify where packets are delayed. It is then possible to
3577 fall back to normal behaviour by specifying "no option tcp-smart-accept".
3578
3579 It is also possible to force it for non-HTTP proxies by simply specifying
3580 "option tcp-smart-accept". For instance, it can make sense with some services
3581 such as SMTP where the server speaks first.
3582
3583 It is recommended to avoid forcing this option in a defaults section. In case
3584 of doubt, consider setting it back to automatic values by prepending the
3585 "default" keyword before it, or disabling it using the "no" keyword.
3586
Willy Tarreaud88edf22009-06-14 15:48:17 +02003587 See also : "option tcp-smart-connect"
3588
3589
3590option tcp-smart-connect
3591no option tcp-smart-connect
3592 Enable or disable the saving of one ACK packet during the connect sequence
3593 May be used in sections : defaults | frontend | listen | backend
3594 yes | no | yes | yes
3595 Arguments : none
3596
3597 On certain systems (at least Linux), HAProxy can ask the kernel not to
3598 immediately send an empty ACK upon a connection request, but to directly
3599 send the buffer request instead. This saves one packet on the network and
3600 thus boosts performance. It can also be useful for some servers, because they
3601 immediately get the request along with the incoming connection.
3602
3603 This feature is enabled when "option tcp-smart-connect" is set in a backend.
3604 It is not enabled by default because it makes network troubleshooting more
3605 complex.
3606
3607 It only makes sense to enable it with protocols where the client speaks first
3608 such as HTTP. In other situations, if there is no data to send in place of
3609 the ACK, a normal ACK is sent.
3610
3611 If this option has been enabled in a "defaults" section, it can be disabled
3612 in a specific instance by prepending the "no" keyword before it.
3613
3614 See also : "option tcp-smart-accept"
3615
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003616
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003617option tcpka
3618 Enable or disable the sending of TCP keepalive packets on both sides
3619 May be used in sections : defaults | frontend | listen | backend
3620 yes | yes | yes | yes
3621 Arguments : none
3622
3623 When there is a firewall or any session-aware component between a client and
3624 a server, and when the protocol involves very long sessions with long idle
3625 periods (eg: remote desktops), there is a risk that one of the intermediate
3626 components decides to expire a session which has remained idle for too long.
3627
3628 Enabling socket-level TCP keep-alives makes the system regularly send packets
3629 to the other end of the connection, leaving it active. The delay between
3630 keep-alive probes is controlled by the system only and depends both on the
3631 operating system and its tuning parameters.
3632
3633 It is important to understand that keep-alive packets are neither emitted nor
3634 received at the application level. It is only the network stacks which sees
3635 them. For this reason, even if one side of the proxy already uses keep-alives
3636 to maintain its connection alive, those keep-alive packets will not be
3637 forwarded to the other side of the proxy.
3638
3639 Please note that this has nothing to do with HTTP keep-alive.
3640
3641 Using option "tcpka" enables the emission of TCP keep-alive probes on both
3642 the client and server sides of a connection. Note that this is meaningful
3643 only in "defaults" or "listen" sections. If this option is used in a
3644 frontend, only the client side will get keep-alives, and if this option is
3645 used in a backend, only the server side will get keep-alives. For this
3646 reason, it is strongly recommended to explicitly use "option clitcpka" and
3647 "option srvtcpka" when the configuration is split between frontends and
3648 backends.
3649
3650 See also : "option clitcpka", "option srvtcpka"
3651
Willy Tarreau844e3c52008-01-11 16:28:18 +01003652
3653option tcplog
3654 Enable advanced logging of TCP connections with session state and timers
3655 May be used in sections : defaults | frontend | listen | backend
3656 yes | yes | yes | yes
3657 Arguments : none
3658
3659 By default, the log output format is very poor, as it only contains the
3660 source and destination addresses, and the instance name. By specifying
3661 "option tcplog", each log line turns into a much richer format including, but
3662 not limited to, the connection timers, the session status, the connections
3663 numbers, the frontend, backend and server name, and of course the source
3664 address and ports. This option is useful for pure TCP proxies in order to
3665 find which of the client or server disconnects or times out. For normal HTTP
3666 proxies, it's better to use "option httplog" which is even more complete.
3667
3668 This option may be set either in the frontend or the backend.
3669
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003670 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003671
3672
Willy Tarreau844e3c52008-01-11 16:28:18 +01003673option transparent
3674no option transparent
3675 Enable client-side transparent proxying
3676 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01003677 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01003678 Arguments : none
3679
3680 This option was introduced in order to provide layer 7 persistence to layer 3
3681 load balancers. The idea is to use the OS's ability to redirect an incoming
3682 connection for a remote address to a local process (here HAProxy), and let
3683 this process know what address was initially requested. When this option is
3684 used, sessions without cookies will be forwarded to the original destination
3685 IP address of the incoming request (which should match that of another
3686 equipment), while requests with cookies will still be forwarded to the
3687 appropriate server.
3688
3689 Note that contrary to a common belief, this option does NOT make HAProxy
3690 present the client's IP to the server when establishing the connection.
3691
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003692 See also: the "usersrc" argument of the "source" keyword, and the
3693 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003694
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003695
Emeric Brun647caf12009-06-30 17:57:00 +02003696persist rdp-cookie
3697persist rdp-cookie(name)
3698 Enable RDP cookie-based persistence
3699 May be used in sections : defaults | frontend | listen | backend
3700 yes | no | yes | yes
3701 Arguments :
3702 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02003703 default cookie name "msts" will be used. There currently is no
3704 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02003705
3706 This statement enables persistence based on an RDP cookie. The RDP cookie
3707 contains all information required to find the server in the list of known
3708 servers. So when this option is set in the backend, the request is analysed
3709 and if an RDP cookie is found, it is decoded. If it matches a known server
3710 which is still UP (or if "option persist" is set), then the connection is
3711 forwarded to this server.
3712
3713 Note that this only makes sense in a TCP backend, but for this to work, the
3714 frontend must have waited long enough to ensure that an RDP cookie is present
3715 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003716 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02003717 a single "listen" section.
3718
Willy Tarreau61e28f22010-05-16 22:31:05 +02003719 Also, it is important to understand that the terminal server will emit this
3720 RDP cookie only if it is configured for "token redirection mode", which means
3721 that the "IP address redirection" option is disabled.
3722
Emeric Brun647caf12009-06-30 17:57:00 +02003723 Example :
3724 listen tse-farm
3725 bind :3389
3726 # wait up to 5s for an RDP cookie in the request
3727 tcp-request inspect-delay 5s
3728 tcp-request content accept if RDP_COOKIE
3729 # apply RDP cookie persistence
3730 persist rdp-cookie
3731 # if server is unknown, let's balance on the same cookie.
3732 # alternatively, "balance leastconn" may be useful too.
3733 balance rdp-cookie
3734 server srv1 1.1.1.1:3389
3735 server srv2 1.1.1.2:3389
3736
3737 See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
3738
3739
Willy Tarreau3a7d2072009-03-05 23:48:25 +01003740rate-limit sessions <rate>
3741 Set a limit on the number of new sessions accepted per second on a frontend
3742 May be used in sections : defaults | frontend | listen | backend
3743 yes | yes | yes | no
3744 Arguments :
3745 <rate> The <rate> parameter is an integer designating the maximum number
3746 of new sessions per second to accept on the frontend.
3747
3748 When the frontend reaches the specified number of new sessions per second, it
3749 stops accepting new connections until the rate drops below the limit again.
3750 During this time, the pending sessions will be kept in the socket's backlog
3751 (in system buffers) and haproxy will not even be aware that sessions are
3752 pending. When applying very low limit on a highly loaded service, it may make
3753 sense to increase the socket's backlog using the "backlog" keyword.
3754
3755 This feature is particularly efficient at blocking connection-based attacks
3756 or service abuse on fragile servers. Since the session rate is measured every
3757 millisecond, it is extremely accurate. Also, the limit applies immediately,
3758 no delay is needed at all to detect the threshold.
3759
3760 Example : limit the connection rate on SMTP to 10 per second max
3761 listen smtp
3762 mode tcp
3763 bind :25
3764 rate-limit sessions 10
3765 server 127.0.0.1:1025
3766
3767 Note : when the maximum rate is reached, the frontend's status appears as
3768 "FULL" in the statistics, exactly as when it is saturated.
3769
3770 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
3771
3772
Willy Tarreauf285f542010-01-03 20:03:03 +01003773redirect location <to> [code <code>] <option> [{if | unless} <condition>]
3774redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003775 Return an HTTP redirection if/unless a condition is matched
3776 May be used in sections : defaults | frontend | listen | backend
3777 no | yes | yes | yes
3778
3779 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01003780 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003781
Willy Tarreau0140f252008-11-19 21:07:09 +01003782 Arguments :
3783 <to> With "redirect location", the exact value in <to> is placed into
3784 the HTTP "Location" header. In case of "redirect prefix", the
3785 "Location" header is built from the concatenation of <to> and the
3786 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01003787 option is specified (see below). As a special case, if <to>
3788 equals exactly "/" in prefix mode, then nothing is inserted
3789 before the original URI. It allows one to redirect to the same
3790 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01003791
3792 <code> The code is optional. It indicates which type of HTTP redirection
3793 is desired. Only codes 301, 302 and 303 are supported, and 302 is
3794 used if no code is specified. 301 means "Moved permanently", and
3795 a browser may cache the Location. 302 means "Moved permanently"
3796 and means that the browser should not cache the redirection. 303
3797 is equivalent to 302 except that the browser will fetch the
3798 location with a GET method.
3799
3800 <option> There are several options which can be specified to adjust the
3801 expected behaviour of a redirection :
3802
3803 - "drop-query"
3804 When this keyword is used in a prefix-based redirection, then the
3805 location will be set without any possible query-string, which is useful
3806 for directing users to a non-secure page for instance. It has no effect
3807 with a location-type redirect.
3808
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003809 - "append-slash"
3810 This keyword may be used in conjunction with "drop-query" to redirect
3811 users who use a URL not ending with a '/' to the same one with the '/'.
3812 It can be useful to ensure that search engines will only see one URL.
3813 For this, a return code 301 is preferred.
3814
Willy Tarreau0140f252008-11-19 21:07:09 +01003815 - "set-cookie NAME[=value]"
3816 A "Set-Cookie" header will be added with NAME (and optionally "=value")
3817 to the response. This is sometimes used to indicate that a user has
3818 been seen, for instance to protect against some types of DoS. No other
3819 cookie option is added, so the cookie will be a session cookie. Note
3820 that for a browser, a sole cookie name without an equal sign is
3821 different from a cookie with an equal sign.
3822
3823 - "clear-cookie NAME[=]"
3824 A "Set-Cookie" header will be added with NAME (and optionally "="), but
3825 with the "Max-Age" attribute set to zero. This will tell the browser to
3826 delete this cookie. It is useful for instance on logout pages. It is
3827 important to note that clearing the cookie "NAME" will not remove a
3828 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
3829 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003830
3831 Example: move the login URL only to HTTPS.
3832 acl clear dst_port 80
3833 acl secure dst_port 8080
3834 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01003835 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01003836 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01003837 acl cookie_set hdr_sub(cookie) SEEN=1
3838
3839 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01003840 redirect prefix https://mysite.com if login_page !secure
3841 redirect prefix http://mysite.com drop-query if login_page !uid_given
3842 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01003843 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003844
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003845 Example: send redirects for request for articles without a '/'.
3846 acl missing_slash path_reg ^/article/[^/]*$
3847 redirect code 301 prefix / drop-query append-slash if missing_slash
3848
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003849 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003850
3851
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003852redisp (deprecated)
3853redispatch (deprecated)
3854 Enable or disable session redistribution in case of connection failure
3855 May be used in sections: defaults | frontend | listen | backend
3856 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003857 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003858
3859 In HTTP mode, if a server designated by a cookie is down, clients may
3860 definitely stick to it because they cannot flush the cookie, so they will not
3861 be able to access the service anymore.
3862
3863 Specifying "redispatch" will allow the proxy to break their persistence and
3864 redistribute them to a working server.
3865
3866 It also allows to retry last connection to another server in case of multiple
3867 connection failures. Of course, it requires having "retries" set to a nonzero
3868 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003869
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003870 This form is deprecated, do not use it in any new configuration, use the new
3871 "option redispatch" instead.
3872
3873 See also : "option redispatch"
3874
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003875
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003876reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01003877 Add a header at the end of the HTTP request
3878 May be used in sections : defaults | frontend | listen | backend
3879 no | yes | yes | yes
3880 Arguments :
3881 <string> is the complete line to be added. Any space or known delimiter
3882 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003883 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003884
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003885 <cond> is an optional matching condition built from ACLs. It makes it
3886 possible to ignore this rule when other conditions are not met.
3887
Willy Tarreau303c0352008-01-17 19:01:39 +01003888 A new line consisting in <string> followed by a line feed will be added after
3889 the last header of an HTTP request.
3890
3891 Header transformations only apply to traffic which passes through HAProxy,
3892 and not to traffic generated by HAProxy, such as health-checks or error
3893 responses.
3894
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003895 Example : add "X-Proto: SSL" to requests coming via port 81
3896 acl is-ssl dst_port 81
3897 reqadd X-Proto:\ SSL if is-ssl
3898
3899 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
3900 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003901
3902
Willy Tarreau5321c422010-01-28 20:35:13 +01003903reqallow <search> [{if | unless} <cond>]
3904reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003905 Definitely allow an HTTP request if a line matches a regular expression
3906 May be used in sections : defaults | frontend | listen | backend
3907 no | yes | yes | yes
3908 Arguments :
3909 <search> is the regular expression applied to HTTP headers and to the
3910 request line. This is an extended regular expression. Parenthesis
3911 grouping is supported and no preliminary backslash is required.
3912 Any space or known delimiter must be escaped using a backslash
3913 ('\'). The pattern applies to a full line at a time. The
3914 "reqallow" keyword strictly matches case while "reqiallow"
3915 ignores case.
3916
Willy Tarreau5321c422010-01-28 20:35:13 +01003917 <cond> is an optional matching condition built from ACLs. It makes it
3918 possible to ignore this rule when other conditions are not met.
3919
Willy Tarreau303c0352008-01-17 19:01:39 +01003920 A request containing any line which matches extended regular expression
3921 <search> will mark the request as allowed, even if any later test would
3922 result in a deny. The test applies both to the request line and to request
3923 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003924 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003925
3926 It is easier, faster and more powerful to use ACLs to write access policies.
3927 Reqdeny, reqallow and reqpass should be avoided in new designs.
3928
3929 Example :
3930 # allow www.* but refuse *.local
3931 reqiallow ^Host:\ www\.
3932 reqideny ^Host:\ .*\.local
3933
Willy Tarreau5321c422010-01-28 20:35:13 +01003934 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
3935 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003936
3937
Willy Tarreau5321c422010-01-28 20:35:13 +01003938reqdel <search> [{if | unless} <cond>]
3939reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003940 Delete all headers matching a regular expression in an HTTP request
3941 May be used in sections : defaults | frontend | listen | backend
3942 no | yes | yes | yes
3943 Arguments :
3944 <search> is the regular expression applied to HTTP headers and to the
3945 request line. This is an extended regular expression. Parenthesis
3946 grouping is supported and no preliminary backslash is required.
3947 Any space or known delimiter must be escaped using a backslash
3948 ('\'). The pattern applies to a full line at a time. The "reqdel"
3949 keyword strictly matches case while "reqidel" ignores case.
3950
Willy Tarreau5321c422010-01-28 20:35:13 +01003951 <cond> is an optional matching condition built from ACLs. It makes it
3952 possible to ignore this rule when other conditions are not met.
3953
Willy Tarreau303c0352008-01-17 19:01:39 +01003954 Any header line matching extended regular expression <search> in the request
3955 will be completely deleted. Most common use of this is to remove unwanted
3956 and/or dangerous headers or cookies from a request before passing it to the
3957 next servers.
3958
3959 Header transformations only apply to traffic which passes through HAProxy,
3960 and not to traffic generated by HAProxy, such as health-checks or error
3961 responses. Keep in mind that header names are not case-sensitive.
3962
3963 Example :
3964 # remove X-Forwarded-For header and SERVER cookie
3965 reqidel ^X-Forwarded-For:.*
3966 reqidel ^Cookie:.*SERVER=
3967
Willy Tarreau5321c422010-01-28 20:35:13 +01003968 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
3969 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003970
3971
Willy Tarreau5321c422010-01-28 20:35:13 +01003972reqdeny <search> [{if | unless} <cond>]
3973reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003974 Deny an HTTP request if a line matches a regular expression
3975 May be used in sections : defaults | frontend | listen | backend
3976 no | yes | yes | yes
3977 Arguments :
3978 <search> is the regular expression applied to HTTP headers and to the
3979 request line. This is an extended regular expression. Parenthesis
3980 grouping is supported and no preliminary backslash is required.
3981 Any space or known delimiter must be escaped using a backslash
3982 ('\'). The pattern applies to a full line at a time. The
3983 "reqdeny" keyword strictly matches case while "reqideny" ignores
3984 case.
3985
Willy Tarreau5321c422010-01-28 20:35:13 +01003986 <cond> is an optional matching condition built from ACLs. It makes it
3987 possible to ignore this rule when other conditions are not met.
3988
Willy Tarreau303c0352008-01-17 19:01:39 +01003989 A request containing any line which matches extended regular expression
3990 <search> will mark the request as denied, even if any later test would
3991 result in an allow. The test applies both to the request line and to request
3992 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003993 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003994
Willy Tarreauced27012008-01-17 20:35:34 +01003995 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003996 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01003997 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01003998
Willy Tarreau303c0352008-01-17 19:01:39 +01003999 It is easier, faster and more powerful to use ACLs to write access policies.
4000 Reqdeny, reqallow and reqpass should be avoided in new designs.
4001
4002 Example :
4003 # refuse *.local, then allow www.*
4004 reqideny ^Host:\ .*\.local
4005 reqiallow ^Host:\ www\.
4006
Willy Tarreau5321c422010-01-28 20:35:13 +01004007 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
4008 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004009
4010
Willy Tarreau5321c422010-01-28 20:35:13 +01004011reqpass <search> [{if | unless} <cond>]
4012reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004013 Ignore any HTTP request line matching a regular expression in next rules
4014 May be used in sections : defaults | frontend | listen | backend
4015 no | yes | yes | yes
4016 Arguments :
4017 <search> is the regular expression applied to HTTP headers and to the
4018 request line. This is an extended regular expression. Parenthesis
4019 grouping is supported and no preliminary backslash is required.
4020 Any space or known delimiter must be escaped using a backslash
4021 ('\'). The pattern applies to a full line at a time. The
4022 "reqpass" keyword strictly matches case while "reqipass" ignores
4023 case.
4024
Willy Tarreau5321c422010-01-28 20:35:13 +01004025 <cond> is an optional matching condition built from ACLs. It makes it
4026 possible to ignore this rule when other conditions are not met.
4027
Willy Tarreau303c0352008-01-17 19:01:39 +01004028 A request containing any line which matches extended regular expression
4029 <search> will skip next rules, without assigning any deny or allow verdict.
4030 The test applies both to the request line and to request headers. Keep in
4031 mind that URLs in request line are case-sensitive while header names are not.
4032
4033 It is easier, faster and more powerful to use ACLs to write access policies.
4034 Reqdeny, reqallow and reqpass should be avoided in new designs.
4035
4036 Example :
4037 # refuse *.local, then allow www.*, but ignore "www.private.local"
4038 reqipass ^Host:\ www.private\.local
4039 reqideny ^Host:\ .*\.local
4040 reqiallow ^Host:\ www\.
4041
Willy Tarreau5321c422010-01-28 20:35:13 +01004042 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
4043 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004044
4045
Willy Tarreau5321c422010-01-28 20:35:13 +01004046reqrep <search> <string> [{if | unless} <cond>]
4047reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004048 Replace a regular expression with a string in an HTTP request line
4049 May be used in sections : defaults | frontend | listen | backend
4050 no | yes | yes | yes
4051 Arguments :
4052 <search> is the regular expression applied to HTTP headers and to the
4053 request line. This is an extended regular expression. Parenthesis
4054 grouping is supported and no preliminary backslash is required.
4055 Any space or known delimiter must be escaped using a backslash
4056 ('\'). The pattern applies to a full line at a time. The "reqrep"
4057 keyword strictly matches case while "reqirep" ignores case.
4058
4059 <string> is the complete line to be added. Any space or known delimiter
4060 must be escaped using a backslash ('\'). References to matched
4061 pattern groups are possible using the common \N form, with N
4062 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004063 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004064
Willy Tarreau5321c422010-01-28 20:35:13 +01004065 <cond> is an optional matching condition built from ACLs. It makes it
4066 possible to ignore this rule when other conditions are not met.
4067
Willy Tarreau303c0352008-01-17 19:01:39 +01004068 Any line matching extended regular expression <search> in the request (both
4069 the request line and header lines) will be completely replaced with <string>.
4070 Most common use of this is to rewrite URLs or domain names in "Host" headers.
4071
4072 Header transformations only apply to traffic which passes through HAProxy,
4073 and not to traffic generated by HAProxy, such as health-checks or error
4074 responses. Note that for increased readability, it is suggested to add enough
4075 spaces between the request and the response. Keep in mind that URLs in
4076 request line are case-sensitive while header names are not.
4077
4078 Example :
4079 # replace "/static/" with "/" at the beginning of any request path.
4080 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
4081 # replace "www.mydomain.com" with "www" in the host name.
4082 reqirep ^Host:\ www.mydomain.com Host:\ www
4083
Willy Tarreau5321c422010-01-28 20:35:13 +01004084 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
4085 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004086
4087
Willy Tarreau5321c422010-01-28 20:35:13 +01004088reqtarpit <search> [{if | unless} <cond>]
4089reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004090 Tarpit an HTTP request containing a line matching a regular expression
4091 May be used in sections : defaults | frontend | listen | backend
4092 no | yes | yes | yes
4093 Arguments :
4094 <search> is the regular expression applied to HTTP headers and to the
4095 request line. This is an extended regular expression. Parenthesis
4096 grouping is supported and no preliminary backslash is required.
4097 Any space or known delimiter must be escaped using a backslash
4098 ('\'). The pattern applies to a full line at a time. The
4099 "reqtarpit" keyword strictly matches case while "reqitarpit"
4100 ignores case.
4101
Willy Tarreau5321c422010-01-28 20:35:13 +01004102 <cond> is an optional matching condition built from ACLs. It makes it
4103 possible to ignore this rule when other conditions are not met.
4104
Willy Tarreau303c0352008-01-17 19:01:39 +01004105 A request containing any line which matches extended regular expression
4106 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01004107 be kept open for a pre-defined time, then will return an HTTP error 500 so
4108 that the attacker does not suspect it has been tarpitted. The status 500 will
4109 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01004110 delay is defined by "timeout tarpit", or "timeout connect" if the former is
4111 not set.
4112
4113 The goal of the tarpit is to slow down robots attacking servers with
4114 identifiable requests. Many robots limit their outgoing number of connections
4115 and stay connected waiting for a reply which can take several minutes to
4116 come. Depending on the environment and attack, it may be particularly
4117 efficient at reducing the load on the network and firewalls.
4118
Willy Tarreau5321c422010-01-28 20:35:13 +01004119 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01004120 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
4121 # block all others.
4122 reqipass ^User-Agent:\.*(Mozilla|MSIE)
4123 reqitarpit ^User-Agent:
4124
Willy Tarreau5321c422010-01-28 20:35:13 +01004125 # block bad guys
4126 acl badguys src 10.1.0.3 172.16.13.20/28
4127 reqitarpit . if badguys
4128
4129 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
4130 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004131
4132
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02004133retries <value>
4134 Set the number of retries to perform on a server after a connection failure
4135 May be used in sections: defaults | frontend | listen | backend
4136 yes | no | yes | yes
4137 Arguments :
4138 <value> is the number of times a connection attempt should be retried on
4139 a server when a connection either is refused or times out. The
4140 default value is 3.
4141
4142 It is important to understand that this value applies to the number of
4143 connection attempts, not full requests. When a connection has effectively
4144 been established to a server, there will be no more retry.
4145
4146 In order to avoid immediate reconnections to a server which is restarting,
4147 a turn-around timer of 1 second is applied before a retry occurs.
4148
4149 When "option redispatch" is set, the last retry may be performed on another
4150 server even if a cookie references a different server.
4151
4152 See also : "option redispatch"
4153
4154
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004155rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01004156 Add a header at the end of the HTTP response
4157 May be used in sections : defaults | frontend | listen | backend
4158 no | yes | yes | yes
4159 Arguments :
4160 <string> is the complete line to be added. Any space or known delimiter
4161 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004162 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004163
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004164 <cond> is an optional matching condition built from ACLs. It makes it
4165 possible to ignore this rule when other conditions are not met.
4166
Willy Tarreau303c0352008-01-17 19:01:39 +01004167 A new line consisting in <string> followed by a line feed will be added after
4168 the last header of an HTTP response.
4169
4170 Header transformations only apply to traffic which passes through HAProxy,
4171 and not to traffic generated by HAProxy, such as health-checks or error
4172 responses.
4173
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004174 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
4175 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004176
4177
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004178rspdel <search> [{if | unless} <cond>]
4179rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004180 Delete all headers matching a regular expression in an HTTP response
4181 May be used in sections : defaults | frontend | listen | backend
4182 no | yes | yes | yes
4183 Arguments :
4184 <search> is the regular expression applied to HTTP headers and to the
4185 response line. This is an extended regular expression, so
4186 parenthesis grouping is supported and no preliminary backslash
4187 is required. Any space or known delimiter must be escaped using
4188 a backslash ('\'). The pattern applies to a full line at a time.
4189 The "rspdel" keyword strictly matches case while "rspidel"
4190 ignores case.
4191
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004192 <cond> is an optional matching condition built from ACLs. It makes it
4193 possible to ignore this rule when other conditions are not met.
4194
Willy Tarreau303c0352008-01-17 19:01:39 +01004195 Any header line matching extended regular expression <search> in the response
4196 will be completely deleted. Most common use of this is to remove unwanted
4197 and/or sensible headers or cookies from a response before passing it to the
4198 client.
4199
4200 Header transformations only apply to traffic which passes through HAProxy,
4201 and not to traffic generated by HAProxy, such as health-checks or error
4202 responses. Keep in mind that header names are not case-sensitive.
4203
4204 Example :
4205 # remove the Server header from responses
4206 reqidel ^Server:.*
4207
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004208 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4209 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004210
4211
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004212rspdeny <search> [{if | unless} <cond>]
4213rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004214 Block an HTTP response if a line matches a regular expression
4215 May be used in sections : defaults | frontend | listen | backend
4216 no | yes | yes | yes
4217 Arguments :
4218 <search> is the regular expression applied to HTTP headers and to the
4219 response line. This is an extended regular expression, so
4220 parenthesis grouping is supported and no preliminary backslash
4221 is required. Any space or known delimiter must be escaped using
4222 a backslash ('\'). The pattern applies to a full line at a time.
4223 The "rspdeny" keyword strictly matches case while "rspideny"
4224 ignores case.
4225
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004226 <cond> is an optional matching condition built from ACLs. It makes it
4227 possible to ignore this rule when other conditions are not met.
4228
Willy Tarreau303c0352008-01-17 19:01:39 +01004229 A response containing any line which matches extended regular expression
4230 <search> will mark the request as denied. The test applies both to the
4231 response line and to response headers. Keep in mind that header names are not
4232 case-sensitive.
4233
4234 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004235 block the response before it reaches the client. If a response is denied, it
4236 will be replaced with an HTTP 502 error so that the client never retrieves
4237 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004238
4239 It is easier, faster and more powerful to use ACLs to write access policies.
4240 Rspdeny should be avoided in new designs.
4241
4242 Example :
4243 # Ensure that no content type matching ms-word will leak
4244 rspideny ^Content-type:\.*/ms-word
4245
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004246 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4247 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004248
4249
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004250rsprep <search> <string> [{if | unless} <cond>]
4251rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004252 Replace a regular expression with a string in an HTTP response line
4253 May be used in sections : defaults | frontend | listen | backend
4254 no | yes | yes | yes
4255 Arguments :
4256 <search> is the regular expression applied to HTTP headers and to the
4257 response line. This is an extended regular expression, so
4258 parenthesis grouping is supported and no preliminary backslash
4259 is required. Any space or known delimiter must be escaped using
4260 a backslash ('\'). The pattern applies to a full line at a time.
4261 The "rsprep" keyword strictly matches case while "rspirep"
4262 ignores case.
4263
4264 <string> is the complete line to be added. Any space or known delimiter
4265 must be escaped using a backslash ('\'). References to matched
4266 pattern groups are possible using the common \N form, with N
4267 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004268 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004269
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004270 <cond> is an optional matching condition built from ACLs. It makes it
4271 possible to ignore this rule when other conditions are not met.
4272
Willy Tarreau303c0352008-01-17 19:01:39 +01004273 Any line matching extended regular expression <search> in the response (both
4274 the response line and header lines) will be completely replaced with
4275 <string>. Most common use of this is to rewrite Location headers.
4276
4277 Header transformations only apply to traffic which passes through HAProxy,
4278 and not to traffic generated by HAProxy, such as health-checks or error
4279 responses. Note that for increased readability, it is suggested to add enough
4280 spaces between the request and the response. Keep in mind that header names
4281 are not case-sensitive.
4282
4283 Example :
4284 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4285 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4286
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004287 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4288 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004289
4290
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004291server <name> <address>[:port] [param*]
4292 Declare a server in a backend
4293 May be used in sections : defaults | frontend | listen | backend
4294 no | no | yes | yes
4295 Arguments :
4296 <name> is the internal name assigned to this server. This name will
4297 appear in logs and alerts.
4298
4299 <address> is the IPv4 address of the server. Alternatively, a resolvable
4300 hostname is supported, but this name will be resolved during
Willy Tarreaud669a4f2010-07-13 14:49:50 +02004301 start-up. Address "0.0.0.0" or "*" has a special meaning. It
4302 indicates that the connection will be forwarded to the same IP
4303 address as the one from the client connection. This is useful in
4304 transparent proxy architectures where the client's connection is
4305 intercepted and haproxy must forward to the original destination
4306 address. This is more or less what the "transparent" keyword does
4307 except that with a server it's possible to limit concurrency and
4308 to report statistics.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004309
4310 <ports> is an optional port specification. If set, all connections will
4311 be sent to this port. If unset, the same port the client
4312 connected to will be used. The port may also be prefixed by a "+"
4313 or a "-". In this case, the server's port will be determined by
4314 adding this value to the client's port.
4315
4316 <param*> is a list of parameters for this server. The "server" keywords
4317 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004318 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004319
4320 Examples :
4321 server first 10.1.1.1:1080 cookie first check inter 1000
4322 server second 10.1.1.2:1080 cookie second check inter 1000
4323
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004324 See also: "default-server" and section 5 about server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004325
4326
4327source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02004328source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004329source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004330 Set the source address for outgoing connections
4331 May be used in sections : defaults | frontend | listen | backend
4332 yes | no | yes | yes
4333 Arguments :
4334 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4335 server. This address is also used as a source for health checks.
4336 The default value of 0.0.0.0 means that the system will select
4337 the most appropriate address to reach its destination.
4338
4339 <port> is an optional port. It is normally not needed but may be useful
4340 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004341 the system will select a free port. Note that port ranges are not
4342 supported in the backend. If you want to force port ranges, you
4343 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004344
4345 <addr2> is the IP address to present to the server when connections are
4346 forwarded in full transparent proxy mode. This is currently only
4347 supported on some patched Linux kernels. When this address is
4348 specified, clients connecting to the server will be presented
4349 with this address, while health checks will still use the address
4350 <addr>.
4351
4352 <port2> is the optional port to present to the server when connections
4353 are forwarded in full transparent proxy mode (see <addr2> above).
4354 The default value of zero means the system will select a free
4355 port.
4356
Willy Tarreaubce70882009-09-07 11:51:47 +02004357 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
4358 This is the name of a comma-separated header list which can
4359 contain multiple IP addresses. By default, the last occurrence is
4360 used. This is designed to work with the X-Forwarded-For header
4361 and to automatically bind to the the client's IP address as seen
4362 by previous proxy, typically Stunnel. In order to use another
4363 occurrence from the last one, please see the <occ> parameter
4364 below. When the header (or occurrence) is not found, no binding
4365 is performed so that the proxy's default IP address is used. Also
4366 keep in mind that the header name is case insensitive, as for any
4367 HTTP header.
4368
4369 <occ> is the occurrence number of a value to be used in a multi-value
4370 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
4371 in order to specificy which occurrence to use for the source IP
4372 address. Positive values indicate a position from the first
4373 occurrence, 1 being the first one. Negative values indicate
4374 positions relative to the last one, -1 being the last one. This
4375 is helpful for situations where an X-Forwarded-For header is set
4376 at the entry point of an infrastructure and must be used several
4377 proxy layers away. When this value is not specified, -1 is
4378 assumed. Passing a zero here disables the feature.
4379
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004380 <name> is an optional interface name to which to bind to for outgoing
4381 traffic. On systems supporting this features (currently, only
4382 Linux), this allows one to bind all traffic to the server to
4383 this interface even if it is not the one the system would select
4384 based on routing tables. This should be used with extreme care.
4385 Note that using this option requires root privileges.
4386
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004387 The "source" keyword is useful in complex environments where a specific
4388 address only is allowed to connect to the servers. It may be needed when a
4389 private address must be used through a public gateway for instance, and it is
4390 known that the system cannot determine the adequate source address by itself.
4391
4392 An extension which is available on certain patched Linux kernels may be used
4393 through the "usesrc" optional keyword. It makes it possible to connect to the
4394 servers with an IP address which does not belong to the system itself. This
4395 is called "full transparent proxy mode". For this to work, the destination
4396 servers have to route their traffic back to this address through the machine
4397 running HAProxy, and IP forwarding must generally be enabled on this machine.
4398
4399 In this "full transparent proxy" mode, it is possible to force a specific IP
4400 address to be presented to the servers. This is not much used in fact. A more
4401 common use is to tell HAProxy to present the client's IP address. For this,
4402 there are two methods :
4403
4404 - present the client's IP and port addresses. This is the most transparent
4405 mode, but it can cause problems when IP connection tracking is enabled on
4406 the machine, because a same connection may be seen twice with different
4407 states. However, this solution presents the huge advantage of not
4408 limiting the system to the 64k outgoing address+port couples, because all
4409 of the client ranges may be used.
4410
4411 - present only the client's IP address and select a spare port. This
4412 solution is still quite elegant but slightly less transparent (downstream
4413 firewalls logs will not match upstream's). It also presents the downside
4414 of limiting the number of concurrent connections to the usual 64k ports.
4415 However, since the upstream and downstream ports are different, local IP
4416 connection tracking on the machine will not be upset by the reuse of the
4417 same session.
4418
4419 Note that depending on the transparent proxy technology used, it may be
4420 required to force the source address. In fact, cttproxy version 2 requires an
4421 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4422 IP address because it creates NAT entries which much match the exact outgoing
4423 address. Tproxy version 4 and some other kernel patches which work in pure
4424 forwarding mode generally will not have this limitation.
4425
4426 This option sets the default source for all servers in the backend. It may
4427 also be specified in a "defaults" section. Finer source address specification
4428 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004429 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004430
4431 Examples :
4432 backend private
4433 # Connect to the servers using our 192.168.1.200 source address
4434 source 192.168.1.200
4435
4436 backend transparent_ssl1
4437 # Connect to the SSL farm from the client's source address
4438 source 192.168.1.200 usesrc clientip
4439
4440 backend transparent_ssl2
4441 # Connect to the SSL farm from the client's source address and port
4442 # not recommended if IP conntrack is present on the local machine.
4443 source 192.168.1.200 usesrc client
4444
4445 backend transparent_ssl3
4446 # Connect to the SSL farm from the client's source address. It
4447 # is more conntrack-friendly.
4448 source 192.168.1.200 usesrc clientip
4449
4450 backend transparent_smtp
4451 # Connect to the SMTP farm from the client's source address/port
4452 # with Tproxy version 4.
4453 source 0.0.0.0 usesrc clientip
4454
Willy Tarreaubce70882009-09-07 11:51:47 +02004455 backend transparent_http
4456 # Connect to the servers using the client's IP as seen by previous
4457 # proxy.
4458 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
4459
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004460 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004461 the Linux kernel on www.balabit.com, the "bind" keyword.
4462
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004463
Willy Tarreau844e3c52008-01-11 16:28:18 +01004464srvtimeout <timeout> (deprecated)
4465 Set the maximum inactivity time on the server side.
4466 May be used in sections : defaults | frontend | listen | backend
4467 yes | no | yes | yes
4468 Arguments :
4469 <timeout> is the timeout value specified in milliseconds by default, but
4470 can be in any other unit if the number is suffixed by the unit,
4471 as explained at the top of this document.
4472
4473 The inactivity timeout applies when the server is expected to acknowledge or
4474 send data. In HTTP mode, this timeout is particularly important to consider
4475 during the first phase of the server's response, when it has to send the
4476 headers, as it directly represents the server's processing time for the
4477 request. To find out what value to put there, it's often good to start with
4478 what would be considered as unacceptable response times, then check the logs
4479 to observe the response time distribution, and adjust the value accordingly.
4480
4481 The value is specified in milliseconds by default, but can be in any other
4482 unit if the number is suffixed by the unit, as specified at the top of this
4483 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4484 recommended that the client timeout remains equal to the server timeout in
4485 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004486 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004487 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01004488 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01004489
4490 This parameter is specific to backends, but can be specified once for all in
4491 "defaults" sections. This is in fact one of the easiest solutions not to
4492 forget about it. An unspecified timeout results in an infinite timeout, which
4493 is not recommended. Such a usage is accepted and works but reports a warning
4494 during startup because it may results in accumulation of expired sessions in
4495 the system if the system's timeouts are not configured either.
4496
4497 This parameter is provided for compatibility but is currently deprecated.
4498 Please use "timeout server" instead.
4499
4500 See also : "timeout server", "timeout client" and "clitimeout".
4501
4502
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004503stats auth <user>:<passwd>
4504 Enable statistics with authentication and grant access to an account
4505 May be used in sections : defaults | frontend | listen | backend
4506 yes | no | yes | yes
4507 Arguments :
4508 <user> is a user name to grant access to
4509
4510 <passwd> is the cleartext password associated to this user
4511
4512 This statement enables statistics with default settings, and restricts access
4513 to declared users only. It may be repeated as many times as necessary to
4514 allow as many users as desired. When a user tries to access the statistics
4515 without a valid account, a "401 Forbidden" response will be returned so that
4516 the browser asks the user to provide a valid user and password. The real
4517 which will be returned to the browser is configurable using "stats realm".
4518
4519 Since the authentication method is HTTP Basic Authentication, the passwords
4520 circulate in cleartext on the network. Thus, it was decided that the
4521 configuration file would also use cleartext passwords to remind the users
4522 that those ones should not be sensible and not shared with any other account.
4523
4524 It is also possible to reduce the scope of the proxies which appear in the
4525 report using "stats scope".
4526
4527 Though this statement alone is enough to enable statistics reporting, it is
4528 recommended to set all other settings in order to avoid relying on default
4529 unobvious parameters.
4530
4531 Example :
4532 # public access (limited to this backend only)
4533 backend public_www
4534 server srv1 192.168.0.1:80
4535 stats enable
4536 stats hide-version
4537 stats scope .
4538 stats uri /admin?stats
4539 stats realm Haproxy\ Statistics
4540 stats auth admin1:AdMiN123
4541 stats auth admin2:AdMiN321
4542
4543 # internal monitoring access (unlimited)
4544 backend private_monitoring
4545 stats enable
4546 stats uri /admin?stats
4547 stats refresh 5s
4548
4549 See also : "stats enable", "stats realm", "stats scope", "stats uri"
4550
4551
4552stats enable
4553 Enable statistics reporting with default settings
4554 May be used in sections : defaults | frontend | listen | backend
4555 yes | no | yes | yes
4556 Arguments : none
4557
4558 This statement enables statistics reporting with default settings defined
4559 at build time. Unless stated otherwise, these settings are used :
4560 - stats uri : /haproxy?stats
4561 - stats realm : "HAProxy Statistics"
4562 - stats auth : no authentication
4563 - stats scope : no restriction
4564
4565 Though this statement alone is enough to enable statistics reporting, it is
4566 recommended to set all other settings in order to avoid relying on default
4567 unobvious parameters.
4568
4569 Example :
4570 # public access (limited to this backend only)
4571 backend public_www
4572 server srv1 192.168.0.1:80
4573 stats enable
4574 stats hide-version
4575 stats scope .
4576 stats uri /admin?stats
4577 stats realm Haproxy\ Statistics
4578 stats auth admin1:AdMiN123
4579 stats auth admin2:AdMiN321
4580
4581 # internal monitoring access (unlimited)
4582 backend private_monitoring
4583 stats enable
4584 stats uri /admin?stats
4585 stats refresh 5s
4586
4587 See also : "stats auth", "stats realm", "stats uri"
4588
4589
Willy Tarreaud63335a2010-02-26 12:56:52 +01004590stats hide-version
4591 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004592 May be used in sections : defaults | frontend | listen | backend
4593 yes | no | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01004594 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004595
Willy Tarreaud63335a2010-02-26 12:56:52 +01004596 By default, the stats page reports some useful status information along with
4597 the statistics. Among them is HAProxy's version. However, it is generally
4598 considered dangerous to report precise version to anyone, as it can help them
4599 target known weaknesses with specific attacks. The "stats hide-version"
4600 statement removes the version from the statistics report. This is recommended
4601 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004602
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004603 Though this statement alone is enough to enable statistics reporting, it is
4604 recommended to set all other settings in order to avoid relying on default
4605 unobvious parameters.
4606
Willy Tarreaud63335a2010-02-26 12:56:52 +01004607 Example :
4608 # public access (limited to this backend only)
4609 backend public_www
4610 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004611 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004612 stats hide-version
4613 stats scope .
4614 stats uri /admin?stats
4615 stats realm Haproxy\ Statistics
4616 stats auth admin1:AdMiN123
4617 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004618
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004619 # internal monitoring access (unlimited)
4620 backend private_monitoring
4621 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01004622 stats uri /admin?stats
4623 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01004624
Willy Tarreaud63335a2010-02-26 12:56:52 +01004625 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004626
Willy Tarreau983e01e2010-01-11 18:42:06 +01004627
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004628stats realm <realm>
4629 Enable statistics and set authentication realm
4630 May be used in sections : defaults | frontend | listen | backend
4631 yes | no | yes | yes
4632 Arguments :
4633 <realm> is the name of the HTTP Basic Authentication realm reported to
4634 the browser. The browser uses it to display it in the pop-up
4635 inviting the user to enter a valid username and password.
4636
4637 The realm is read as a single word, so any spaces in it should be escaped
4638 using a backslash ('\').
4639
4640 This statement is useful only in conjunction with "stats auth" since it is
4641 only related to authentication.
4642
4643 Though this statement alone is enough to enable statistics reporting, it is
4644 recommended to set all other settings in order to avoid relying on default
4645 unobvious parameters.
4646
4647 Example :
4648 # public access (limited to this backend only)
4649 backend public_www
4650 server srv1 192.168.0.1:80
4651 stats enable
4652 stats hide-version
4653 stats scope .
4654 stats uri /admin?stats
4655 stats realm Haproxy\ Statistics
4656 stats auth admin1:AdMiN123
4657 stats auth admin2:AdMiN321
4658
4659 # internal monitoring access (unlimited)
4660 backend private_monitoring
4661 stats enable
4662 stats uri /admin?stats
4663 stats refresh 5s
4664
4665 See also : "stats auth", "stats enable", "stats uri"
4666
4667
4668stats refresh <delay>
4669 Enable statistics with automatic refresh
4670 May be used in sections : defaults | frontend | listen | backend
4671 yes | no | yes | yes
4672 Arguments :
4673 <delay> is the suggested refresh delay, specified in seconds, which will
4674 be returned to the browser consulting the report page. While the
4675 browser is free to apply any delay, it will generally respect it
4676 and refresh the page this every seconds. The refresh interval may
4677 be specified in any other non-default time unit, by suffixing the
4678 unit after the value, as explained at the top of this document.
4679
4680 This statement is useful on monitoring displays with a permanent page
4681 reporting the load balancer's activity. When set, the HTML report page will
4682 include a link "refresh"/"stop refresh" so that the user can select whether
4683 he wants automatic refresh of the page or not.
4684
4685 Though this statement alone is enough to enable statistics reporting, it is
4686 recommended to set all other settings in order to avoid relying on default
4687 unobvious parameters.
4688
4689 Example :
4690 # public access (limited to this backend only)
4691 backend public_www
4692 server srv1 192.168.0.1:80
4693 stats enable
4694 stats hide-version
4695 stats scope .
4696 stats uri /admin?stats
4697 stats realm Haproxy\ Statistics
4698 stats auth admin1:AdMiN123
4699 stats auth admin2:AdMiN321
4700
4701 # internal monitoring access (unlimited)
4702 backend private_monitoring
4703 stats enable
4704 stats uri /admin?stats
4705 stats refresh 5s
4706
4707 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4708
4709
4710stats scope { <name> | "." }
4711 Enable statistics and limit access scope
4712 May be used in sections : defaults | frontend | listen | backend
4713 yes | no | yes | yes
4714 Arguments :
4715 <name> is the name of a listen, frontend or backend section to be
4716 reported. The special name "." (a single dot) designates the
4717 section in which the statement appears.
4718
4719 When this statement is specified, only the sections enumerated with this
4720 statement will appear in the report. All other ones will be hidden. This
4721 statement may appear as many times as needed if multiple sections need to be
4722 reported. Please note that the name checking is performed as simple string
4723 comparisons, and that it is never checked that a give section name really
4724 exists.
4725
4726 Though this statement alone is enough to enable statistics reporting, it is
4727 recommended to set all other settings in order to avoid relying on default
4728 unobvious parameters.
4729
4730 Example :
4731 # public access (limited to this backend only)
4732 backend public_www
4733 server srv1 192.168.0.1:80
4734 stats enable
4735 stats hide-version
4736 stats scope .
4737 stats uri /admin?stats
4738 stats realm Haproxy\ Statistics
4739 stats auth admin1:AdMiN123
4740 stats auth admin2:AdMiN321
4741
4742 # internal monitoring access (unlimited)
4743 backend private_monitoring
4744 stats enable
4745 stats uri /admin?stats
4746 stats refresh 5s
4747
4748 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4749
Willy Tarreaud63335a2010-02-26 12:56:52 +01004750
Willy Tarreauc9705a12010-07-27 20:05:50 +02004751stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01004752 Enable reporting of a description on the statistics page.
4753 May be used in sections : defaults | frontend | listen | backend
4754 yes | no | yes | yes
4755
Willy Tarreauc9705a12010-07-27 20:05:50 +02004756 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01004757 description from global section is automatically used instead.
4758
4759 This statement is useful for users that offer shared services to their
4760 customers, where node or description should be different for each customer.
4761
4762 Though this statement alone is enough to enable statistics reporting, it is
4763 recommended to set all other settings in order to avoid relying on default
4764 unobvious parameters.
4765
4766 Example :
4767 # internal monitoring access (unlimited)
4768 backend private_monitoring
4769 stats enable
4770 stats show-desc Master node for Europe, Asia, Africa
4771 stats uri /admin?stats
4772 stats refresh 5s
4773
4774 See also: "show-node", "stats enable", "stats uri" and "description" in
4775 global section.
4776
4777
4778stats show-legends
4779 Enable reporting additional informations on the statistics page :
4780 - cap: capabilities (proxy)
4781 - mode: one of tcp, http or health (proxy)
4782 - id: SNMP ID (proxy, socket, server)
4783 - IP (socket, server)
4784 - cookie (backend, server)
4785
4786 Though this statement alone is enough to enable statistics reporting, it is
4787 recommended to set all other settings in order to avoid relying on default
4788 unobvious parameters.
4789
4790 See also: "stats enable", "stats uri".
4791
4792
4793stats show-node [ <name> ]
4794 Enable reporting of a host name on the statistics page.
4795 May be used in sections : defaults | frontend | listen | backend
4796 yes | no | yes | yes
4797 Arguments:
4798 <name> is an optional name to be reported. If unspecified, the
4799 node name from global section is automatically used instead.
4800
4801 This statement is useful for users that offer shared services to their
4802 customers, where node or description might be different on a stats page
4803 provided for each customer.
4804
4805 Though this statement alone is enough to enable statistics reporting, it is
4806 recommended to set all other settings in order to avoid relying on default
4807 unobvious parameters.
4808
4809 Example:
4810 # internal monitoring access (unlimited)
4811 backend private_monitoring
4812 stats enable
4813 stats show-node Europe-1
4814 stats uri /admin?stats
4815 stats refresh 5s
4816
4817 See also: "show-desc", "stats enable", "stats uri", and "node" in global
4818 section.
4819
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004820
4821stats uri <prefix>
4822 Enable statistics and define the URI prefix to access them
4823 May be used in sections : defaults | frontend | listen | backend
4824 yes | no | yes | yes
4825 Arguments :
4826 <prefix> is the prefix of any URI which will be redirected to stats. This
4827 prefix may contain a question mark ('?') to indicate part of a
4828 query string.
4829
4830 The statistics URI is intercepted on the relayed traffic, so it appears as a
4831 page within the normal application. It is strongly advised to ensure that the
4832 selected URI will never appear in the application, otherwise it will never be
4833 possible to reach it in the application.
4834
4835 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004836 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004837 It is generally a good idea to include a question mark in the URI so that
4838 intermediate proxies refrain from caching the results. Also, since any string
4839 beginning with the prefix will be accepted as a stats request, the question
4840 mark helps ensuring that no valid URI will begin with the same words.
4841
4842 It is sometimes very convenient to use "/" as the URI prefix, and put that
4843 statement in a "listen" instance of its own. That makes it easy to dedicate
4844 an address or a port to statistics only.
4845
4846 Though this statement alone is enough to enable statistics reporting, it is
4847 recommended to set all other settings in order to avoid relying on default
4848 unobvious parameters.
4849
4850 Example :
4851 # public access (limited to this backend only)
4852 backend public_www
4853 server srv1 192.168.0.1:80
4854 stats enable
4855 stats hide-version
4856 stats scope .
4857 stats uri /admin?stats
4858 stats realm Haproxy\ Statistics
4859 stats auth admin1:AdMiN123
4860 stats auth admin2:AdMiN321
4861
4862 # internal monitoring access (unlimited)
4863 backend private_monitoring
4864 stats enable
4865 stats uri /admin?stats
4866 stats refresh 5s
4867
4868 See also : "stats auth", "stats enable", "stats realm"
4869
4870
Willy Tarreaud63335a2010-02-26 12:56:52 +01004871stick match <pattern> [table <table>] [{if | unless} <cond>]
4872 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004873 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01004874 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004875
4876 Arguments :
4877 <pattern> is a pattern extraction rule as described in section 7.8. It
4878 describes what elements of the incoming request or connection
4879 will be analysed in the hope to find a matching entry in a
4880 stickiness table. This rule is mandatory.
4881
4882 <table> is an optional stickiness table name. If unspecified, the same
4883 backend's table is used. A stickiness table is declared using
4884 the "stick-table" statement.
4885
4886 <cond> is an optional matching condition. It makes it possible to match
4887 on a certain criterion only when other conditions are met (or
4888 not met). For instance, it could be used to match on a source IP
4889 address except when a request passes through a known proxy, in
4890 which case we'd match on a header containing that IP address.
4891
4892 Some protocols or applications require complex stickiness rules and cannot
4893 always simply rely on cookies nor hashing. The "stick match" statement
4894 describes a rule to extract the stickiness criterion from an incoming request
4895 or connection. See section 7 for a complete list of possible patterns and
4896 transformation rules.
4897
4898 The table has to be declared using the "stick-table" statement. It must be of
4899 a type compatible with the pattern. By default it is the one which is present
4900 in the same backend. It is possible to share a table with other backends by
4901 referencing it using the "table" keyword. If another table is referenced,
4902 the server's ID inside the backends are used. By default, all server IDs
4903 start at 1 in each backend, so the server ordering is enough. But in case of
4904 doubt, it is highly recommended to force server IDs using their "id" setting.
4905
4906 It is possible to restrict the conditions where a "stick match" statement
4907 will apply, using "if" or "unless" followed by a condition. See section 7 for
4908 ACL based conditions.
4909
4910 There is no limit on the number of "stick match" statements. The first that
4911 applies and matches will cause the request to be directed to the same server
4912 as was used for the request which created the entry. That way, multiple
4913 matches can be used as fallbacks.
4914
4915 The stick rules are checked after the persistence cookies, so they will not
4916 affect stickiness if a cookie has already been used to select a server. That
4917 way, it becomes very easy to insert cookies and match on IP addresses in
4918 order to maintain stickiness between HTTP and HTTPS.
4919
4920 Example :
4921 # forward SMTP users to the same server they just used for POP in the
4922 # last 30 minutes
4923 backend pop
4924 mode tcp
4925 balance roundrobin
4926 stick store-request src
4927 stick-table type ip size 200k expire 30m
4928 server s1 192.168.1.1:110
4929 server s2 192.168.1.1:110
4930
4931 backend smtp
4932 mode tcp
4933 balance roundrobin
4934 stick match src table pop
4935 server s1 192.168.1.1:25
4936 server s2 192.168.1.1:25
4937
4938 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
4939 extraction.
4940
4941
4942stick on <pattern> [table <table>] [{if | unless} <condition>]
4943 Define a request pattern to associate a user to a server
4944 May be used in sections : defaults | frontend | listen | backend
4945 no | no | yes | yes
4946
4947 Note : This form is exactly equivalent to "stick match" followed by
4948 "stick store-request", all with the same arguments. Please refer
4949 to both keywords for details. It is only provided as a convenience
4950 for writing more maintainable configurations.
4951
4952 Examples :
4953 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01004954 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004955
4956 # ...is strictly equivalent to this one :
4957 stick match src table pop if !localhost
4958 stick store-request src table pop if !localhost
4959
4960
4961 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
4962 # well as HTTP without cookie. Share the same table between both accesses.
4963 backend http
4964 mode http
4965 balance roundrobin
4966 stick on src table https
4967 cookie SRV insert indirect nocache
4968 server s1 192.168.1.1:80 cookie s1
4969 server s2 192.168.1.1:80 cookie s2
4970
4971 backend https
4972 mode tcp
4973 balance roundrobin
4974 stick-table type ip size 200k expire 30m
4975 stick on src
4976 server s1 192.168.1.1:443
4977 server s2 192.168.1.1:443
4978
4979 See also : "stick match" and "stick store-request"
4980
4981
4982stick store-request <pattern> [table <table>] [{if | unless} <condition>]
4983 Define a request pattern used to create an entry in a stickiness table
4984 May be used in sections : defaults | frontend | listen | backend
4985 no | no | yes | yes
4986
4987 Arguments :
4988 <pattern> is a pattern extraction rule as described in section 7.8. It
4989 describes what elements of the incoming request or connection
4990 will be analysed, extracted and stored in the table once a
4991 server is selected.
4992
4993 <table> is an optional stickiness table name. If unspecified, the same
4994 backend's table is used. A stickiness table is declared using
4995 the "stick-table" statement.
4996
4997 <cond> is an optional storage condition. It makes it possible to store
4998 certain criteria only when some conditions are met (or not met).
4999 For instance, it could be used to store the source IP address
5000 except when the request passes through a known proxy, in which
5001 case we'd store a converted form of a header containing that IP
5002 address.
5003
5004 Some protocols or applications require complex stickiness rules and cannot
5005 always simply rely on cookies nor hashing. The "stick store-request" statement
5006 describes a rule to decide what to extract from the request and when to do
5007 it, in order to store it into a stickiness table for further requests to
5008 match it using the "stick match" statement. Obviously the extracted part must
5009 make sense and have a chance to be matched in a further request. Storing a
5010 client's IP address for instance often makes sense. Storing an ID found in a
5011 URL parameter also makes sense. Storing a source port will almost never make
5012 any sense because it will be randomly matched. See section 7 for a complete
5013 list of possible patterns and transformation rules.
5014
5015 The table has to be declared using the "stick-table" statement. It must be of
5016 a type compatible with the pattern. By default it is the one which is present
5017 in the same backend. It is possible to share a table with other backends by
5018 referencing it using the "table" keyword. If another table is referenced,
5019 the server's ID inside the backends are used. By default, all server IDs
5020 start at 1 in each backend, so the server ordering is enough. But in case of
5021 doubt, it is highly recommended to force server IDs using their "id" setting.
5022
5023 It is possible to restrict the conditions where a "stick store-request"
5024 statement will apply, using "if" or "unless" followed by a condition. This
5025 condition will be evaluated while parsing the request, so any criteria can be
5026 used. See section 7 for ACL based conditions.
5027
5028 There is no limit on the number of "stick store-request" statements, but
5029 there is a limit of 8 simultaneous stores per request or response. This
5030 makes it possible to store up to 8 criteria, all extracted from either the
5031 request or the response, regardless of the number of rules. Only the 8 first
5032 ones which match will be kept. Using this, it is possible to feed multiple
5033 tables at once in the hope to increase the chance to recognize a user on
5034 another protocol or access method.
5035
5036 The "store-request" rules are evaluated once the server connection has been
5037 established, so that the table will contain the real server that processed
5038 the request.
5039
5040 Example :
5041 # forward SMTP users to the same server they just used for POP in the
5042 # last 30 minutes
5043 backend pop
5044 mode tcp
5045 balance roundrobin
5046 stick store-request src
5047 stick-table type ip size 200k expire 30m
5048 server s1 192.168.1.1:110
5049 server s2 192.168.1.1:110
5050
5051 backend smtp
5052 mode tcp
5053 balance roundrobin
5054 stick match src table pop
5055 server s1 192.168.1.1:25
5056 server s2 192.168.1.1:25
5057
5058 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
5059 extraction.
5060
5061
5062stick-table type {ip | integer | string [len <length>] } size <size>
Willy Tarreau08d5f982010-06-06 13:34:54 +02005063 [expire <expire>] [nopurge] [store <data_type>]*
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005064 Configure the stickiness table for the current backend
5065 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005066 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005067
5068 Arguments :
5069 ip a table declared with "type ip" will only store IPv4 addresses.
5070 This form is very compact (about 50 bytes per entry) and allows
5071 very fast entry lookup and stores with almost no overhead. This
5072 is mainly used to store client source IP addresses.
5073
5074 integer a table declared with "type integer" will store 32bit integers
5075 which can represent a client identifier found in a request for
5076 instance.
5077
5078 string a table declared with "type string" will store substrings of up
5079 to <len> characters. If the string provided by the pattern
5080 extractor is larger than <len>, it will be truncated before
5081 being stored. During matching, at most <len> characters will be
5082 compared between the string in the table and the extracted
5083 pattern. When not specified, the string is automatically limited
5084 to 31 characters.
5085
5086 <length> is the maximum number of characters that will be stored in a
5087 "string" type table. See type "string" above. Be careful when
5088 changing this parameter as memory usage will proportionally
5089 increase.
5090
5091 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01005092 value directly impacts memory usage. Count approximately
5093 50 bytes per entry, plus the size of a string if any. The size
5094 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005095
5096 [nopurge] indicates that we refuse to purge older entries when the table
5097 is full. When not specified and the table is full when haproxy
5098 wants to store an entry in it, it will flush a few of the oldest
5099 entries in order to release some space for the new ones. This is
5100 most often the desired behaviour. In some specific cases, it
5101 be desirable to refuse new entries instead of purging the older
5102 ones. That may be the case when the amount of data to store is
5103 far above the hardware limits and we prefer not to offer access
5104 to new clients than to reject the ones already connected. When
5105 using this parameter, be sure to properly set the "expire"
5106 parameter (see below).
5107
5108 <expire> defines the maximum duration of an entry in the table since it
5109 was last created, refreshed or matched. The expiration delay is
5110 defined using the standard time format, similarly as the various
5111 timeouts. The maximum duration is slightly above 24 days. See
5112 section 2.2 for more information. If this delay is not specified,
5113 the session won't automatically expire, but older entries will
5114 be removed once full. Be sure not to use the "nopurge" parameter
5115 if not expiration delay is specified.
5116
Willy Tarreau08d5f982010-06-06 13:34:54 +02005117 <data_type> is used to store additional information in the stick-table. This
5118 may be used by ACLs in order to control various criteria related
5119 to the activity of the client matching the stick-table. For each
5120 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02005121 that the additional data can fit. Several data types may be
5122 stored with an entry. Multiple data types may be specified after
5123 the "store" keyword, as a comma-separated list. Alternatively,
5124 it is possible to repeat the "store" keyword followed by one or
5125 several data types. Except for the "server_id" type which is
5126 automatically detected and enabled, all data types must be
5127 explicitly declared to be stored. If an ACL references a data
5128 type which is not stored, the ACL will simply not match. Some
5129 data types require an argument which must be passed just after
5130 the type between parenthesis. See below for the supported data
5131 types and their arguments.
5132
5133 The data types that can be stored with an entry are the following :
5134 - server_id : this is an integer which holds the numeric ID of the server a
5135 request was assigned to. It is used by the "stick match", "stick store",
5136 and "stick on" rules. It is automatically enabled when referenced.
5137
5138 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
5139 integer which may be used for anything. Most of the time it will be used
5140 to put a special tag on some entries, for instance to note that a
5141 specific behaviour was detected and must be known for future matches.
5142
5143 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
5144 the absolute number of connections received from clients which matched
5145 this entry. It does not mean the connections were accepted, just that
5146 they were received.
5147
5148 - conn_cur : Current Connections. It is a positive 32-bit integer which
5149 stores the concurrent connection counts for the entry. It is incremented
5150 once an incoming connection matches the entry, and decremented once the
5151 connection leaves. That way it is possible to know at any time the exact
5152 number of concurrent connections for an entry.
5153
5154 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5155 integer parameter <period> which indicates in milliseconds the length
5156 of the period over which the average is measured. It reports the average
5157 incoming connection rate over that period, in connections per period. The
5158 result is an integer which can be matched using ACLs.
5159
5160 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
5161 the absolute number of sessions received from clients which matched this
5162 entry. A session is a connection that was accepted by the layer 4 rules.
5163
5164 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5165 integer parameter <period> which indicates in milliseconds the length
5166 of the period over which the average is measured. It reports the average
5167 incoming session rate over that period, in sessions per period. The
5168 result is an integer which can be matched using ACLs.
5169
5170 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
5171 counts the absolute number of HTTP requests received from clients which
5172 matched this entry. It does not matter whether they are valid requests or
5173 not. Note that this is different from sessions when keep-alive is used on
5174 the client side.
5175
5176 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5177 integer parameter <period> which indicates in milliseconds the length
5178 of the period over which the average is measured. It reports the average
5179 HTTP request rate over that period, in requests per period. The result is
5180 an integer which can be matched using ACLs. It does not matter whether
5181 they are valid requests or not. Note that this is different from sessions
5182 when keep-alive is used on the client side.
5183
5184 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
5185 counts the absolute number of HTTP requests errors induced by clients
5186 which matched this entry. Errors are counted on invalid and truncated
5187 requests, as well as on denied or tarpitted requests, and on failed
5188 authentications. If the server responds with 4xx, then the request is
5189 also counted as an error since it's an error triggered by the client
5190 (eg: vulnerability scan).
5191
5192 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5193 integer parameter <period> which indicates in milliseconds the length
5194 of the period over which the average is measured. It reports the average
5195 HTTP request error rate over that period, in requests per period (see
5196 http_err_cnt above for what is accounted as an error). The result is an
5197 integer which can be matched using ACLs.
5198
5199 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
5200 integer which counts the cumulated amount of bytes received from clients
5201 which matched this entry. Headers are included in the count. This may be
5202 used to limit abuse of upload features on photo or video servers.
5203
5204 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
5205 integer parameter <period> which indicates in milliseconds the length
5206 of the period over which the average is measured. It reports the average
5207 incoming bytes rate over that period, in bytes per period. It may be used
5208 to detect users which upload too much and too fast. Warning: with large
5209 uploads, it is possible that the amount of uploaded data will be counted
5210 once upon termination, thus causing spikes in the average transfer speed
5211 instead of having a smooth one. This may partially be smoothed with
5212 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
5213 recommended for better fairness.
5214
5215 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
5216 integer which counts the cumulated amount of bytes sent to clients which
5217 matched this entry. Headers are included in the count. This may be used
5218 to limit abuse of bots sucking the whole site.
5219
5220 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
5221 an integer parameter <period> which indicates in milliseconds the length
5222 of the period over which the average is measured. It reports the average
5223 outgoing bytes rate over that period, in bytes per period. It may be used
5224 to detect users which download too much and too fast. Warning: with large
5225 transfers, it is possible that the amount of transferred data will be
5226 counted once upon termination, thus causing spikes in the average
5227 transfer speed instead of having a smooth one. This may partially be
5228 smoothed with "option contstats" though this is not perfect yet. Use of
5229 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02005230
Willy Tarreauc00cdc22010-06-06 16:48:26 +02005231 There is only one stick-table per proxy. At the moment of writing this doc,
5232 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005233 to be required, simply create a dummy backend with a stick-table in it and
5234 reference it.
5235
5236 It is important to understand that stickiness based on learning information
5237 has some limitations, including the fact that all learned associations are
5238 lost upon restart. In general it can be good as a complement but not always
5239 as an exclusive stickiness.
5240
Willy Tarreauc9705a12010-07-27 20:05:50 +02005241 Last, memory requirements may be important when storing many data types.
5242 Indeed, storing all indicators above at once in each entry requires 116 bytes
5243 per entry, or 116 MB for a 1-million entries table. This is definitely not
5244 something that can be ignored.
5245
5246 Example:
5247 # Keep track of counters of up to 1 million IP addresses over 5 minutes
5248 # and store a general purpose counter and the average connection rate
5249 # computed over a sliding window of 30 seconds.
5250 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
5251
5252 See also : "stick match", "stick on", "stick store-request", section 2.2
5253 about time format and section 7 avoud ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01005254
5255
Willy Tarreaue9656522010-08-17 15:40:09 +02005256tcp-request connection <action> [{if | unless} <condition>]
5257 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02005258 May be used in sections : defaults | frontend | listen | backend
5259 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02005260 Arguments :
5261 <action> defines the action to perform if the condition applies. Valid
5262 actions include : "accept", "reject", "track-sc1", "track-sc2".
5263 See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02005264
Willy Tarreaue9656522010-08-17 15:40:09 +02005265 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005266
5267 Immediately after acceptance of a new incoming connection, it is possible to
5268 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02005269 or dropped or have its counters tracked. Those conditions cannot make use of
5270 any data contents because the connection has not been read from yet, and the
5271 buffers are not yet allocated. This is used to selectively and very quickly
5272 accept or drop connections from various sources with a very low overhead. If
5273 some contents need to be inspected in order to take the decision, the
5274 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005275
Willy Tarreaue9656522010-08-17 15:40:09 +02005276 The "tcp-request connection" rules are evaluated in their exact declaration
5277 order. If no rule matches or if there is no rule, the default action is to
5278 accept the incoming connection. There is no specific limit to the number of
5279 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005280
Willy Tarreaue9656522010-08-17 15:40:09 +02005281 Three types of actions are supported :
5282 - accept :
5283 accepts the connection if the condition is true (when used with "if")
5284 or false (when used with "unless"). The first such rule executed ends
5285 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005286
Willy Tarreaue9656522010-08-17 15:40:09 +02005287 - reject :
5288 rejects the connection if the condition is true (when used with "if")
5289 or false (when used with "unless"). The first such rule executed ends
5290 the rules evaluation. Rejected connections do not even become a
5291 session, which is why they are accounted separately for in the stats,
5292 as "denied connections". They are not considered for the session
5293 rate-limit and are not logged either. The reason is that these rules
5294 should only be used to filter extremely high connection rates such as
5295 the ones encountered during a massive DDoS attack. Under these extreme
5296 conditions, the simple action of logging each event would make the
5297 system collapse and would considerably lower the filtering capacity. If
5298 logging is absolutely desired, then "tcp-request content" rules should
5299 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005300
Willy Tarreaue9656522010-08-17 15:40:09 +02005301 - { track-sc1 | track-sc2 } <key> [table <table>] :
5302 enables tracking of sticky counters from current connection. These
5303 rules do not stop evaluation and do not change default action. Two sets
5304 of counters may be simultaneously tracked by the same connection. The
5305 first "track-sc1" rule executed enables tracking of the counters of the
5306 specified table as the first set. The first "track-sc2" rule executed
5307 enables tracking of the counters of the specified table as the second
5308 set. It is a recommended practice to use the first set of counters for
5309 the per-frontend counters and the second set for the per-backend ones.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005310
Willy Tarreaue9656522010-08-17 15:40:09 +02005311 These actions take one or two arguments :
5312 <key> is mandatory, and defines the criterion the tracking key will
5313 be derived from. At the moment, only "src" is supported. With
5314 it, the key will be the connection's source IPv4 address.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005315
Willy Tarreaue9656522010-08-17 15:40:09 +02005316 <table> is an optional table to be used instead of the default one,
5317 which is the stick-table declared in the current proxy. All
5318 the counters for the matches and updates for the key will
5319 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005320
Willy Tarreaue9656522010-08-17 15:40:09 +02005321 Once a "track-sc*" rule is executed, the key is looked up in the table
5322 and if it is not found, an entry is allocated for it. Then a pointer to
5323 that entry is kept during all the session's life, and this entry's
5324 counters are updated as often as possible, every time the session's
5325 counters are updated, and also systematically when the session ends.
5326 If the entry tracks concurrent connection counters, one connection is
5327 counted for as long as the entry is tracked, and the entry will not
5328 expire during that time. Tracking counters also provides a performance
5329 advantage over just checking the keys, because only one table lookup is
5330 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005331
Willy Tarreaue9656522010-08-17 15:40:09 +02005332 Note that the "if/unless" condition is optional. If no condition is set on
5333 the action, it is simply performed unconditionally. That can be useful for
5334 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005335
Willy Tarreaue9656522010-08-17 15:40:09 +02005336 Example: accept all connections from white-listed hosts, reject too fast
5337 connection without counting them, and track accepted connections.
5338 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005339
Willy Tarreaue9656522010-08-17 15:40:09 +02005340 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005341 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaue9656522010-08-17 15:40:09 +02005342 tcp-request connection track-sc1 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005343
Willy Tarreaue9656522010-08-17 15:40:09 +02005344 Example: accept all connections from white-listed hosts, count all other
5345 connections and reject too fast ones. This results in abusive ones
5346 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005347
Willy Tarreaue9656522010-08-17 15:40:09 +02005348 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
5349 tcp-request connection track-sc1 src
5350 tcp-request connection reject if { sc1_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005351
5352 See section 7 about ACL usage.
5353
Willy Tarreaue9656522010-08-17 15:40:09 +02005354 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005355
5356
Willy Tarreaue9656522010-08-17 15:40:09 +02005357tcp-request content <action> [{if | unless} <condition>]
5358 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02005359 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005360 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02005361 Arguments :
5362 <action> defines the action to perform if the condition applies. Valid
5363 actions include : "accept", "reject", "track-sc1", "track-sc2".
5364 See "tcp-request connection" above for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02005365
Willy Tarreaue9656522010-08-17 15:40:09 +02005366 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02005367
Willy Tarreaue9656522010-08-17 15:40:09 +02005368 A request's contents can be analysed at an early stage of request processing
5369 called "TCP content inspection". During this stage, ACL-based rules are
5370 evaluated every time the request contents are updated, until either an
5371 "accept" or a "reject" rule matches, or the TCP request inspection delay
5372 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02005373
Willy Tarreaue9656522010-08-17 15:40:09 +02005374 The first difference between these rules and "tcp-request connection" rules
5375 is that "tcp-request content" rules can make use of contents to take a
5376 decision. Most often, these decisions will consider a protocol recognition or
5377 validity. The second difference is that content-based rules can be used in
5378 both frontends and backends. In frontends, they will be evaluated upon new
5379 connections. In backends, they will be evaluated once a session is assigned
5380 a backend. This means that a single frontend connection may be evaluated
5381 several times by one or multiple backends when a session gets reassigned
5382 (for instance after a client-side HTTP keep-alive request).
Willy Tarreau62644772008-07-16 18:36:06 +02005383
Willy Tarreaue9656522010-08-17 15:40:09 +02005384 Content-based rules are evaluated in their exact declaration order. If no
5385 rule matches or if there is no rule, the default action is to accept the
5386 contents. There is no specific limit to the number of rules which may be
5387 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02005388
Willy Tarreaue9656522010-08-17 15:40:09 +02005389 Three types of actions are supported :
5390 - accept :
5391 - reject :
5392 - { track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02005393
Willy Tarreaue9656522010-08-17 15:40:09 +02005394 They have the same meaning as their counter-parts in "tcp-request connection"
5395 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02005396
Willy Tarreaue9656522010-08-17 15:40:09 +02005397 Also, it is worth noting that if sticky counters are tracked from a rule
5398 defined in a backend, this tracking will automatically end when the session
5399 releases the backend. That allows per-backend counter tracking even in case
5400 of HTTP keep-alive requests when the backend changes. While there is nothing
5401 mandatory about it, it is recommended to use the track-sc1 pointer to track
5402 per-frontend counters and track-sc2 to track per-backend counters.
Willy Tarreau62644772008-07-16 18:36:06 +02005403
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005404 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02005405 the action, it is simply performed unconditionally. That can be useful for
5406 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02005407
Willy Tarreaue9656522010-08-17 15:40:09 +02005408 It is perfectly possible to match layer 7 contents with "tcp-request content"
5409 rules, but then it is important to ensure that a full request has been
5410 buffered, otherwise no contents will match. In order to achieve this, the
5411 best solution involves detecting the HTTP protocol during the inspection
5412 period.
Willy Tarreau62644772008-07-16 18:36:06 +02005413
5414 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02005415 # Accept HTTP requests containing a Host header saying "example.com"
5416 # and reject everything else.
5417 acl is_host_com hdr(Host) -i example.com
5418 tcp-request inspect-delay 30s
5419 tcp-request content accept if HTTP is_host_com
5420 tcp-request content reject
5421
5422 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02005423 # reject SMTP connection if client speaks first
5424 tcp-request inspect-delay 30s
5425 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005426 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02005427
5428 # Forward HTTPS connection only if client speaks
5429 tcp-request inspect-delay 30s
5430 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02005431 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02005432 tcp-request content reject
5433
5434 Example: track per-frontend and per-backend counters, block abusers at the
5435 frontend when the backend detects abuse.
5436
5437 frontend http
5438 # Use General Purpose Couter 0 in SC1 as a global abuse counter
5439 # protecting all our sites
5440 stick-table type ip size 1m expire 5m store gpc0
5441 tcp-request connection track-sc1 src
5442 tcp-request connection reject if { sc1_get_gpc0 gt 0 }
5443 ...
5444 use_backend http_dynamic if { path_end .php }
5445
5446 backend http_dynamic
5447 # if a source makes too fast requests to this dynamic site (tracked
5448 # by SC2), block it globally in the frontend.
5449 stick-table type ip size 1m expire 5m store http_req_rate(10s)
5450 acl click_too_fast sc2_http_req_rate gt 10
5451 acl mark_as_abuser sc1_inc_gpc0
5452 tcp-request content track-sc2 src
5453 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02005454
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005455 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02005456
Willy Tarreaue9656522010-08-17 15:40:09 +02005457 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02005458
5459
5460tcp-request inspect-delay <timeout>
5461 Set the maximum allowed time to wait for data during content inspection
5462 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02005463 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02005464 Arguments :
5465 <timeout> is the timeout value specified in milliseconds by default, but
5466 can be in any other unit if the number is suffixed by the unit,
5467 as explained at the top of this document.
5468
5469 People using haproxy primarily as a TCP relay are often worried about the
5470 risk of passing any type of protocol to a server without any analysis. In
5471 order to be able to analyze the request contents, we must first withhold
5472 the data then analyze them. This statement simply enables withholding of
5473 data for at most the specified amount of time.
5474
Willy Tarreaufb356202010-08-03 14:02:05 +02005475 TCP content inspection applies very early when a connection reaches a
5476 frontend, then very early when the connection is forwarded to a backend. This
5477 means that a connection may experience a first delay in the frontend and a
5478 second delay in the backend if both have tcp-request rules.
5479
Willy Tarreau62644772008-07-16 18:36:06 +02005480 Note that when performing content inspection, haproxy will evaluate the whole
5481 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005482 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02005483 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01005484 contents are definitive. If no delay is set, haproxy will not wait at all
5485 and will immediately apply a verdict based on the available information.
5486 Obviously this is unlikely to be very useful and might even be racy, so such
5487 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02005488
5489 As soon as a rule matches, the request is released and continues as usual. If
5490 the timeout is reached and no rule matches, the default policy will be to let
5491 it pass through unaffected.
5492
5493 For most protocols, it is enough to set it to a few seconds, as most clients
5494 send the full request immediately upon connection. Add 3 or more seconds to
5495 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01005496 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02005497 before the server (eg: SMTP), or to wait for a client to talk before passing
5498 data to the server (eg: SSL). Note that the client timeout must cover at
5499 least the inspection delay, otherwise it will expire first.
5500
Willy Tarreau55165fe2009-05-10 12:02:55 +02005501 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02005502 "timeout client".
5503
5504
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005505timeout check <timeout>
5506 Set additional check timeout, but only after a connection has been already
5507 established.
5508
5509 May be used in sections: defaults | frontend | listen | backend
5510 yes | no | yes | yes
5511 Arguments:
5512 <timeout> is the timeout value specified in milliseconds by default, but
5513 can be in any other unit if the number is suffixed by the unit,
5514 as explained at the top of this document.
5515
5516 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
5517 for check and "timeout check" as an additional read timeout. The "min" is
5518 used so that people running with *very* long "timeout connect" (eg. those
5519 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01005520 (Please also note that there is no valid reason to have such long connect
5521 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
5522 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005523
5524 If "timeout check" is not set haproxy uses "inter" for complete check
5525 timeout (connect + read) exactly like all <1.3.15 version.
5526
5527 In most cases check request is much simpler and faster to handle than normal
5528 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01005529 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005530
5531 This parameter is specific to backends, but can be specified once for all in
5532 "defaults" sections. This is in fact one of the easiest solutions not to
5533 forget about it.
5534
Willy Tarreau41a340d2008-01-22 12:25:31 +01005535 See also: "timeout connect", "timeout queue", "timeout server",
5536 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005537
5538
Willy Tarreau0ba27502007-12-24 16:55:16 +01005539timeout client <timeout>
5540timeout clitimeout <timeout> (deprecated)
5541 Set the maximum inactivity time on the client side.
5542 May be used in sections : defaults | frontend | listen | backend
5543 yes | yes | yes | no
5544 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005545 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005546 can be in any other unit if the number is suffixed by the unit,
5547 as explained at the top of this document.
5548
5549 The inactivity timeout applies when the client is expected to acknowledge or
5550 send data. In HTTP mode, this timeout is particularly important to consider
5551 during the first phase, when the client sends the request, and during the
5552 response while it is reading data sent by the server. The value is specified
5553 in milliseconds by default, but can be in any other unit if the number is
5554 suffixed by the unit, as specified at the top of this document. In TCP mode
5555 (and to a lesser extent, in HTTP mode), it is highly recommended that the
5556 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005557 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01005558 losses by specifying timeouts that are slightly above multiples of 3 seconds
5559 (eg: 4 or 5 seconds).
5560
5561 This parameter is specific to frontends, but can be specified once for all in
5562 "defaults" sections. This is in fact one of the easiest solutions not to
5563 forget about it. An unspecified timeout results in an infinite timeout, which
5564 is not recommended. Such a usage is accepted and works but reports a warning
5565 during startup because it may results in accumulation of expired sessions in
5566 the system if the system's timeouts are not configured either.
5567
5568 This parameter replaces the old, deprecated "clitimeout". It is recommended
5569 to use it to write new configurations. The form "timeout clitimeout" is
5570 provided only by backwards compatibility but its use is strongly discouraged.
5571
5572 See also : "clitimeout", "timeout server".
5573
5574
5575timeout connect <timeout>
5576timeout contimeout <timeout> (deprecated)
5577 Set the maximum time to wait for a connection attempt to a server to succeed.
5578 May be used in sections : defaults | frontend | listen | backend
5579 yes | no | yes | yes
5580 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005581 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005582 can be in any other unit if the number is suffixed by the unit,
5583 as explained at the top of this document.
5584
5585 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005586 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01005587 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01005588 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005589 connect timeout also presets both queue and tarpit timeouts to the same value
5590 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005591
5592 This parameter is specific to backends, but can be specified once for all in
5593 "defaults" sections. This is in fact one of the easiest solutions not to
5594 forget about it. An unspecified timeout results in an infinite timeout, which
5595 is not recommended. Such a usage is accepted and works but reports a warning
5596 during startup because it may results in accumulation of failed sessions in
5597 the system if the system's timeouts are not configured either.
5598
5599 This parameter replaces the old, deprecated "contimeout". It is recommended
5600 to use it to write new configurations. The form "timeout contimeout" is
5601 provided only by backwards compatibility but its use is strongly discouraged.
5602
Willy Tarreau41a340d2008-01-22 12:25:31 +01005603 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
5604 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01005605
5606
Willy Tarreaub16a5742010-01-10 14:46:16 +01005607timeout http-keep-alive <timeout>
5608 Set the maximum allowed time to wait for a new HTTP request to appear
5609 May be used in sections : defaults | frontend | listen | backend
5610 yes | yes | yes | yes
5611 Arguments :
5612 <timeout> is the timeout value specified in milliseconds by default, but
5613 can be in any other unit if the number is suffixed by the unit,
5614 as explained at the top of this document.
5615
5616 By default, the time to wait for a new request in case of keep-alive is set
5617 by "timeout http-request". However this is not always convenient because some
5618 people want very short keep-alive timeouts in order to release connections
5619 faster, and others prefer to have larger ones but still have short timeouts
5620 once the request has started to present itself.
5621
5622 The "http-keep-alive" timeout covers these needs. It will define how long to
5623 wait for a new HTTP request to start coming after a response was sent. Once
5624 the first byte of request has been seen, the "http-request" timeout is used
5625 to wait for the complete request to come. Note that empty lines prior to a
5626 new request do not refresh the timeout and are not counted as a new request.
5627
5628 There is also another difference between the two timeouts : when a connection
5629 expires during timeout http-keep-alive, no error is returned, the connection
5630 just closes. If the connection expires in "http-request" while waiting for a
5631 connection to complete, a HTTP 408 error is returned.
5632
5633 In general it is optimal to set this value to a few tens to hundreds of
5634 milliseconds, to allow users to fetch all objects of a page at once but
5635 without waiting for further clicks. Also, if set to a very small value (eg:
5636 1 millisecond) it will probably only accept pipelined requests but not the
5637 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02005638 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01005639
5640 If this parameter is not set, the "http-request" timeout applies, and if both
5641 are not set, "timeout client" still applies at the lower level. It should be
5642 set in the frontend to take effect, unless the frontend is in TCP mode, in
5643 which case the HTTP backend's timeout will be used.
5644
5645 See also : "timeout http-request", "timeout client".
5646
5647
Willy Tarreau036fae02008-01-06 13:24:40 +01005648timeout http-request <timeout>
5649 Set the maximum allowed time to wait for a complete HTTP request
5650 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005651 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01005652 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005653 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01005654 can be in any other unit if the number is suffixed by the unit,
5655 as explained at the top of this document.
5656
5657 In order to offer DoS protection, it may be required to lower the maximum
5658 accepted time to receive a complete HTTP request without affecting the client
5659 timeout. This helps protecting against established connections on which
5660 nothing is sent. The client timeout cannot offer a good protection against
5661 this abuse because it is an inactivity timeout, which means that if the
5662 attacker sends one character every now and then, the timeout will not
5663 trigger. With the HTTP request timeout, no matter what speed the client
5664 types, the request will be aborted if it does not complete in time.
5665
5666 Note that this timeout only applies to the header part of the request, and
5667 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01005668 used anymore. It is used again on keep-alive connections to wait for a second
5669 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01005670
5671 Generally it is enough to set it to a few seconds, as most clients send the
5672 full request immediately upon connection. Add 3 or more seconds to cover TCP
5673 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
5674 generally work on local networks as long as there are no packet losses. This
5675 will prevent people from sending bare HTTP requests using telnet.
5676
5677 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005678 chunk of the incoming request. It should be set in the frontend to take
5679 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
5680 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01005681
Willy Tarreaub16a5742010-01-10 14:46:16 +01005682 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01005683
Willy Tarreau844e3c52008-01-11 16:28:18 +01005684
5685timeout queue <timeout>
5686 Set the maximum time to wait in the queue for a connection slot to be free
5687 May be used in sections : defaults | frontend | listen | backend
5688 yes | no | yes | yes
5689 Arguments :
5690 <timeout> is the timeout value specified in milliseconds by default, but
5691 can be in any other unit if the number is suffixed by the unit,
5692 as explained at the top of this document.
5693
5694 When a server's maxconn is reached, connections are left pending in a queue
5695 which may be server-specific or global to the backend. In order not to wait
5696 indefinitely, a timeout is applied to requests pending in the queue. If the
5697 timeout is reached, it is considered that the request will almost never be
5698 served, so it is dropped and a 503 error is returned to the client.
5699
5700 The "timeout queue" statement allows to fix the maximum time for a request to
5701 be left pending in a queue. If unspecified, the same value as the backend's
5702 connection timeout ("timeout connect") is used, for backwards compatibility
5703 with older versions with no "timeout queue" parameter.
5704
5705 See also : "timeout connect", "contimeout".
5706
5707
5708timeout server <timeout>
5709timeout srvtimeout <timeout> (deprecated)
5710 Set the maximum inactivity time on the server side.
5711 May be used in sections : defaults | frontend | listen | backend
5712 yes | no | yes | yes
5713 Arguments :
5714 <timeout> is the timeout value specified in milliseconds by default, but
5715 can be in any other unit if the number is suffixed by the unit,
5716 as explained at the top of this document.
5717
5718 The inactivity timeout applies when the server is expected to acknowledge or
5719 send data. In HTTP mode, this timeout is particularly important to consider
5720 during the first phase of the server's response, when it has to send the
5721 headers, as it directly represents the server's processing time for the
5722 request. To find out what value to put there, it's often good to start with
5723 what would be considered as unacceptable response times, then check the logs
5724 to observe the response time distribution, and adjust the value accordingly.
5725
5726 The value is specified in milliseconds by default, but can be in any other
5727 unit if the number is suffixed by the unit, as specified at the top of this
5728 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5729 recommended that the client timeout remains equal to the server timeout in
5730 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005731 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005732 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005733 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005734
5735 This parameter is specific to backends, but can be specified once for all in
5736 "defaults" sections. This is in fact one of the easiest solutions not to
5737 forget about it. An unspecified timeout results in an infinite timeout, which
5738 is not recommended. Such a usage is accepted and works but reports a warning
5739 during startup because it may results in accumulation of expired sessions in
5740 the system if the system's timeouts are not configured either.
5741
5742 This parameter replaces the old, deprecated "srvtimeout". It is recommended
5743 to use it to write new configurations. The form "timeout srvtimeout" is
5744 provided only by backwards compatibility but its use is strongly discouraged.
5745
5746 See also : "srvtimeout", "timeout client".
5747
5748
5749timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01005750 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01005751 May be used in sections : defaults | frontend | listen | backend
5752 yes | yes | yes | yes
5753 Arguments :
5754 <timeout> is the tarpit duration specified in milliseconds by default, but
5755 can be in any other unit if the number is suffixed by the unit,
5756 as explained at the top of this document.
5757
5758 When a connection is tarpitted using "reqtarpit", it is maintained open with
5759 no activity for a certain amount of time, then closed. "timeout tarpit"
5760 defines how long it will be maintained open.
5761
5762 The value is specified in milliseconds by default, but can be in any other
5763 unit if the number is suffixed by the unit, as specified at the top of this
5764 document. If unspecified, the same value as the backend's connection timeout
5765 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01005766 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005767
5768 See also : "timeout connect", "contimeout".
5769
5770
5771transparent (deprecated)
5772 Enable client-side transparent proxying
5773 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005774 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005775 Arguments : none
5776
5777 This keyword was introduced in order to provide layer 7 persistence to layer
5778 3 load balancers. The idea is to use the OS's ability to redirect an incoming
5779 connection for a remote address to a local process (here HAProxy), and let
5780 this process know what address was initially requested. When this option is
5781 used, sessions without cookies will be forwarded to the original destination
5782 IP address of the incoming request (which should match that of another
5783 equipment), while requests with cookies will still be forwarded to the
5784 appropriate server.
5785
5786 The "transparent" keyword is deprecated, use "option transparent" instead.
5787
5788 Note that contrary to a common belief, this option does NOT make HAProxy
5789 present the client's IP to the server when establishing the connection.
5790
Willy Tarreau844e3c52008-01-11 16:28:18 +01005791 See also: "option transparent"
5792
5793
5794use_backend <backend> if <condition>
5795use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005796 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005797 May be used in sections : defaults | frontend | listen | backend
5798 no | yes | yes | no
5799 Arguments :
5800 <backend> is the name of a valid backend or "listen" section.
5801
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005802 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005803
5804 When doing content-switching, connections arrive on a frontend and are then
5805 dispatched to various backends depending on a number of conditions. The
5806 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005807 "use_backend" keyword. While it is normally used with HTTP processing, it can
5808 also be used in pure TCP, either without content using stateless ACLs (eg:
5809 source address validation) or combined with a "tcp-request" rule to wait for
5810 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005811
5812 There may be as many "use_backend" rules as desired. All of these rules are
5813 evaluated in their declaration order, and the first one which matches will
5814 assign the backend.
5815
5816 In the first form, the backend will be used if the condition is met. In the
5817 second form, the backend will be used if the condition is not met. If no
5818 condition is valid, the backend defined with "default_backend" will be used.
5819 If no default backend is defined, either the servers in the same section are
5820 used (in case of a "listen" section) or, in case of a frontend, no server is
5821 used and a 503 service unavailable response is returned.
5822
Willy Tarreau51aecc72009-07-12 09:47:04 +02005823 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005824 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02005825 and backend processing will immediately follow, or the backend will wait for
5826 a complete HTTP request to get in. This feature is useful when a frontend
5827 must decode several protocols on a unique port, one of them being HTTP.
5828
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005829 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005830
Willy Tarreau036fae02008-01-06 13:24:40 +01005831
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010058325. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01005833------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005834
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005835The "server" and "default-server" keywords support a certain number of settings
5836which are all passed as arguments on the server line. The order in which those
5837arguments appear does not count, and they are all optional. Some of those
5838settings are single words (booleans) while others expect one or several values
5839after them. In this case, the values must immediately follow the setting name.
5840Except default-server, all those settings must be specified after the server's
5841address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02005842
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005843 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005844 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02005845
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005846The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005847
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005848addr <ipv4>
5849 Using the "addr" parameter, it becomes possible to use a different IP address
5850 to send health-checks. On some servers, it may be desirable to dedicate an IP
5851 address to specific component able to perform complex tests which are more
5852 suitable to health-checks than the application. This parameter is ignored if
5853 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005854
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005855 Supported in default-server: No
5856
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005857backup
5858 When "backup" is present on a server line, the server is only used in load
5859 balancing when all other non-backup servers are unavailable. Requests coming
5860 with a persistence cookie referencing the server will always be served
5861 though. By default, only the first operational backup server is used, unless
5862 the "allbackups" option is set in the backend. See also the "allbackups"
5863 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005864
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005865 Supported in default-server: No
5866
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005867check
5868 This option enables health checks on the server. By default, a server is
5869 always considered available. If "check" is set, the server will receive
5870 periodic health checks to ensure that it is really able to serve requests.
5871 The default address and port to send the tests to are those of the server,
5872 and the default source is the same as the one defined in the backend. It is
5873 possible to change the address using the "addr" parameter, the port using the
5874 "port" parameter, the source address using the "source" address, and the
5875 interval and timers using the "inter", "rise" and "fall" parameters. The
5876 request method is define in the backend using the "httpchk", "smtpchk",
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005877 "mysql-check" and "ssl-hello-chk" options. Please refer to those options and
5878 parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005879
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005880 Supported in default-server: No
5881
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005882cookie <value>
5883 The "cookie" parameter sets the cookie value assigned to the server to
5884 <value>. This value will be checked in incoming requests, and the first
5885 operational server possessing the same value will be selected. In return, in
5886 cookie insertion or rewrite modes, this value will be assigned to the cookie
5887 sent to the client. There is nothing wrong in having several servers sharing
5888 the same cookie value, and it is in fact somewhat common between normal and
5889 backup servers. See also the "cookie" keyword in backend section.
5890
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005891 Supported in default-server: No
5892
Willy Tarreau96839092010-03-29 10:02:24 +02005893disabled
5894 The "disabled" keyword starts the server in the "disabled" state. That means
5895 that it is marked down in maintenance mode, and no connection other than the
5896 ones allowed by persist mode will reach it. It is very well suited to setup
5897 new servers, because normal traffic will never reach them, while it is still
5898 possible to test the service by making use of the force-persist mechanism.
5899
5900 Supported in default-server: No
5901
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005902error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01005903 If health observing is enabled, the "error-limit" parameter specifies the
5904 number of consecutive errors that triggers event selected by the "on-error"
5905 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005906
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005907 Supported in default-server: Yes
5908
5909 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005910
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005911fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005912 The "fall" parameter states that a server will be considered as dead after
5913 <count> consecutive unsuccessful health checks. This value defaults to 3 if
5914 unspecified. See also the "check", "inter" and "rise" parameters.
5915
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005916 Supported in default-server: Yes
5917
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005918id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02005919 Set a persistent ID for the server. This ID must be positive and unique for
5920 the proxy. An unused ID will automatically be assigned if unset. The first
5921 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005922
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005923 Supported in default-server: No
5924
5925inter <delay>
5926fastinter <delay>
5927downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005928 The "inter" parameter sets the interval between two consecutive health checks
5929 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
5930 It is also possible to use "fastinter" and "downinter" to optimize delays
5931 between checks depending on the server state :
5932
5933 Server state | Interval used
5934 ---------------------------------+-----------------------------------------
5935 UP 100% (non-transitional) | "inter"
5936 ---------------------------------+-----------------------------------------
5937 Transitionally UP (going down), |
5938 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
5939 or yet unchecked. |
5940 ---------------------------------+-----------------------------------------
5941 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
5942 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01005943
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005944 Just as with every other time-based parameter, they can be entered in any
5945 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
5946 serves as a timeout for health checks sent to servers if "timeout check" is
5947 not set. In order to reduce "resonance" effects when multiple servers are
5948 hosted on the same hardware, the health-checks of all servers are started
5949 with a small time offset between them. It is also possible to add some random
5950 noise in the health checks interval using the global "spread-checks"
5951 keyword. This makes sense for instance when a lot of backends use the same
5952 servers.
5953
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005954 Supported in default-server: Yes
5955
5956maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005957 The "maxconn" parameter specifies the maximal number of concurrent
5958 connections that will be sent to this server. If the number of incoming
5959 concurrent requests goes higher than this value, they will be queued, waiting
5960 for a connection to be released. This parameter is very important as it can
5961 save fragile servers from going down under extreme loads. If a "minconn"
5962 parameter is specified, the limit becomes dynamic. The default value is "0"
5963 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
5964 the backend's "fullconn" keyword.
5965
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005966 Supported in default-server: Yes
5967
5968maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005969 The "maxqueue" parameter specifies the maximal number of connections which
5970 will wait in the queue for this server. If this limit is reached, next
5971 requests will be redispatched to other servers instead of indefinitely
5972 waiting to be served. This will break persistence but may allow people to
5973 quickly re-log in when the server they try to connect to is dying. The
5974 default value is "0" which means the queue is unlimited. See also the
5975 "maxconn" and "minconn" parameters.
5976
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005977 Supported in default-server: Yes
5978
5979minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005980 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
5981 limit following the backend's load. The server will always accept at least
5982 <minconn> connections, never more than <maxconn>, and the limit will be on
5983 the ramp between both values when the backend has less than <fullconn>
5984 concurrent connections. This makes it possible to limit the load on the
5985 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005986 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005987 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005988
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005989 Supported in default-server: Yes
5990
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005991observe <mode>
5992 This option enables health adjusting based on observing communication with
5993 the server. By default this functionality is disabled and enabling it also
5994 requires to enable health checks. There are two supported modes: "layer4" and
5995 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
5996 significant. In layer7, which is only allowed for http proxies, responses
5997 received from server are verified, like valid/wrong http code, unparsable
5998 headers, a timeout, etc.
5999
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006000 Supported in default-server: No
6001
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006002 See also the "check", "on-error" and "error-limit".
6003
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006004on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006005 Select what should happen when enough consecutive errors are detected.
6006 Currently, four modes are available:
6007 - fastinter: force fastinter
6008 - fail-check: simulate a failed check, also forces fastinter (default)
6009 - sudden-death: simulate a pre-fatal failed health check, one more failed
6010 check will mark a server down, forces fastinter
6011 - mark-down: mark the server immediately down and force fastinter
6012
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006013 Supported in default-server: Yes
6014
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01006015 See also the "check", "observe" and "error-limit".
6016
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006017port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006018 Using the "port" parameter, it becomes possible to use a different port to
6019 send health-checks. On some servers, it may be desirable to dedicate a port
6020 to a specific component able to perform complex tests which are more suitable
6021 to health-checks than the application. It is common to run a simple script in
6022 inetd for instance. This parameter is ignored if the "check" parameter is not
6023 set. See also the "addr" parameter.
6024
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006025 Supported in default-server: Yes
6026
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006027redir <prefix>
6028 The "redir" parameter enables the redirection mode for all GET and HEAD
6029 requests addressing this server. This means that instead of having HAProxy
6030 forward the request to the server, it will send an "HTTP 302" response with
6031 the "Location" header composed of this prefix immediately followed by the
6032 requested URI beginning at the leading '/' of the path component. That means
6033 that no trailing slash should be used after <prefix>. All invalid requests
6034 will be rejected, and all non-GET or HEAD requests will be normally served by
6035 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006036 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006037 requests are still analysed, making this solution completely usable to direct
6038 users to a remote location in case of local disaster. Main use consists in
6039 increasing bandwidth for static servers by having the clients directly
6040 connect to them. Note: never use a relative location here, it would cause a
6041 loop between the client and HAProxy!
6042
6043 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
6044
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006045 Supported in default-server: No
6046
6047rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006048 The "rise" parameter states that a server will be considered as operational
6049 after <count> consecutive successful health checks. This value defaults to 2
6050 if unspecified. See also the "check", "inter" and "fall" parameters.
6051
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006052 Supported in default-server: Yes
6053
6054slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006055 The "slowstart" parameter for a server accepts a value in milliseconds which
6056 indicates after how long a server which has just come back up will run at
6057 full speed. Just as with every other time-based parameter, it can be entered
6058 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
6059 linearly from 0 to 100% during this time. The limitation applies to two
6060 parameters :
6061
6062 - maxconn: the number of connections accepted by the server will grow from 1
6063 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
6064
6065 - weight: when the backend uses a dynamic weighted algorithm, the weight
6066 grows linearly from 1 to 100%. In this case, the weight is updated at every
6067 health-check. For this reason, it is important that the "inter" parameter
6068 is smaller than the "slowstart", in order to maximize the number of steps.
6069
6070 The slowstart never applies when haproxy starts, otherwise it would cause
6071 trouble to running servers. It only applies when a server has been previously
6072 seen as failed.
6073
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006074 Supported in default-server: Yes
6075
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006076source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02006077source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006078source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006079 The "source" parameter sets the source address which will be used when
6080 connecting to the server. It follows the exact same parameters and principle
6081 as the backend "source" keyword, except that it only applies to the server
6082 referencing it. Please consult the "source" keyword for details.
6083
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02006084 Additionally, the "source" statement on a server line allows one to specify a
6085 source port range by indicating the lower and higher bounds delimited by a
6086 dash ('-'). Some operating systems might require a valid IP address when a
6087 source port range is specified. It is permitted to have the same IP/range for
6088 several servers. Doing so makes it possible to bypass the maximum of 64k
6089 total concurrent connections. The limit will then reach 64k connections per
6090 server.
6091
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006092 Supported in default-server: No
6093
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006094track [<proxy>/]<server>
6095 This option enables ability to set the current state of the server by
6096 tracking another one. Only a server with checks enabled can be tracked
6097 so it is not possible for example to track a server that tracks another
6098 one. If <proxy> is omitted the current one is used. If disable-on-404 is
6099 used, it has to be enabled on both proxies.
6100
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006101 Supported in default-server: No
6102
6103weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006104 The "weight" parameter is used to adjust the server's weight relative to
6105 other servers. All servers will receive a load proportional to their weight
6106 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02006107 load. The default weight is 1, and the maximal value is 256. A value of 0
6108 means the server will not participate in load-balancing but will still accept
6109 persistent connections. If this parameter is used to distribute the load
6110 according to server's capacity, it is recommended to start with values which
6111 can both grow and shrink, for instance between 10 and 100 to leave enough
6112 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006113
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01006114 Supported in default-server: Yes
6115
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006116
61176. HTTP header manipulation
6118---------------------------
6119
6120In HTTP mode, it is possible to rewrite, add or delete some of the request and
6121response headers based on regular expressions. It is also possible to block a
6122request or a response if a particular header matches a regular expression,
6123which is enough to stop most elementary protocol attacks, and to protect
6124against information leak from the internal network. But there is a limitation
6125to this : since HAProxy's HTTP engine does not support keep-alive, only headers
6126passed during the first request of a TCP session will be seen. All subsequent
6127headers will be considered data only and not analyzed. Furthermore, HAProxy
6128never touches data contents, it stops analysis at the end of headers.
6129
Willy Tarreau816b9792009-09-15 21:25:21 +02006130There is an exception though. If HAProxy encounters an "Informational Response"
6131(status code 1xx), it is able to process all rsp* rules which can allow, deny,
6132rewrite or delete a header, but it will refuse to add a header to any such
6133messages as this is not HTTP-compliant. The reason for still processing headers
6134in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006135happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02006136add a header, or if a server name appears there. When such messages are seen,
6137normal processing still occurs on the next non-informational messages.
6138
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006139This section covers common usage of the following keywords, described in detail
6140in section 4.2 :
6141
6142 - reqadd <string>
6143 - reqallow <search>
6144 - reqiallow <search>
6145 - reqdel <search>
6146 - reqidel <search>
6147 - reqdeny <search>
6148 - reqideny <search>
6149 - reqpass <search>
6150 - reqipass <search>
6151 - reqrep <search> <replace>
6152 - reqirep <search> <replace>
6153 - reqtarpit <search>
6154 - reqitarpit <search>
6155 - rspadd <string>
6156 - rspdel <search>
6157 - rspidel <search>
6158 - rspdeny <search>
6159 - rspideny <search>
6160 - rsprep <search> <replace>
6161 - rspirep <search> <replace>
6162
6163With all these keywords, the same conventions are used. The <search> parameter
6164is a POSIX extended regular expression (regex) which supports grouping through
6165parenthesis (without the backslash). Spaces and other delimiters must be
6166prefixed with a backslash ('\') to avoid confusion with a field delimiter.
6167Other characters may be prefixed with a backslash to change their meaning :
6168
6169 \t for a tab
6170 \r for a carriage return (CR)
6171 \n for a new line (LF)
6172 \ to mark a space and differentiate it from a delimiter
6173 \# to mark a sharp and differentiate it from a comment
6174 \\ to use a backslash in a regex
6175 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
6176 \xXX to write the ASCII hex code XX as in the C language
6177
6178The <replace> parameter contains the string to be used to replace the largest
6179portion of text matching the regex. It can make use of the special characters
6180above, and can reference a substring which is delimited by parenthesis in the
6181regex, by writing a backslash ('\') immediately followed by one digit from 0 to
61829 indicating the group position (0 designating the entire line). This practice
6183is very common to users of the "sed" program.
6184
6185The <string> parameter represents the string which will systematically be added
6186after the last header line. It can also use special character sequences above.
6187
6188Notes related to these keywords :
6189---------------------------------
6190 - these keywords are not always convenient to allow/deny based on header
6191 contents. It is strongly recommended to use ACLs with the "block" keyword
6192 instead, resulting in far more flexible and manageable rules.
6193
6194 - lines are always considered as a whole. It is not possible to reference
6195 a header name only or a value only. This is important because of the way
6196 headers are written (notably the number of spaces after the colon).
6197
6198 - the first line is always considered as a header, which makes it possible to
6199 rewrite or filter HTTP requests URIs or response codes, but in turn makes
6200 it harder to distinguish between headers and request line. The regex prefix
6201 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
6202 ^[^ \t:]*: matches any header name followed by a colon.
6203
6204 - for performances reasons, the number of characters added to a request or to
6205 a response is limited at build time to values between 1 and 4 kB. This
6206 should normally be far more than enough for most usages. If it is too short
6207 on occasional usages, it is possible to gain some space by removing some
6208 useless headers before adding new ones.
6209
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006210 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006211 without the 'i' letter except that they ignore case when matching patterns.
6212
6213 - when a request passes through a frontend then a backend, all req* rules
6214 from the frontend will be evaluated, then all req* rules from the backend
6215 will be evaluated. The reverse path is applied to responses.
6216
6217 - req* statements are applied after "block" statements, so that "block" is
6218 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01006219 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006220
6221
Willy Tarreaub937b7e2010-01-12 15:27:54 +010062227. Using ACLs and pattern extraction
6223------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006224
6225The use of Access Control Lists (ACL) provides a flexible solution to perform
6226content switching and generally to take decisions based on content extracted
6227from the request, the response or any environmental status. The principle is
6228simple :
6229
6230 - define test criteria with sets of values
6231 - perform actions only if a set of tests is valid
6232
6233The actions generally consist in blocking the request, or selecting a backend.
6234
6235In order to define a test, the "acl" keyword is used. The syntax is :
6236
6237 acl <aclname> <criterion> [flags] [operator] <value> ...
6238
6239This creates a new ACL <aclname> or completes an existing one with new tests.
6240Those tests apply to the portion of request/response specified in <criterion>
6241and may be adjusted with optional flags [flags]. Some criteria also support
6242an operator which may be specified before the set of values. The values are
6243of the type supported by the criterion, and are separated by spaces.
6244
6245ACL names must be formed from upper and lower case letters, digits, '-' (dash),
6246'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
6247which means that "my_acl" and "My_Acl" are two different ACLs.
6248
6249There is no enforced limit to the number of ACLs. The unused ones do not affect
6250performance, they just consume a small amount of memory.
6251
6252The following ACL flags are currently supported :
6253
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006254 -i : ignore case during matching of all subsequent patterns.
6255 -f : load patterns from a file.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006256 -- : force end of flags. Useful when a string looks like one of the flags.
6257
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006258The "-f" flag is special as it loads all of the lines it finds in the file
6259specified in argument and loads all of them before continuing. It is even
6260possible to pass multiple "-f" arguments if the patterns are to be loaded from
Willy Tarreau58215a02010-05-13 22:07:43 +02006261multiple files. Empty lines as well as lines beginning with a sharp ('#') will
6262be ignored. All leading spaces and tabs will be stripped. If it is absolutely
6263needed to insert a valid pattern beginning with a sharp, just prefix it with a
6264space so that it is not taken for a comment. Depending on the data type and
6265match method, haproxy may load the lines into a binary tree, allowing very fast
6266lookups. This is true for IPv4 and exact string matching. In this case,
6267duplicates will automatically be removed. Also, note that the "-i" flag applies
6268to subsequent entries and not to entries loaded from files preceeding it. For
6269instance :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02006270
6271 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
6272
6273In this example, each line of "exact-ua.lst" will be exactly matched against
6274the "user-agent" header of the request. Then each line of "generic-ua" will be
6275case-insensitively matched. Then the word "test" will be insensitively matched
6276too.
6277
6278Note that right now it is difficult for the ACL parsers to report errors, so if
6279a file is unreadable or unparsable, the most you'll get is a parse error in the
6280ACL. Thus, file-based ACLs should only be produced by reliable processes.
6281
Willy Tarreau6a06a402007-07-15 20:15:28 +02006282Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01006283
Willy Tarreau6a06a402007-07-15 20:15:28 +02006284 - integers or integer ranges
6285 - strings
6286 - regular expressions
6287 - IP addresses and networks
6288
6289
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062907.1. Matching integers
6291----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006292
6293Matching integers is special in that ranges and operators are permitted. Note
6294that integer matching only applies to positive values. A range is a value
6295expressed with a lower and an upper bound separated with a colon, both of which
6296may be omitted.
6297
6298For instance, "1024:65535" is a valid range to represent a range of
6299unprivileged ports, and "1024:" would also work. "0:1023" is a valid
6300representation of privileged ports, and ":1023" would also work.
6301
Willy Tarreau62644772008-07-16 18:36:06 +02006302As a special case, some ACL functions support decimal numbers which are in fact
6303two integers separated by a dot. This is used with some version checks for
6304instance. All integer properties apply to those decimal numbers, including
6305ranges and operators.
6306
Willy Tarreau6a06a402007-07-15 20:15:28 +02006307For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01006308operators with ranges does not make much sense and is strongly discouraged.
6309Similarly, it does not make much sense to perform order comparisons with a set
6310of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006311
Willy Tarreau0ba27502007-12-24 16:55:16 +01006312Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006313
6314 eq : true if the tested value equals at least one value
6315 ge : true if the tested value is greater than or equal to at least one value
6316 gt : true if the tested value is greater than at least one value
6317 le : true if the tested value is less than or equal to at least one value
6318 lt : true if the tested value is less than at least one value
6319
Willy Tarreau0ba27502007-12-24 16:55:16 +01006320For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02006321
6322 acl negative-length hdr_val(content-length) lt 0
6323
Willy Tarreau62644772008-07-16 18:36:06 +02006324This one matches SSL versions between 3.0 and 3.1 (inclusive) :
6325
6326 acl sslv3 req_ssl_ver 3:3.1
6327
Willy Tarreau6a06a402007-07-15 20:15:28 +02006328
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063297.2. Matching strings
6330---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006331
6332String matching applies to verbatim strings as they are passed, with the
6333exception of the backslash ("\") which makes it possible to escape some
6334characters such as the space. If the "-i" flag is passed before the first
6335string, then the matching will be performed ignoring the case. In order
6336to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01006337before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006338
6339
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063407.3. Matching regular expressions (regexes)
6341-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006342
6343Just like with string matching, regex matching applies to verbatim strings as
6344they are passed, with the exception of the backslash ("\") which makes it
6345possible to escape some characters such as the space. If the "-i" flag is
6346passed before the first regex, then the matching will be performed ignoring
6347the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01006348the "--" flag before the first string. Same principle applies of course to
6349match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02006350
6351
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063527.4. Matching IPv4 addresses
6353----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006354
6355IPv4 addresses values can be specified either as plain addresses or with a
6356netmask appended, in which case the IPv4 address matches whenever it is
6357within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006358host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01006359difficult to read and debug configurations. If hostnames are used, you should
6360at least ensure that they are present in /etc/hosts so that the configuration
6361does not depend on any random DNS match at the moment the configuration is
6362parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006363
6364
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063657.5. Available matching criteria
6366--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02006367
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063687.5.1. Matching at Layer 4 and below
6369------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006370
6371A first set of criteria applies to information which does not require any
6372analysis of the request or response contents. Those generally include TCP/IP
6373addresses and ports, as well as internal values independant on the stream.
6374
Willy Tarreau6a06a402007-07-15 20:15:28 +02006375always_false
6376 This one never matches. All values and flags are ignored. It may be used as
6377 a temporary replacement for another one when adjusting configurations.
6378
6379always_true
6380 This one always matches. All values and flags are ignored. It may be used as
6381 a temporary replacement for another one when adjusting configurations.
6382
Willy Tarreaud63335a2010-02-26 12:56:52 +01006383avg_queue <integer>
Willy Tarreau6cbd6472010-09-08 19:06:18 +02006384avg_queue(backend) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01006385 Returns the total number of queued connections of the designated backend
6386 divided by the number of active servers. This is very similar to "queue"
6387 except that the size of the farm is considered, in order to give a more
6388 accurate measurement of the time it may take for a new connection to be
6389 processed. The main usage is to return a sorry page to new users when it
6390 becomes certain they will get a degraded service. Note that in the event
6391 there would not be any active server anymore, we would consider twice the
6392 number of queued connections as the measured value. This is a fair estimate,
6393 as we expect one server to get back soon anyway, but we still prefer to send
6394 new traffic to another backend if in better shape. See also the "queue",
6395 "be_conn", and "be_sess_rate" criteria.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01006396
Willy Tarreaua36af912009-10-10 12:02:45 +02006397be_conn <integer>
Willy Tarreau6cbd6472010-09-08 19:06:18 +02006398be_conn(backend) <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02006399 Applies to the number of currently established connections on the backend,
6400 possibly including the connection being evaluated. If no backend name is
6401 specified, the current one is used. But it is also possible to check another
6402 backend. It can be used to use a specific farm when the nominal one is full.
6403 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006404
Willy Tarreaud63335a2010-02-26 12:56:52 +01006405be_sess_rate <integer>
6406be_sess_rate(backend) <integer>
6407 Returns true when the sessions creation rate on the backend matches the
6408 specified values or ranges, in number of new sessions per second. This is
6409 used to switch to an alternate backend when an expensive or fragile one
6410 reaches too high a session rate, or to limit abuse of service (eg. prevent
6411 sucking of an online dictionary).
6412
6413 Example :
6414 # Redirect to an error page if the dictionary is requested too often
6415 backend dynamic
6416 mode http
6417 acl being_scanned be_sess_rate gt 100
6418 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +01006419
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006420connslots <integer>
6421connslots(backend) <integer>
6422 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02006423 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006424 usage; see "use_backend" keyword) can be redirected to a different backend.
6425
Willy Tarreau55165fe2009-05-10 12:02:55 +02006426 'connslots' = number of available server connection slots, + number of
6427 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006428
Willy Tarreaua36af912009-10-10 12:02:45 +02006429 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02006430 useful when you have a case of traffic going to one single ip, splitting into
6431 multiple backends (perhaps using acls to do name-based load balancing) and
6432 you want to be able to differentiate between different backends, and their
6433 available "connslots". Also, whereas "nbsrv" only measures servers that are
6434 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02006435 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006436
Willy Tarreau55165fe2009-05-10 12:02:55 +02006437 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
6438 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
6439 then this acl clearly does not make sense, in which case the value returned
6440 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08006441
Willy Tarreaud63335a2010-02-26 12:56:52 +01006442dst <ip_address>
6443 Applies to the local IPv4 address the client connected to. It can be used to
6444 switch to a different backend for some alternative addresses.
Willy Tarreaua36af912009-10-10 12:02:45 +02006445
Willy Tarreaud63335a2010-02-26 12:56:52 +01006446dst_conn <integer>
6447 Applies to the number of currently established connections on the same socket
6448 including the one being evaluated. It can be used to either return a sorry
6449 page before hard-blocking, or to use a specific backend to drain new requests
6450 when the socket is considered saturated. This offers the ability to assign
6451 different limits to different listening ports or addresses. See also the
6452 "fe_conn" and "be_conn" criteria.
6453
6454dst_port <integer>
6455 Applies to the local port the client connected to. It can be used to switch
6456 to a different backend for some alternative ports.
6457
6458fe_conn <integer>
6459fe_conn(frontend) <integer>
6460 Applies to the number of currently established connections on the frontend,
6461 possibly including the connection being evaluated. If no frontend name is
6462 specified, the current one is used. But it is also possible to check another
6463 frontend. It can be used to either return a sorry page before hard-blocking,
6464 or to use a specific backend to drain new requests when the farm is
6465 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
6466 criteria.
6467
6468fe_id <integer>
Cyril Bonté78caf842010-03-10 22:41:43 +01006469 Applies to the frontend's id. Can be used in backends to check from which
Willy Tarreaud63335a2010-02-26 12:56:52 +01006470 frontend it was called.
Willy Tarreaua36af912009-10-10 12:02:45 +02006471
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006472fe_sess_rate <integer>
6473fe_sess_rate(frontend) <integer>
6474 Returns true when the session creation rate on the current or the named
6475 frontend matches the specified values or ranges, expressed in new sessions
6476 per second. This is used to limit the connection rate to acceptable ranges in
6477 order to prevent abuse of service at the earliest moment. This can be
6478 combined with layer 4 ACLs in order to force the clients to wait a bit for
6479 the rate to go down below the limit.
6480
6481 Example :
6482 # This frontend limits incoming mails to 10/s with a max of 100
6483 # concurrent connections. We accept any connection below 10/s, and
6484 # force excess clients to wait for 100 ms. Since clients are limited to
6485 # 100 max, there cannot be more than 10 incoming mails per second.
6486 frontend mail
6487 bind :25
6488 mode tcp
6489 maxconn 100
6490 acl too_fast fe_sess_rate ge 10
6491 tcp-request inspect-delay 100ms
6492 tcp-request content accept if ! too_fast
6493 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01006494
Willy Tarreaud63335a2010-02-26 12:56:52 +01006495nbsrv <integer>
6496nbsrv(backend) <integer>
6497 Returns true when the number of usable servers of either the current backend
6498 or the named backend matches the values or ranges specified. This is used to
6499 switch to an alternate backend when the number of servers is too low to
6500 to handle some load. It is useful to report a failure when combined with
6501 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006502
Willy Tarreaud63335a2010-02-26 12:56:52 +01006503queue <integer>
Willy Tarreauf5a526f2010-09-01 08:06:18 +02006504queue(backend) <integer>
Willy Tarreaud63335a2010-02-26 12:56:52 +01006505 Returns the total number of queued connections of the designated backend,
6506 including all the connections in server queues. If no backend name is
6507 specified, the current one is used, but it is also possible to check another
6508 one. This can be used to take actions when queuing goes above a known level,
6509 generally indicating a surge of traffic or a massive slowdown on the servers.
6510 One possible action could be to reject new users but still accept old ones.
6511 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
6512
Willy Tarreaue9656522010-08-17 15:40:09 +02006513sc1_bytes_in_rate
6514sc2_bytes_in_rate
6515 Returns the average client-to-server bytes rate from the currently tracked
6516 counters, measured in amount of bytes over the period configured in the
6517 table. See also src_bytes_in_rate.
6518
6519sc1_bytes_out_rate
6520sc2_bytes_out_rate
6521 Returns the average server-to-client bytes rate from the currently tracked
6522 counters, measured in amount of bytes over the period configured in the
6523 table. See also src_bytes_out_rate.
6524
6525sc1_conn_cnt
6526sc2_conn_cnt
6527 Returns the cumulated number of incoming connections from currently tracked
6528 counters. See also src_conn_cnt.
6529
6530sc1_conn_cur
6531sc2_conn_cur
6532 Returns the current amount of concurrent connections tracking the same
6533 tracked counters. This number is automatically incremented when tracking
6534 begins and decremented when tracking stops. See also src_conn_cur.
6535
6536sc1_conn_rate
6537sc2_conn_rate
6538 Returns the average connection rate from the currently tracked counters,
6539 measured in amount of connections over the period configured in the table.
6540 See also src_conn_rate.
6541
6542sc1_get_gpc0
6543sc2_get_gpc0
6544 Returns the value of the first General Purpose Counter associated to the
6545 currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
6546
6547sc1_http_err_cnt
6548sc2_http_err_cnt
6549 Returns the cumulated number of HTTP errors from the currently tracked
6550 counters. This includes the both request errors and 4xx error responses.
6551 See also src_http_err_cnt.
6552
6553sc1_http_err_rate
6554sc2_http_err_rate
6555 Returns the average rate of HTTP errors from the currently tracked counters,
6556 measured in amount of errors over the period configured in the table. This
6557 includes the both request errors and 4xx error responses. See also
6558 src_http_err_rate.
6559
6560sc1_http_req_cnt
6561sc2_http_req_cnt
6562 Returns the cumulated number of HTTP requests from the currently tracked
6563 counters. This includes every started request, valid or not. See also
6564 src_http_req_cnt.
6565
6566sc1_http_req_rate
6567sc2_http_req_rate
6568 Returns the average rate of HTTP requests from the currently tracked
6569 counters, measured in amount of requests over the period configured in
6570 the table. This includes every started request, valid or not. See also
6571 src_http_req_rate.
6572
6573sc1_inc_gpc0
6574sc2_inc_gpc0
6575 Increments the first General Purpose Counter associated to the currently
6576 tracked counters, and returns its value. Before the first invocation, the
6577 stored value is zero, so first invocation will increase it to 1 and will
6578 return 1. The test can also be used alone and always returns true. This is
6579 typically used as a second ACL in an expression in order to mark a connection
6580 when a first ACL was verified :
6581
6582 acl abuse sc1_http_req_rate gt 10
6583 acl kill sc1_inc_gpc0
6584 tcp-request connection reject if abuse kill
6585
6586sc1_kbytes_in
6587sc2_kbytes_in
6588 Returns the amount of client-to-server data from the currently tracked
6589 counters, measured in kilobytes over the period configured in the table. The
6590 test is currently performed on 32-bit integers, which limits values to 4
6591 terabytes. See also src_kbytes_in.
6592
6593sc1_kbytes_out
6594sc2_kbytes_out
6595 Returns the amount of server-to-client data from the currently tracked
6596 counters, measured in kilobytes over the period configured in the table. The
6597 test is currently performed on 32-bit integers, which limits values to 4
6598 terabytes. See also src_kbytes_out.
6599
6600sc1_sess_cnt
6601sc2_sess_cnt
6602 Returns the cumulated number of incoming connections that were transformed
6603 into sessions, which means that they were accepted by a "tcp-request
6604 connection" rule, from the currently tracked counters. A backend may count
6605 more sessions than connections because each connection could result in many
6606 backend sessions if some HTTP keep-alive is performend over the connection
6607 with the client. See also src_sess_cnt.
6608
6609sc1_sess_rate
6610sc2_sess_rate
6611 Returns the average session rate from the currently tracked counters,
6612 measured in amount of sessions over the period configured in the table. A
6613 session is a connection that got past the early "tcp-request connection"
6614 rules. A backend may count more sessions than connections because each
6615 connection could result in many backend sessions if some HTTP keep-alive is
6616 performend over the connection with the client. See also src_sess_rate.
6617
Willy Tarreaud63335a2010-02-26 12:56:52 +01006618so_id <integer>
6619 Applies to the socket's id. Useful in frontends with many bind keywords.
6620
6621src <ip_address>
6622 Applies to the client's IPv4 address. It is usually used to limit access to
6623 certain resources such as statistics. Note that it is the TCP-level source
6624 address which is used, and not the address of a client behind a proxy.
6625
Willy Tarreauc9705a12010-07-27 20:05:50 +02006626src_bytes_in_rate <integer>
6627src_bytes_in_rate(table) <integer>
6628 Returns the average bytes rate from the connection's source IPv4 address in
6629 the current proxy's stick-table or in the designated stick-table, measured in
6630 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006631 not found, zero is returned. See also sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006632
6633src_bytes_out_rate <integer>
6634src_bytes_out_rate(table) <integer>
6635 Returns the average bytes rate to the connection's source IPv4 address in the
6636 current proxy's stick-table or in the designated stick-table, measured in
6637 amount of bytes over the period configured in the table. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006638 not found, zero is returned. See also sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006639
6640src_conn_cnt <integer>
6641src_conn_cnt(table) <integer>
6642 Returns the cumulated number of connections initiated from the current
6643 connection's source IPv4 address in the current proxy's stick-table or in
6644 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02006645 See also sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006646
6647src_conn_cur <integer>
6648src_conn_cur(table) <integer>
6649 Returns the current amount of concurrent connections initiated from the
6650 current connection's source IPv4 address in the current proxy's stick-table
6651 or in the designated stick-table. If the address is not found, zero is
Willy Tarreaue9656522010-08-17 15:40:09 +02006652 returned. See also sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006653
6654src_conn_rate <integer>
6655src_conn_rate(table) <integer>
6656 Returns the average connection rate from the connection's source IPv4 address
6657 in the current proxy's stick-table or in the designated stick-table, measured
6658 in amount of connections over the period configured in the table. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02006659 address is not found, zero is returned. See also sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006660
6661src_get_gpc0 <integer>
6662src_get_gpc0(table) <integer>
6663 Returns the value of the first General Purpose Counter associated to the
6664 connection's source IPv4 address in the current proxy's stick-table or in
6665 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreaue9656522010-08-17 15:40:09 +02006666 See also sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006667
6668src_http_err_cnt <integer>
6669src_http_err_cnt(table) <integer>
6670 Returns the cumulated number of HTTP errors from the current connection's
6671 source IPv4 address in the current proxy's stick-table or in the designated
6672 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreaue9656522010-08-17 15:40:09 +02006673 If the address is not found, zero is returned. See also sc1/sc2_http_err_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006674
6675src_http_err_rate <integer>
6676src_http_err_rate(table) <integer>
6677 Returns the average rate of HTTP errors from the current connection's source
6678 IPv4 address in the current proxy's stick-table or in the designated stick-
6679 table, measured in amount of errors over the period configured in the table.
6680 This includes the both request errors and 4xx error responses. If the address
Willy Tarreaue9656522010-08-17 15:40:09 +02006681 is not found, zero is returned. See also sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006682
6683src_http_req_cnt <integer>
6684src_http_req_cnt(table) <integer>
6685 Returns the cumulated number of HTTP requests from the current connection's
6686 source IPv4 address in the current proxy's stick-table or in the designated
6687 stick-table. This includes every started request, valid or not. If the
Willy Tarreaue9656522010-08-17 15:40:09 +02006688 address is not found, zero is returned. See also sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006689
6690src_http_req_rate <integer>
6691src_http_req_rate(table) <integer>
6692 Returns the average rate of HTTP requests from the current connection's
6693 source IPv4 address in the current proxy's stick-table or in the designated
6694 stick-table, measured in amount of requests over the period configured in the
6695 table. This includes every started request, valid or not. If the address is
Willy Tarreaue9656522010-08-17 15:40:09 +02006696 not found, zero is returned. See also sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006697
6698src_inc_gpc0 <integer>
6699src_inc_gpc0(table) <integer>
6700 Increments the first General Purpose Counter associated to the connection's
6701 source IPv4 address in the current proxy's stick-table or in the designated
6702 stick-table, and returns its value. If the address is not found, an entry is
6703 created and 1 is returned. The test can also be used alone and always returns
6704 true. This is typically used as a second ACL in an expression in order to
6705 mark a connection when a first ACL was verified :
6706
6707 acl abuse src_http_req_rate gt 10
6708 acl kill src_inc_gpc0
Willy Tarreaue9656522010-08-17 15:40:09 +02006709 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +02006710
6711src_kbytes_in <integer>
6712src_kbytes_in(table) <integer>
6713 Returns the amount of data received from the connection's source IPv4 address
6714 in the current proxy's stick-table or in the designated stick-table, measured
6715 in kilobytes over the period configured in the table. If the address is not
6716 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02006717 which limits values to 4 terabytes. See also sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006718
6719src_kbytes_out <integer>
6720src_kbytes_out(table) <integer>
6721 Returns the amount of data sent to the connection's source IPv4 address in
6722 the current proxy's stick-table or in the designated stick-table, measured
6723 in kilobytes over the period configured in the table. If the address is not
6724 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreaue9656522010-08-17 15:40:09 +02006725 which limits values to 4 terabytes. See also sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006726
Willy Tarreaud63335a2010-02-26 12:56:52 +01006727src_port <integer>
6728 Applies to the client's TCP source port. This has a very limited usage.
Willy Tarreau079ff0a2009-03-05 21:34:28 +01006729
Willy Tarreauc9705a12010-07-27 20:05:50 +02006730src_sess_cnt <integer>
6731src_sess_cnt(table) <integer>
6732 Returns the cumulated number of connections initiated from the current
6733 connection's source IPv4 address in the current proxy's stick-table or in the
6734 designated stick-table, that were transformed into sessions, which means that
6735 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreaue9656522010-08-17 15:40:09 +02006736 is returned. See also sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006737
6738src_sess_rate <integer>
6739src_sess_rate(table) <integer>
6740 Returns the average session rate from the connection's source IPv4 address in
6741 the current proxy's stick-table or in the designated stick-table, measured in
6742 amount of sessions over the period configured in the table. A session is a
6743 connection that got past the early "tcp-request" rules. If the address is not
Willy Tarreaue9656522010-08-17 15:40:09 +02006744 found, zero is returned. See also sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006745
6746src_updt_conn_cnt <integer>
6747src_updt_conn_cnt(table) <integer>
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006748 Creates or updates the entry associated to the source IPv4 address in the
Willy Tarreauc9705a12010-07-27 20:05:50 +02006749 current proxy's stick-table or in the designated stick-table. This table
6750 must be configured to store the "conn_cnt" data type, otherwise the match
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006751 will be ignored. The current count is incremented by one, and the expiration
6752 timer refreshed. The updated count is returned, so this match can't return
6753 zero. This is used to reject service abusers based on their source address.
Willy Tarreauc9705a12010-07-27 20:05:50 +02006754 Note: it is recommended to use the more complete "track-counters" instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006755
6756 Example :
6757 # This frontend limits incoming SSH connections to 3 per 10 second for
6758 # each source address, and rejects excess connections until a 10 second
6759 # silence is observed. At most 20 addresses are tracked.
6760 listen ssh
6761 bind :22
6762 mode tcp
6763 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +02006764 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreaua975b8f2010-06-05 19:13:27 +02006765 tcp-request content reject if { src_update_count gt 3 }
6766 server local 127.0.0.1:22
6767
Willy Tarreau0b1cd942010-05-16 22:18:27 +02006768srv_is_up(<server>)
6769srv_is_up(<backend>/<server>)
6770 Returns true when the designated server is UP, and false when it is either
6771 DOWN or in maintenance mode. If <backend> is omitted, then the server is
6772 looked up in the current backend. The function takes no arguments since it
6773 is used as a boolean. It is mainly used to take action based on an external
6774 status reported via a health check (eg: a geographical site's availability).
6775 Another possible use which is more of a hack consists in using dummy servers
6776 as boolean variables that can be enabled or disabled from the CLI, so that
6777 rules depending on those ACLs can be tweaked in realtime.
6778
Willy Tarreau0ba27502007-12-24 16:55:16 +01006779
Willy Tarreaue9656522010-08-17 15:40:09 +020067807.5.2. Matching contents at Layer 4 (also called Layer 6)
6781---------------------------------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02006782
6783A second set of criteria depends on data found in buffers, but which can change
6784during analysis. This requires that some data has been buffered, for instance
Willy Tarreaue9656522010-08-17 15:40:09 +02006785through TCP request content inspection. Please see the "tcp-request content"
6786keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +02006787
6788req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02006789 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02006790 specified range. It is important to understand that this test does not
6791 return false as long as the buffer is changing. This means that a check with
6792 equality to zero will almost always immediately match at the beginning of the
6793 session, while a test for more data will wait for that data to come in and
6794 return false only when haproxy is certain that no more data will come in.
6795 This test was designed to be used with TCP request content inspection.
6796
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006797req_proto_http
6798 Returns true when data in the request buffer look like HTTP and correctly
6799 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006800 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006801 to direct HTTP traffic to a given port and HTTPS traffic to another one
6802 using TCP request content inspection rules.
6803
Emeric Brunbede3d02009-06-30 17:54:00 +02006804req_rdp_cookie <string>
6805req_rdp_cookie(name) <string>
6806 Returns true when data in the request buffer look like the RDP protocol, and
6807 a cookie is present and equal to <string>. By default, any cookie name is
6808 checked, but a specific cookie name can be specified in parenthesis. The
6809 parser only checks for the first cookie, as illustrated in the RDP protocol
6810 specification. The cookie name is case insensitive. This ACL can be useful
6811 with the "MSTS" cookie, as it can contain the user name of the client
6812 connecting to the server if properly configured on the client. This can be
6813 used to restrict access to certain servers to certain users.
6814
6815req_rdp_cookie_cnt <integer>
6816req_rdp_cookie_cnt(name) <integer>
6817 Returns true when the data in the request buffer look like the RDP protocol
6818 and the number of RDP cookies matches the specified range (typically zero or
6819 one). Optionally a specific cookie name can be checked. This is a simple way
6820 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
6821 cookies.
6822
Willy Tarreau62644772008-07-16 18:36:06 +02006823req_ssl_ver <decimal>
6824 Returns true when data in the request buffer look like SSL, with a protocol
6825 version matching the specified range. Both SSLv2 hello messages and SSLv3
6826 messages are supported. The test tries to be strict enough to avoid being
6827 easily fooled. In particular, it waits for as many bytes as announced in the
6828 message header if this header looks valid (bound to the buffer size). Note
6829 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
6830 with TCP request content inspection.
6831
Willy Tarreaub6fb4202008-07-20 11:18:28 +02006832wait_end
6833 Waits for the end of the analysis period to return true. This may be used in
6834 conjunction with content analysis to avoid returning a wrong verdict early.
6835 It may also be used to delay some actions, such as a delayed reject for some
6836 special addresses. Since it either stops the rules evaluation or immediately
6837 returns true, it is recommended to use this acl as the last one in a rule.
6838 Please note that the default ACL "WAIT_END" is always usable without prior
6839 declaration. This test was designed to be used with TCP request content
6840 inspection.
6841
6842 Examples :
6843 # delay every incoming request by 2 seconds
6844 tcp-request inspect-delay 2s
6845 tcp-request content accept if WAIT_END
6846
6847 # don't immediately tell bad guys they are rejected
6848 tcp-request inspect-delay 10s
6849 acl goodguys src 10.0.0.0/24
6850 acl badguys src 10.0.1.0/24
6851 tcp-request content accept if goodguys
6852 tcp-request content reject if badguys WAIT_END
6853 tcp-request content reject
6854
Willy Tarreau62644772008-07-16 18:36:06 +02006855
Willy Tarreauc57f0e22009-05-10 13:12:33 +020068567.5.3. Matching at Layer 7
6857--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006858
Willy Tarreau62644772008-07-16 18:36:06 +02006859A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01006860application layer (layer 7). Those require that a full HTTP request has been
6861read, and are only evaluated then. They may require slightly more CPU resources
6862than the layer 4 ones, but not much since the request and response are indexed.
6863
Willy Tarreaud63335a2010-02-26 12:56:52 +01006864hdr <string>
6865hdr(header) <string>
6866 Note: all the "hdr*" matching criteria either apply to all headers, or to a
6867 particular header whose name is passed between parenthesis and without any
6868 space. The header name is not case-sensitive. The header matching complies
6869 with RFC2616, and treats as separate headers all values delimited by commas.
6870 Use the shdr() variant for response headers sent by the server.
6871
6872 The "hdr" criteria returns true if any of the headers matching the criteria
6873 match any of the strings. This can be used to check exact for values. For
6874 instance, checking that "connection: close" is set :
6875
6876 hdr(Connection) -i close
6877
6878hdr_beg <string>
6879hdr_beg(header) <string>
6880 Returns true when one of the headers begins with one of the strings. See
6881 "hdr" for more information on header matching. Use the shdr_beg() variant for
6882 response headers sent by the server.
6883
6884hdr_cnt <integer>
6885hdr_cnt(header) <integer>
6886 Returns true when the number of occurrence of the specified header matches
6887 the values or ranges specified. It is important to remember that one header
6888 line may count as several headers if it has several values. This is used to
6889 detect presence, absence or abuse of a specific header, as well as to block
6890 request smuggling attacks by rejecting requests which contain more than one
6891 of certain headers. See "hdr" for more information on header matching. Use
6892 the shdr_cnt() variant for response headers sent by the server.
6893
6894hdr_dir <string>
6895hdr_dir(header) <string>
6896 Returns true when one of the headers contains one of the strings either
6897 isolated or delimited by slashes. This is used to perform filename or
6898 directory name matching, and may be used with Referer. See "hdr" for more
6899 information on header matching. Use the shdr_dir() variant for response
6900 headers sent by the server.
6901
6902hdr_dom <string>
6903hdr_dom(header) <string>
6904 Returns true when one of the headers contains one of the strings either
6905 isolated or delimited by dots. This is used to perform domain name matching,
6906 and may be used with the Host header. See "hdr" for more information on
6907 header matching. Use the shdr_dom() variant for response headers sent by the
6908 server.
6909
6910hdr_end <string>
6911hdr_end(header) <string>
6912 Returns true when one of the headers ends with one of the strings. See "hdr"
6913 for more information on header matching. Use the shdr_end() variant for
6914 response headers sent by the server.
6915
6916hdr_ip <ip_address>
6917hdr_ip(header) <ip_address>
6918 Returns true when one of the headers' values contains an IP address matching
6919 <ip_address>. This is mainly used with headers such as X-Forwarded-For or
6920 X-Client-IP. See "hdr" for more information on header matching. Use the
6921 shdr_ip() variant for response headers sent by the server.
6922
6923hdr_reg <regex>
6924hdr_reg(header) <regex>
6925 Returns true when one of the headers matches of the regular expressions. It
6926 can be used at any time, but it is important to remember that regex matching
6927 is slower than other methods. See also other "hdr_" criteria, as well as
6928 "hdr" for more information on header matching. Use the shdr_reg() variant for
6929 response headers sent by the server.
6930
6931hdr_sub <string>
6932hdr_sub(header) <string>
6933 Returns true when one of the headers contains one of the strings. See "hdr"
6934 for more information on header matching. Use the shdr_sub() variant for
6935 response headers sent by the server.
6936
6937hdr_val <integer>
6938hdr_val(header) <integer>
6939 Returns true when one of the headers starts with a number which matches the
6940 values or ranges specified. This may be used to limit content-length to
6941 acceptable values for example. See "hdr" for more information on header
6942 matching. Use the shdr_val() variant for response headers sent by the server.
6943
6944http_auth(userlist)
6945http_auth_group(userlist) <group> [<group>]*
6946 Returns true when authentication data received from the client matches
6947 username & password stored on the userlist. It is also possible to
6948 use http_auth_group to check if the user is assigned to at least one
6949 of specified groups.
6950
6951 Currently only http basic auth is supported.
6952
Willy Tarreau6a06a402007-07-15 20:15:28 +02006953method <string>
6954 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
6955 already check for most common methods.
6956
Willy Tarreau6a06a402007-07-15 20:15:28 +02006957path <string>
6958 Returns true when the path part of the request, which starts at the first
6959 slash and ends before the question mark, equals one of the strings. It may be
6960 used to match known files, such as /favicon.ico.
6961
6962path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006963 Returns true when the path begins with one of the strings. This can be used
6964 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006965
Willy Tarreau6a06a402007-07-15 20:15:28 +02006966path_dir <string>
6967 Returns true when one of the strings is found isolated or delimited with
6968 slashes in the path. This is used to perform filename or directory name
6969 matching without the risk of wrong match due to colliding prefixes. See also
6970 "url_dir" and "path_sub".
6971
6972path_dom <string>
6973 Returns true when one of the strings is found isolated or delimited with dots
6974 in the path. This may be used to perform domain name matching in proxy
6975 requests. See also "path_sub" and "url_dom".
6976
Willy Tarreaud63335a2010-02-26 12:56:52 +01006977path_end <string>
6978 Returns true when the path ends with one of the strings. This may be used to
6979 control file name extension.
6980
Willy Tarreau6a06a402007-07-15 20:15:28 +02006981path_reg <regex>
6982 Returns true when the path matches one of the regular expressions. It can be
6983 used any time, but it is important to remember that regex matching is slower
6984 than other methods. See also "url_reg" and all "path_" criteria.
6985
Willy Tarreaud63335a2010-02-26 12:56:52 +01006986path_sub <string>
6987 Returns true when the path contains one of the strings. It can be used to
6988 detect particular patterns in paths, such as "../" for example. See also
6989 "path_dir".
6990
6991req_ver <string>
6992 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
6993 ACL already check for versions 1.0 and 1.1.
6994
6995status <integer>
6996 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
6997 used to act on responses depending on status ranges, for instance, remove
6998 any Location header if the response is not a 3xx.
6999
Willy Tarreau6a06a402007-07-15 20:15:28 +02007000url <string>
7001 Applies to the whole URL passed in the request. The only real use is to match
7002 "*", for which there already is a predefined ACL.
7003
7004url_beg <string>
7005 Returns true when the URL begins with one of the strings. This can be used to
7006 check whether a URL begins with a slash or with a protocol scheme.
7007
Willy Tarreau6a06a402007-07-15 20:15:28 +02007008url_dir <string>
7009 Returns true when one of the strings is found isolated or delimited with
7010 slashes in the URL. This is used to perform filename or directory name
7011 matching without the risk of wrong match due to colliding prefixes. See also
7012 "path_dir" and "url_sub".
7013
7014url_dom <string>
7015 Returns true when one of the strings is found isolated or delimited with dots
7016 in the URL. This is used to perform domain name matching without the risk of
7017 wrong match due to colliding prefixes. See also "url_sub".
7018
Willy Tarreaud63335a2010-02-26 12:56:52 +01007019url_end <string>
7020 Returns true when the URL ends with one of the strings. It has very limited
7021 use. "path_end" should be used instead for filename matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02007022
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007023url_ip <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01007024 Applies to the IP address specified in the absolute URI in an HTTP request.
7025 It can be used to prevent access to certain resources such as local network.
Willy Tarreau198a7442008-01-17 12:05:32 +01007026 It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007027
7028url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01007029 Applies to the port specified in the absolute URI in an HTTP request. It can
7030 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01007031 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01007032 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01007033
Willy Tarreaud63335a2010-02-26 12:56:52 +01007034url_reg <regex>
7035 Returns true when the URL matches one of the regular expressions. It can be
7036 used any time, but it is important to remember that regex matching is slower
7037 than other methods. See also "path_reg" and all "url_" criteria.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007038
Willy Tarreaud63335a2010-02-26 12:56:52 +01007039url_sub <string>
7040 Returns true when the URL contains one of the strings. It can be used to
7041 detect particular patterns in query strings for example. See also "path_sub".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007042
Willy Tarreau198a7442008-01-17 12:05:32 +01007043
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070447.6. Pre-defined ACLs
7045---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007046
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007047Some predefined ACLs are hard-coded so that they do not have to be declared in
7048every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +02007049order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +01007050
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007051ACL name Equivalent to Usage
7052---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007053FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +02007054HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007055HTTP_1.0 req_ver 1.0 match HTTP version 1.0
7056HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +01007057HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
7058HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
7059HTTP_URL_SLASH url_beg / match URL beginning with "/"
7060HTTP_URL_STAR url * match URL equal to "*"
7061LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007062METH_CONNECT method CONNECT match HTTP CONNECT method
7063METH_GET method GET HEAD match HTTP GET or HEAD method
7064METH_HEAD method HEAD match HTTP HEAD method
7065METH_OPTIONS method OPTIONS match HTTP OPTIONS method
7066METH_POST method POST match HTTP POST method
7067METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +02007068RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007069REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +01007070TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007071WAIT_END wait_end wait for end of content analysis
7072---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007073
Willy Tarreauced27012008-01-17 20:35:34 +01007074
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070757.7. Using ACLs to form conditions
7076----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01007077
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007078Some actions are only performed upon a valid condition. A condition is a
7079combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01007080
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007081 - AND (implicit)
7082 - OR (explicit with the "or" keyword or the "||" operator)
7083 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01007084
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007085A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01007086
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007087 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01007088
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007089Such conditions are generally used after an "if" or "unless" statement,
7090indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01007091
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007092For instance, to block HTTP requests to the "*" URL with methods other than
7093"OPTIONS", as well as POST requests without content-length, and GET or HEAD
7094requests with a content-length greater than 0, and finally every request which
7095is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01007096
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007097 acl missing_cl hdr_cnt(Content-length) eq 0
7098 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
7099 block if METH_GET HTTP_CONTENT
7100 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01007101
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007102To select a different backend for requests to static contents on the "www" site
7103and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01007104
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007105 acl url_static path_beg /static /images /img /css
7106 acl url_static path_end .gif .png .jpg .css .js
7107 acl host_www hdr_beg(host) -i www
7108 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01007109
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007110 # now use backend "static" for all static-only hosts, and for static urls
7111 # of host "www". Use backend "www" for the rest.
7112 use_backend static if host_static or host_www url_static
7113 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01007114
Willy Tarreau95fa4692010-02-01 13:05:50 +01007115It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
7116expressions that are built on the fly without needing to be declared. They must
7117be enclosed between braces, with a space before and after each brace (because
7118the braces must be seen as independant words). Example :
7119
7120 The following rule :
7121
7122 acl missing_cl hdr_cnt(Content-length) eq 0
7123 block if METH_POST missing_cl
7124
7125 Can also be written that way :
7126
7127 block if METH_POST { hdr_cnt(Content-length) eq 0 }
7128
7129It is generally not recommended to use this construct because it's a lot easier
7130to leave errors in the configuration when written that way. However, for very
7131simple rules matching only one source IP address for instance, it can make more
7132sense to use them than to declare ACLs with random names. Another example of
7133good use is the following :
7134
7135 With named ACLs :
7136
7137 acl site_dead nbsrv(dynamic) lt 2
7138 acl site_dead nbsrv(static) lt 2
7139 monitor fail if site_dead
7140
7141 With anonymous ACLs :
7142
7143 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
7144
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007145See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01007146
Willy Tarreau5764b382007-11-30 17:46:49 +01007147
Willy Tarreaub937b7e2010-01-12 15:27:54 +010071487.8. Pattern extraction
7149-----------------------
7150
7151The stickiness features relies on pattern extraction in the request and
7152response. Sometimes the data needs to be converted first before being stored,
7153for instance converted from ASCII to IP or upper case to lower case.
7154
7155All these operations of data extraction and conversion are defined as
7156"pattern extraction rules". A pattern rule always has the same format. It
7157begins with a single pattern fetch word, potentially followed by a list of
7158arguments within parenthesis then an optional list of transformations. As
7159much as possible, the pattern fetch functions use the same name as their
7160equivalent used in ACLs.
7161
7162The list of currently supported pattern fetch functions is the following :
7163
7164 src This is the source IPv4 address of the client of the session.
7165 It is of type IP and only works with such tables.
7166
7167 dst This is the destination IPv4 address of the session on the
7168 client side, which is the address the client connected to.
7169 It can be useful when running in transparent mode. It is of
7170 typie IP and only works with such tables.
7171
7172 dst_port This is the destination TCP port of the session on the client
7173 side, which is the port the client connected to. This might be
7174 used when running in transparent mode or when assigning dynamic
7175 ports to some clients for a whole application session. It is of
7176 type integer and only works with such tables.
7177
Willy Tarreau4a568972010-05-12 08:08:50 +02007178 hdr(name) This extracts the last occurrence of header <name> in an HTTP
7179 request and converts it to an IP address. This IP address is
7180 then used to match the table. A typical use is with the
7181 x-forwarded-for header.
7182
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007183
7184The currently available list of transformations include :
7185
7186 lower Convert a string pattern to lower case. This can only be placed
7187 after a string pattern fetch function or after a conversion
7188 function returning a string type. The result is of type string.
7189
7190 upper Convert a string pattern to upper case. This can only be placed
7191 after a string pattern fetch function or after a conversion
7192 function returning a string type. The result is of type string.
7193
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01007194 ipmask(mask) Apply a mask to an IPv4 address, and use the result for lookups
7195 and storage. This can be used to make all hosts within a
7196 certain mask to share the same table entries and as such use
7197 the same server. The mask can be passed in dotted form (eg:
7198 255.255.255.0) or in CIDR form (eg: 24).
7199
Willy Tarreaub937b7e2010-01-12 15:27:54 +01007200
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072018. Logging
7202----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01007203
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007204One of HAProxy's strong points certainly lies is its precise logs. It probably
7205provides the finest level of information available for such a product, which is
7206very important for troubleshooting complex environments. Standard information
7207provided in logs include client ports, TCP/HTTP state timers, precise session
7208state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007209to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007210headers.
7211
7212In order to improve administrators reactivity, it offers a great transparency
7213about encountered problems, both internal and external, and it is possible to
7214send logs to different sources at the same time with different level filters :
7215
7216 - global process-level logs (system errors, start/stop, etc..)
7217 - per-instance system and internal errors (lack of resource, bugs, ...)
7218 - per-instance external troubles (servers up/down, max connections)
7219 - per-instance activity (client connections), either at the establishment or
7220 at the termination.
7221
7222The ability to distribute different levels of logs to different log servers
7223allow several production teams to interact and to fix their problems as soon
7224as possible. For example, the system team might monitor system-wide errors,
7225while the application team might be monitoring the up/down for their servers in
7226real time, and the security team might analyze the activity logs with one hour
7227delay.
7228
7229
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072308.1. Log levels
7231---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007232
7233TCP and HTTP connections can be logged with informations such as date, time,
7234source IP address, destination address, connection duration, response times,
7235HTTP request, the HTTP return code, number of bytes transmitted, the conditions
7236in which the session ended, and even exchanged cookies values, to track a
7237particular user's problems for example. All messages are sent to up to two
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007238syslog servers. Check the "log" keyword in section 4.2 for more info about log
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007239facilities.
7240
7241
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072428.2. Log formats
7243----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007244
Emeric Brun3a058f32009-06-30 18:26:00 +02007245HAProxy supports 4 log formats. Several fields are common between these formats
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007246and will be detailed in the next sections. A few of them may slightly vary with
7247the configuration, due to indicators specific to certain options. The supported
7248formats are the following ones :
7249
7250 - the default format, which is very basic and very rarely used. It only
7251 provides very basic information about the incoming connection at the moment
7252 it is accepted : source IP:port, destination IP:port, and frontend-name.
7253 This mode will eventually disappear so it will not be described to great
7254 extents.
7255
7256 - the TCP format, which is more advanced. This format is enabled when "option
7257 tcplog" is set on the frontend. HAProxy will then usually wait for the
7258 connection to terminate before logging. This format provides much richer
7259 information, such as timers, connection counts, queue size, etc... This
7260 format is recommended for pure TCP proxies.
7261
7262 - the HTTP format, which is the most advanced for HTTP proxying. This format
7263 is enabled when "option httplog" is set on the frontend. It provides the
7264 same information as the TCP format with some HTTP-specific fields such as
7265 the request, the status code, and captures of headers and cookies. This
7266 format is recommended for HTTP proxies.
7267
Emeric Brun3a058f32009-06-30 18:26:00 +02007268 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
7269 fields arranged in the same order as the CLF format. In this mode, all
7270 timers, captures, flags, etc... appear one per field after the end of the
7271 common fields, in the same order they appear in the standard HTTP format.
7272
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007273Next sections will go deeper into details for each of these formats. Format
7274specification will be performed on a "field" basis. Unless stated otherwise, a
7275field is a portion of text delimited by any number of spaces. Since syslog
7276servers are susceptible of inserting fields at the beginning of a line, it is
7277always assumed that the first field is the one containing the process name and
7278identifier.
7279
7280Note : Since log lines may be quite long, the log examples in sections below
7281 might be broken into multiple lines. The example log lines will be
7282 prefixed with 3 closing angle brackets ('>>>') and each time a log is
7283 broken into multiple lines, each non-final line will end with a
7284 backslash ('\') and the next line will start indented by two characters.
7285
7286
Willy Tarreauc57f0e22009-05-10 13:12:33 +020072878.2.1. Default log format
7288-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007289
7290This format is used when no specific option is set. The log is emitted as soon
7291as the connection is accepted. One should note that this currently is the only
7292format which logs the request's destination IP and ports.
7293
7294 Example :
7295 listen www
7296 mode http
7297 log global
7298 server srv1 127.0.0.1:8000
7299
7300 >>> Feb 6 12:12:09 localhost \
7301 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
7302 (www/HTTP)
7303
7304 Field Format Extract from the example above
7305 1 process_name '[' pid ']:' haproxy[14385]:
7306 2 'Connect from' Connect from
7307 3 source_ip ':' source_port 10.0.1.2:33312
7308 4 'to' to
7309 5 destination_ip ':' destination_port 10.0.3.31:8012
7310 6 '(' frontend_name '/' mode ')' (www/HTTP)
7311
7312Detailed fields description :
7313 - "source_ip" is the IP address of the client which initiated the connection.
7314 - "source_port" is the TCP port of the client which initiated the connection.
7315 - "destination_ip" is the IP address the client connected to.
7316 - "destination_port" is the TCP port the client connected to.
7317 - "frontend_name" is the name of the frontend (or listener) which received
7318 and processed the connection.
7319 - "mode is the mode the frontend is operating (TCP or HTTP).
7320
7321It is advised not to use this deprecated format for newer installations as it
7322will eventually disappear.
7323
7324
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073258.2.2. TCP log format
7326---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007327
7328The TCP format is used when "option tcplog" is specified in the frontend, and
7329is the recommended format for pure TCP proxies. It provides a lot of precious
7330information for troubleshooting. Since this format includes timers and byte
7331counts, the log is normally emitted at the end of the session. It can be
7332emitted earlier if "option logasap" is specified, which makes sense in most
7333environments with long sessions such as remote terminals. Sessions which match
7334the "monitor" rules are never logged. It is also possible not to emit logs for
7335sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007336specifying "option dontlognull" in the frontend. Successful connections will
7337not be logged if "option dontlog-normal" is specified in the frontend. A few
7338fields may slightly vary depending on some configuration options, those are
7339marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007340
7341 Example :
7342 frontend fnt
7343 mode tcp
7344 option tcplog
7345 log global
7346 default_backend bck
7347
7348 backend bck
7349 server srv1 127.0.0.1:8000
7350
7351 >>> Feb 6 12:12:56 localhost \
7352 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
7353 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
7354
7355 Field Format Extract from the example above
7356 1 process_name '[' pid ']:' haproxy[14387]:
7357 2 client_ip ':' client_port 10.0.1.2:33313
7358 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
7359 4 frontend_name fnt
7360 5 backend_name '/' server_name bck/srv1
7361 6 Tw '/' Tc '/' Tt* 0/0/5007
7362 7 bytes_read* 212
7363 8 termination_state --
7364 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
7365 10 srv_queue '/' backend_queue 0/0
7366
7367Detailed fields description :
7368 - "client_ip" is the IP address of the client which initiated the TCP
7369 connection to haproxy.
7370
7371 - "client_port" is the TCP port of the client which initiated the connection.
7372
7373 - "accept_date" is the exact date when the connection was received by haproxy
7374 (which might be very slightly different from the date observed on the
7375 network if there was some queuing in the system's backlog). This is usually
7376 the same date which may appear in any upstream firewall's log.
7377
7378 - "frontend_name" is the name of the frontend (or listener) which received
7379 and processed the connection.
7380
7381 - "backend_name" is the name of the backend (or listener) which was selected
7382 to manage the connection to the server. This will be the same as the
7383 frontend if no switching rule has been applied, which is common for TCP
7384 applications.
7385
7386 - "server_name" is the name of the last server to which the connection was
7387 sent, which might differ from the first one if there were connection errors
7388 and a redispatch occurred. Note that this server belongs to the backend
7389 which processed the request. If the connection was aborted before reaching
7390 a server, "<NOSRV>" is indicated instead of a server name.
7391
7392 - "Tw" is the total time in milliseconds spent waiting in the various queues.
7393 It can be "-1" if the connection was aborted before reaching the queue.
7394 See "Timers" below for more details.
7395
7396 - "Tc" is the total time in milliseconds spent waiting for the connection to
7397 establish to the final server, including retries. It can be "-1" if the
7398 connection was aborted before a connection could be established. See
7399 "Timers" below for more details.
7400
7401 - "Tt" is the total time in milliseconds elapsed between the accept and the
7402 last close. It covers all possible processings. There is one exception, if
7403 "option logasap" was specified, then the time counting stops at the moment
7404 the log is emitted. In this case, a '+' sign is prepended before the value,
7405 indicating that the final one will be larger. See "Timers" below for more
7406 details.
7407
7408 - "bytes_read" is the total number of bytes transmitted from the server to
7409 the client when the log is emitted. If "option logasap" is specified, the
7410 this value will be prefixed with a '+' sign indicating that the final one
7411 may be larger. Please note that this value is a 64-bit counter, so log
7412 analysis tools must be able to handle it without overflowing.
7413
7414 - "termination_state" is the condition the session was in when the session
7415 ended. This indicates the session state, which side caused the end of
7416 session to happen, and for what reason (timeout, error, ...). The normal
7417 flags should be "--", indicating the session was closed by either end with
7418 no data remaining in buffers. See below "Session state at disconnection"
7419 for more details.
7420
7421 - "actconn" is the total number of concurrent connections on the process when
7422 the session was logged. It it useful to detect when some per-process system
7423 limits have been reached. For instance, if actconn is close to 512 when
7424 multiple connection errors occur, chances are high that the system limits
7425 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007426 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007427
7428 - "feconn" is the total number of concurrent connections on the frontend when
7429 the session was logged. It is useful to estimate the amount of resource
7430 required to sustain high loads, and to detect when the frontend's "maxconn"
7431 has been reached. Most often when this value increases by huge jumps, it is
7432 because there is congestion on the backend servers, but sometimes it can be
7433 caused by a denial of service attack.
7434
7435 - "beconn" is the total number of concurrent connections handled by the
7436 backend when the session was logged. It includes the total number of
7437 concurrent connections active on servers as well as the number of
7438 connections pending in queues. It is useful to estimate the amount of
7439 additional servers needed to support high loads for a given application.
7440 Most often when this value increases by huge jumps, it is because there is
7441 congestion on the backend servers, but sometimes it can be caused by a
7442 denial of service attack.
7443
7444 - "srv_conn" is the total number of concurrent connections still active on
7445 the server when the session was logged. It can never exceed the server's
7446 configured "maxconn" parameter. If this value is very often close or equal
7447 to the server's "maxconn", it means that traffic regulation is involved a
7448 lot, meaning that either the server's maxconn value is too low, or that
7449 there aren't enough servers to process the load with an optimal response
7450 time. When only one of the server's "srv_conn" is high, it usually means
7451 that this server has some trouble causing the connections to take longer to
7452 be processed than on other servers.
7453
7454 - "retries" is the number of connection retries experienced by this session
7455 when trying to connect to the server. It must normally be zero, unless a
7456 server is being stopped at the same moment the connection was attempted.
7457 Frequent retries generally indicate either a network problem between
7458 haproxy and the server, or a misconfigured system backlog on the server
7459 preventing new connections from being queued. This field may optionally be
7460 prefixed with a '+' sign, indicating that the session has experienced a
7461 redispatch after the maximal retry count has been reached on the initial
7462 server. In this case, the server name appearing in the log is the one the
7463 connection was redispatched to, and not the first one, though both may
7464 sometimes be the same in case of hashing for instance. So as a general rule
7465 of thumb, when a '+' is present in front of the retry count, this count
7466 should not be attributed to the logged server.
7467
7468 - "srv_queue" is the total number of requests which were processed before
7469 this one in the server queue. It is zero when the request has not gone
7470 through the server queue. It makes it possible to estimate the approximate
7471 server's response time by dividing the time spent in queue by the number of
7472 requests in the queue. It is worth noting that if a session experiences a
7473 redispatch and passes through two server queues, their positions will be
7474 cumulated. A request should not pass through both the server queue and the
7475 backend queue unless a redispatch occurs.
7476
7477 - "backend_queue" is the total number of requests which were processed before
7478 this one in the backend's global queue. It is zero when the request has not
7479 gone through the global queue. It makes it possible to estimate the average
7480 queue length, which easily translates into a number of missing servers when
7481 divided by a server's "maxconn" parameter. It is worth noting that if a
7482 session experiences a redispatch, it may pass twice in the backend's queue,
7483 and then both positions will be cumulated. A request should not pass
7484 through both the server queue and the backend queue unless a redispatch
7485 occurs.
7486
7487
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074888.2.3. HTTP log format
7489----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007490
7491The HTTP format is the most complete and the best suited for HTTP proxies. It
7492is enabled by when "option httplog" is specified in the frontend. It provides
7493the same level of information as the TCP format with additional features which
7494are specific to the HTTP protocol. Just like the TCP format, the log is usually
7495emitted at the end of the session, unless "option logasap" is specified, which
7496generally only makes sense for download sites. A session which matches the
7497"monitor" rules will never logged. It is also possible not to log sessions for
7498which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007499frontend. Successful connections will not be logged if "option dontlog-normal"
7500is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007501
7502Most fields are shared with the TCP log, some being different. A few fields may
7503slightly vary depending on some configuration options. Those ones are marked
7504with a star ('*') after the field name below.
7505
7506 Example :
7507 frontend http-in
7508 mode http
7509 option httplog
7510 log global
7511 default_backend bck
7512
7513 backend static
7514 server srv1 127.0.0.1:8000
7515
7516 >>> Feb 6 12:14:14 localhost \
7517 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
7518 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007519 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007520
7521 Field Format Extract from the example above
7522 1 process_name '[' pid ']:' haproxy[14389]:
7523 2 client_ip ':' client_port 10.0.1.2:33317
7524 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
7525 4 frontend_name http-in
7526 5 backend_name '/' server_name static/srv1
7527 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
7528 7 status_code 200
7529 8 bytes_read* 2750
7530 9 captured_request_cookie -
7531 10 captured_response_cookie -
7532 11 termination_state ----
7533 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
7534 13 srv_queue '/' backend_queue 0/0
7535 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
7536 15 '{' captured_response_headers* '}' {}
7537 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01007538
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007539
7540Detailed fields description :
7541 - "client_ip" is the IP address of the client which initiated the TCP
7542 connection to haproxy.
7543
7544 - "client_port" is the TCP port of the client which initiated the connection.
7545
7546 - "accept_date" is the exact date when the TCP connection was received by
7547 haproxy (which might be very slightly different from the date observed on
7548 the network if there was some queuing in the system's backlog). This is
7549 usually the same date which may appear in any upstream firewall's log. This
7550 does not depend on the fact that the client has sent the request or not.
7551
7552 - "frontend_name" is the name of the frontend (or listener) which received
7553 and processed the connection.
7554
7555 - "backend_name" is the name of the backend (or listener) which was selected
7556 to manage the connection to the server. This will be the same as the
7557 frontend if no switching rule has been applied.
7558
7559 - "server_name" is the name of the last server to which the connection was
7560 sent, which might differ from the first one if there were connection errors
7561 and a redispatch occurred. Note that this server belongs to the backend
7562 which processed the request. If the request was aborted before reaching a
7563 server, "<NOSRV>" is indicated instead of a server name. If the request was
7564 intercepted by the stats subsystem, "<STATS>" is indicated instead.
7565
7566 - "Tq" is the total time in milliseconds spent waiting for the client to send
7567 a full HTTP request, not counting data. It can be "-1" if the connection
7568 was aborted before a complete request could be received. It should always
7569 be very small because a request generally fits in one single packet. Large
7570 times here generally indicate network trouble between the client and
7571 haproxy. See "Timers" below for more details.
7572
7573 - "Tw" is the total time in milliseconds spent waiting in the various queues.
7574 It can be "-1" if the connection was aborted before reaching the queue.
7575 See "Timers" below for more details.
7576
7577 - "Tc" is the total time in milliseconds spent waiting for the connection to
7578 establish to the final server, including retries. It can be "-1" if the
7579 request was aborted before a connection could be established. See "Timers"
7580 below for more details.
7581
7582 - "Tr" is the total time in milliseconds spent waiting for the server to send
7583 a full HTTP response, not counting data. It can be "-1" if the request was
7584 aborted before a complete response could be received. It generally matches
7585 the server's processing time for the request, though it may be altered by
7586 the amount of data sent by the client to the server. Large times here on
7587 "GET" requests generally indicate an overloaded server. See "Timers" below
7588 for more details.
7589
7590 - "Tt" is the total time in milliseconds elapsed between the accept and the
7591 last close. It covers all possible processings. There is one exception, if
7592 "option logasap" was specified, then the time counting stops at the moment
7593 the log is emitted. In this case, a '+' sign is prepended before the value,
7594 indicating that the final one will be larger. See "Timers" below for more
7595 details.
7596
7597 - "status_code" is the HTTP status code returned to the client. This status
7598 is generally set by the server, but it might also be set by haproxy when
7599 the server cannot be reached or when its response is blocked by haproxy.
7600
7601 - "bytes_read" is the total number of bytes transmitted to the client when
7602 the log is emitted. This does include HTTP headers. If "option logasap" is
7603 specified, the this value will be prefixed with a '+' sign indicating that
7604 the final one may be larger. Please note that this value is a 64-bit
7605 counter, so log analysis tools must be able to handle it without
7606 overflowing.
7607
7608 - "captured_request_cookie" is an optional "name=value" entry indicating that
7609 the client had this cookie in the request. The cookie name and its maximum
7610 length are defined by the "capture cookie" statement in the frontend
7611 configuration. The field is a single dash ('-') when the option is not
7612 set. Only one cookie may be captured, it is generally used to track session
7613 ID exchanges between a client and a server to detect session crossing
7614 between clients due to application bugs. For more details, please consult
7615 the section "Capturing HTTP headers and cookies" below.
7616
7617 - "captured_response_cookie" is an optional "name=value" entry indicating
7618 that the server has returned a cookie with its response. The cookie name
7619 and its maximum length are defined by the "capture cookie" statement in the
7620 frontend configuration. The field is a single dash ('-') when the option is
7621 not set. Only one cookie may be captured, it is generally used to track
7622 session ID exchanges between a client and a server to detect session
7623 crossing between clients due to application bugs. For more details, please
7624 consult the section "Capturing HTTP headers and cookies" below.
7625
7626 - "termination_state" is the condition the session was in when the session
7627 ended. This indicates the session state, which side caused the end of
7628 session to happen, for what reason (timeout, error, ...), just like in TCP
7629 logs, and information about persistence operations on cookies in the last
7630 two characters. The normal flags should begin with "--", indicating the
7631 session was closed by either end with no data remaining in buffers. See
7632 below "Session state at disconnection" for more details.
7633
7634 - "actconn" is the total number of concurrent connections on the process when
7635 the session was logged. It it useful to detect when some per-process system
7636 limits have been reached. For instance, if actconn is close to 512 or 1024
7637 when multiple connection errors occur, chances are high that the system
7638 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007639 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007640 system.
7641
7642 - "feconn" is the total number of concurrent connections on the frontend when
7643 the session was logged. It is useful to estimate the amount of resource
7644 required to sustain high loads, and to detect when the frontend's "maxconn"
7645 has been reached. Most often when this value increases by huge jumps, it is
7646 because there is congestion on the backend servers, but sometimes it can be
7647 caused by a denial of service attack.
7648
7649 - "beconn" is the total number of concurrent connections handled by the
7650 backend when the session was logged. It includes the total number of
7651 concurrent connections active on servers as well as the number of
7652 connections pending in queues. It is useful to estimate the amount of
7653 additional servers needed to support high loads for a given application.
7654 Most often when this value increases by huge jumps, it is because there is
7655 congestion on the backend servers, but sometimes it can be caused by a
7656 denial of service attack.
7657
7658 - "srv_conn" is the total number of concurrent connections still active on
7659 the server when the session was logged. It can never exceed the server's
7660 configured "maxconn" parameter. If this value is very often close or equal
7661 to the server's "maxconn", it means that traffic regulation is involved a
7662 lot, meaning that either the server's maxconn value is too low, or that
7663 there aren't enough servers to process the load with an optimal response
7664 time. When only one of the server's "srv_conn" is high, it usually means
7665 that this server has some trouble causing the requests to take longer to be
7666 processed than on other servers.
7667
7668 - "retries" is the number of connection retries experienced by this session
7669 when trying to connect to the server. It must normally be zero, unless a
7670 server is being stopped at the same moment the connection was attempted.
7671 Frequent retries generally indicate either a network problem between
7672 haproxy and the server, or a misconfigured system backlog on the server
7673 preventing new connections from being queued. This field may optionally be
7674 prefixed with a '+' sign, indicating that the session has experienced a
7675 redispatch after the maximal retry count has been reached on the initial
7676 server. In this case, the server name appearing in the log is the one the
7677 connection was redispatched to, and not the first one, though both may
7678 sometimes be the same in case of hashing for instance. So as a general rule
7679 of thumb, when a '+' is present in front of the retry count, this count
7680 should not be attributed to the logged server.
7681
7682 - "srv_queue" is the total number of requests which were processed before
7683 this one in the server queue. It is zero when the request has not gone
7684 through the server queue. It makes it possible to estimate the approximate
7685 server's response time by dividing the time spent in queue by the number of
7686 requests in the queue. It is worth noting that if a session experiences a
7687 redispatch and passes through two server queues, their positions will be
7688 cumulated. A request should not pass through both the server queue and the
7689 backend queue unless a redispatch occurs.
7690
7691 - "backend_queue" is the total number of requests which were processed before
7692 this one in the backend's global queue. It is zero when the request has not
7693 gone through the global queue. It makes it possible to estimate the average
7694 queue length, which easily translates into a number of missing servers when
7695 divided by a server's "maxconn" parameter. It is worth noting that if a
7696 session experiences a redispatch, it may pass twice in the backend's queue,
7697 and then both positions will be cumulated. A request should not pass
7698 through both the server queue and the backend queue unless a redispatch
7699 occurs.
7700
7701 - "captured_request_headers" is a list of headers captured in the request due
7702 to the presence of the "capture request header" statement in the frontend.
7703 Multiple headers can be captured, they will be delimited by a vertical bar
7704 ('|'). When no capture is enabled, the braces do not appear, causing a
7705 shift of remaining fields. It is important to note that this field may
7706 contain spaces, and that using it requires a smarter log parser than when
7707 it's not used. Please consult the section "Capturing HTTP headers and
7708 cookies" below for more details.
7709
7710 - "captured_response_headers" is a list of headers captured in the response
7711 due to the presence of the "capture response header" statement in the
7712 frontend. Multiple headers can be captured, they will be delimited by a
7713 vertical bar ('|'). When no capture is enabled, the braces do not appear,
7714 causing a shift of remaining fields. It is important to note that this
7715 field may contain spaces, and that using it requires a smarter log parser
7716 than when it's not used. Please consult the section "Capturing HTTP headers
7717 and cookies" below for more details.
7718
7719 - "http_request" is the complete HTTP request line, including the method,
7720 request and HTTP version string. Non-printable characters are encoded (see
7721 below the section "Non-printable characters"). This is always the last
7722 field, and it is always delimited by quotes and is the only one which can
7723 contain quotes. If new fields are added to the log format, they will be
7724 added before this field. This field might be truncated if the request is
7725 huge and does not fit in the standard syslog buffer (1024 characters). This
7726 is the reason why this field must always remain the last one.
7727
7728
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077298.3. Advanced logging options
7730-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007731
7732Some advanced logging options are often looked for but are not easy to find out
7733just by looking at the various options. Here is an entry point for the few
7734options which can enable better logging. Please refer to the keywords reference
7735for more information about their usage.
7736
7737
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077388.3.1. Disabling logging of external tests
7739------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007740
7741It is quite common to have some monitoring tools perform health checks on
7742haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
7743commercial load-balancer, and sometimes it will simply be a more complete
7744monitoring system such as Nagios. When the tests are very frequent, users often
7745ask how to disable logging for those checks. There are three possibilities :
7746
7747 - if connections come from everywhere and are just TCP probes, it is often
7748 desired to simply disable logging of connections without data exchange, by
7749 setting "option dontlognull" in the frontend. It also disables logging of
7750 port scans, which may or may not be desired.
7751
7752 - if the connection come from a known source network, use "monitor-net" to
7753 declare this network as monitoring only. Any host in this network will then
7754 only be able to perform health checks, and their requests will not be
7755 logged. This is generally appropriate to designate a list of equipments
7756 such as other load-balancers.
7757
7758 - if the tests are performed on a known URI, use "monitor-uri" to declare
7759 this URI as dedicated to monitoring. Any host sending this request will
7760 only get the result of a health-check, and the request will not be logged.
7761
7762
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077638.3.2. Logging before waiting for the session to terminate
7764----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007765
7766The problem with logging at end of connection is that you have no clue about
7767what is happening during very long sessions, such as remote terminal sessions
7768or large file downloads. This problem can be worked around by specifying
7769"option logasap" in the frontend. Haproxy will then log as soon as possible,
7770just before data transfer begins. This means that in case of TCP, it will still
7771log the connection status to the server, and in case of HTTP, it will log just
7772after processing the server headers. In this case, the number of bytes reported
7773is the number of header bytes sent to the client. In order to avoid confusion
7774with normal logs, the total time field and the number of bytes are prefixed
7775with a '+' sign which means that real numbers are certainly larger.
7776
7777
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077788.3.3. Raising log level upon errors
7779------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007780
7781Sometimes it is more convenient to separate normal traffic from errors logs,
7782for instance in order to ease error monitoring from log files. When the option
7783"log-separate-errors" is used, connections which experience errors, timeouts,
7784retries, redispatches or HTTP status codes 5xx will see their syslog level
7785raised from "info" to "err". This will help a syslog daemon store the log in
7786a separate file. It is very important to keep the errors in the normal traffic
7787file too, so that log ordering is not altered. You should also be careful if
7788you already have configured your syslog daemon to store all logs higher than
7789"notice" in an "admin" file, because the "err" level is higher than "notice".
7790
7791
Willy Tarreauc57f0e22009-05-10 13:12:33 +020077928.3.4. Disabling logging of successful connections
7793--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02007794
7795Although this may sound strange at first, some large sites have to deal with
7796multiple thousands of logs per second and are experiencing difficulties keeping
7797them intact for a long time or detecting errors within them. If the option
7798"dontlog-normal" is set on the frontend, all normal connections will not be
7799logged. In this regard, a normal connection is defined as one without any
7800error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
7801and a response with a status 5xx is not considered normal and will be logged
7802too. Of course, doing is is really discouraged as it will remove most of the
7803useful information from the logs. Do this only if you have no other
7804alternative.
7805
7806
Willy Tarreauc57f0e22009-05-10 13:12:33 +020078078.4. Timing events
7808------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007809
7810Timers provide a great help in troubleshooting network problems. All values are
7811reported in milliseconds (ms). These timers should be used in conjunction with
7812the session termination flags. In TCP mode with "option tcplog" set on the
7813frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
7814mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
7815
7816 - Tq: total time to get the client request (HTTP mode only). It's the time
7817 elapsed between the moment the client connection was accepted and the
7818 moment the proxy received the last HTTP header. The value "-1" indicates
7819 that the end of headers (empty line) has never been seen. This happens when
7820 the client closes prematurely or times out.
7821
7822 - Tw: total time spent in the queues waiting for a connection slot. It
7823 accounts for backend queue as well as the server queues, and depends on the
7824 queue size, and the time needed for the server to complete previous
7825 requests. The value "-1" means that the request was killed before reaching
7826 the queue, which is generally what happens with invalid or denied requests.
7827
7828 - Tc: total time to establish the TCP connection to the server. It's the time
7829 elapsed between the moment the proxy sent the connection request, and the
7830 moment it was acknowledged by the server, or between the TCP SYN packet and
7831 the matching SYN/ACK packet in return. The value "-1" means that the
7832 connection never established.
7833
7834 - Tr: server response time (HTTP mode only). It's the time elapsed between
7835 the moment the TCP connection was established to the server and the moment
7836 the server sent its complete response headers. It purely shows its request
7837 processing time, without the network overhead due to the data transmission.
7838 It is worth noting that when the client has data to send to the server, for
7839 instance during a POST request, the time already runs, and this can distort
7840 apparent response time. For this reason, it's generally wise not to trust
7841 too much this field for POST requests initiated from clients behind an
7842 untrusted network. A value of "-1" here means that the last the response
7843 header (empty line) was never seen, most likely because the server timeout
7844 stroke before the server managed to process the request.
7845
7846 - Tt: total session duration time, between the moment the proxy accepted it
7847 and the moment both ends were closed. The exception is when the "logasap"
7848 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
7849 prefixed with a '+' sign. From this field, we can deduce "Td", the data
7850 transmission time, by substracting other timers when valid :
7851
7852 Td = Tt - (Tq + Tw + Tc + Tr)
7853
7854 Timers with "-1" values have to be excluded from this equation. In TCP
7855 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
7856 negative.
7857
7858These timers provide precious indications on trouble causes. Since the TCP
7859protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
7860that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007861due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007862close to a timeout value specified in the configuration, it often means that a
7863session has been aborted on timeout.
7864
7865Most common cases :
7866
7867 - If "Tq" is close to 3000, a packet has probably been lost between the
7868 client and the proxy. This is very rare on local networks but might happen
7869 when clients are on far remote networks and send large requests. It may
7870 happen that values larger than usual appear here without any network cause.
7871 Sometimes, during an attack or just after a resource starvation has ended,
7872 haproxy may accept thousands of connections in a few milliseconds. The time
7873 spent accepting these connections will inevitably slightly delay processing
7874 of other connections, and it can happen that request times in the order of
7875 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +02007876 connections have been accepted at once. Setting "option http-server-close"
7877 may display larger request times since "Tq" also measures the time spent
7878 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007879
7880 - If "Tc" is close to 3000, a packet has probably been lost between the
7881 server and the proxy during the server connection phase. This value should
7882 always be very low, such as 1 ms on local networks and less than a few tens
7883 of ms on remote networks.
7884
Willy Tarreau55165fe2009-05-10 12:02:55 +02007885 - If "Tr" is nearly always lower than 3000 except some rare values which seem
7886 to be the average majored by 3000, there are probably some packets lost
7887 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007888
7889 - If "Tt" is large even for small byte counts, it generally is because
7890 neither the client nor the server decides to close the connection, for
7891 instance because both have agreed on a keep-alive connection mode. In order
7892 to solve this issue, it will be needed to specify "option httpclose" on
7893 either the frontend or the backend. If the problem persists, it means that
7894 the server ignores the "close" connection mode and expects the client to
7895 close. Then it will be required to use "option forceclose". Having the
7896 smallest possible 'Tt' is important when connection regulation is used with
7897 the "maxconn" option on the servers, since no new connection will be sent
7898 to the server until another one is released.
7899
7900Other noticeable HTTP log cases ('xx' means any value to be ignored) :
7901
7902 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
7903 was emitted before the data phase. All the timers are valid
7904 except "Tt" which is shorter than reality.
7905
7906 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
7907 or it aborted too early. Check the session termination flags
7908 then "timeout http-request" and "timeout client" settings.
7909
7910 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
7911 servers were out of order, because the request was invalid
7912 or forbidden by ACL rules. Check the session termination
7913 flags.
7914
7915 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
7916 actively refused it or it timed out after Tt-(Tq+Tw) ms.
7917 Check the session termination flags, then check the
7918 "timeout connect" setting. Note that the tarpit action might
7919 return similar-looking patterns, with "Tw" equal to the time
7920 the client connection was maintained open.
7921
7922 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
7923 a complete response in time, or it closed its connexion
7924 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
7925 termination flags, then check the "timeout server" setting.
7926
7927
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079288.5. Session state at disconnection
7929-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007930
7931TCP and HTTP logs provide a session termination indicator in the
7932"termination_state" field, just before the number of active connections. It is
79332-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
7934each of which has a special meaning :
7935
7936 - On the first character, a code reporting the first event which caused the
7937 session to terminate :
7938
7939 C : the TCP session was unexpectedly aborted by the client.
7940
7941 S : the TCP session was unexpectedly aborted by the server, or the
7942 server explicitly refused it.
7943
7944 P : the session was prematurely aborted by the proxy, because of a
7945 connection limit enforcement, because a DENY filter was matched,
7946 because of a security check which detected and blocked a dangerous
7947 error in server response which might have caused information leak
7948 (eg: cacheable cookie), or because the response was processed by
7949 the proxy (redirect, stats, etc...).
7950
7951 R : a resource on the proxy has been exhausted (memory, sockets, source
7952 ports, ...). Usually, this appears during the connection phase, and
7953 system logs should contain a copy of the precise error. If this
7954 happens, it must be considered as a very serious anomaly which
7955 should be fixed as soon as possible by any means.
7956
7957 I : an internal error was identified by the proxy during a self-check.
7958 This should NEVER happen, and you are encouraged to report any log
7959 containing this, because this would almost certainly be a bug. It
7960 would be wise to preventively restart the process after such an
7961 event too, in case it would be caused by memory corruption.
7962
7963 c : the client-side timeout expired while waiting for the client to
7964 send or receive data.
7965
7966 s : the server-side timeout expired while waiting for the server to
7967 send or receive data.
7968
7969 - : normal session completion, both the client and the server closed
7970 with nothing left in the buffers.
7971
7972 - on the second character, the TCP or HTTP session state when it was closed :
7973
7974 R : th proxy was waiting for a complete, valid REQUEST from the client
7975 (HTTP mode only). Nothing was sent to any server.
7976
7977 Q : the proxy was waiting in the QUEUE for a connection slot. This can
7978 only happen when servers have a 'maxconn' parameter set. It can
7979 also happen in the global queue after a redispatch consecutive to
7980 a failed attempt to connect to a dying server. If no redispatch is
7981 reported, then no connection attempt was made to any server.
7982
7983 C : the proxy was waiting for the CONNECTION to establish on the
7984 server. The server might at most have noticed a connection attempt.
7985
7986 H : the proxy was waiting for complete, valid response HEADERS from the
7987 server (HTTP only).
7988
7989 D : the session was in the DATA phase.
7990
7991 L : the proxy was still transmitting LAST data to the client while the
7992 server had already finished. This one is very rare as it can only
7993 happen when the client dies while receiving the last packets.
7994
7995 T : the request was tarpitted. It has been held open with the client
7996 during the whole "timeout tarpit" duration or until the client
7997 closed, both of which will be reported in the "Tw" timer.
7998
7999 - : normal session completion after end of data transfer.
8000
8001 - the third character tells whether the persistence cookie was provided by
8002 the client (only in HTTP mode) :
8003
8004 N : the client provided NO cookie. This is usually the case for new
8005 visitors, so counting the number of occurrences of this flag in the
8006 logs generally indicate a valid trend for the site frequentation.
8007
8008 I : the client provided an INVALID cookie matching no known server.
8009 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02008010 cookies between HTTP/HTTPS sites, persistence conditionally
8011 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008012
8013 D : the client provided a cookie designating a server which was DOWN,
8014 so either "option persist" was used and the client was sent to
8015 this server, or it was not set and the client was redispatched to
8016 another server.
8017
8018 V : the client provided a valid cookie, and was sent to the associated
8019 server.
8020
8021 - : does not apply (no cookie set in configuration).
8022
8023 - the last character reports what operations were performed on the persistence
8024 cookie returned by the server (only in HTTP mode) :
8025
8026 N : NO cookie was provided by the server, and none was inserted either.
8027
8028 I : no cookie was provided by the server, and the proxy INSERTED one.
8029 Note that in "cookie insert" mode, if the server provides a cookie,
8030 it will still be overwritten and reported as "I" here.
8031
8032 P : a cookie was PROVIDED by the server and transmitted as-is.
8033
8034 R : the cookie provided by the server was REWRITTEN by the proxy, which
8035 happens in "cookie rewrite" or "cookie prefix" modes.
8036
8037 D : the cookie provided by the server was DELETED by the proxy.
8038
8039 - : does not apply (no cookie set in configuration).
8040
8041The combination of the two first flags give a lot of information about what was
8042happening when the session terminated, and why it did terminate. It can be
8043helpful to detect server saturation, network troubles, local system resource
8044starvation, attacks, etc...
8045
8046The most common termination flags combinations are indicated below. They are
8047alphabetically sorted, with the lowercase set just after the upper case for
8048easier finding and understanding.
8049
8050 Flags Reason
8051
8052 -- Normal termination.
8053
8054 CC The client aborted before the connection could be established to the
8055 server. This can happen when haproxy tries to connect to a recently
8056 dead (or unchecked) server, and the client aborts while haproxy is
8057 waiting for the server to respond or for "timeout connect" to expire.
8058
8059 CD The client unexpectedly aborted during data transfer. This can be
8060 caused by a browser crash, by an intermediate equipment between the
8061 client and haproxy which decided to actively break the connection,
8062 by network routing issues between the client and haproxy, or by a
8063 keep-alive session between the server and the client terminated first
8064 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008065
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008066 cD The client did not send nor acknowledge any data for as long as the
8067 "timeout client" delay. This is often caused by network failures on
8068 the client side, or the client simply leaving the net uncleanly.
8069
8070 CH The client aborted while waiting for the server to start responding.
8071 It might be the server taking too long to respond or the client
8072 clicking the 'Stop' button too fast.
8073
8074 cH The "timeout client" stroke while waiting for client data during a
8075 POST request. This is sometimes caused by too large TCP MSS values
8076 for PPPoE networks which cannot transport full-sized packets. It can
8077 also happen when client timeout is smaller than server timeout and
8078 the server takes too long to respond.
8079
8080 CQ The client aborted while its session was queued, waiting for a server
8081 with enough empty slots to accept it. It might be that either all the
8082 servers were saturated or that the assigned server was taking too
8083 long a time to respond.
8084
8085 CR The client aborted before sending a full HTTP request. Most likely
8086 the request was typed by hand using a telnet client, and aborted
8087 too early. The HTTP status code is likely a 400 here. Sometimes this
8088 might also be caused by an IDS killing the connection between haproxy
8089 and the client.
8090
8091 cR The "timeout http-request" stroke before the client sent a full HTTP
8092 request. This is sometimes caused by too large TCP MSS values on the
8093 client side for PPPoE networks which cannot transport full-sized
8094 packets, or by clients sending requests by hand and not typing fast
8095 enough, or forgetting to enter the empty line at the end of the
8096 request. The HTTP status code is likely a 408 here.
8097
8098 CT The client aborted while its session was tarpitted. It is important to
8099 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02008100 wrong tarpit rules have been written. If a lot of them happen, it
8101 might make sense to lower the "timeout tarpit" value to something
8102 closer to the average reported "Tw" timer, in order not to consume
8103 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008104
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008105 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008106 the TCP connection (the proxy received a TCP RST or an ICMP message
8107 in return). Under some circumstances, it can also be the network
8108 stack telling the proxy that the server is unreachable (eg: no route,
8109 or no ARP response on local network). When this happens in HTTP mode,
8110 the status code is likely a 502 or 503 here.
8111
8112 sC The "timeout connect" stroke before a connection to the server could
8113 complete. When this happens in HTTP mode, the status code is likely a
8114 503 or 504 here.
8115
8116 SD The connection to the server died with an error during the data
8117 transfer. This usually means that haproxy has received an RST from
8118 the server or an ICMP message from an intermediate equipment while
8119 exchanging data with the server. This can be caused by a server crash
8120 or by a network issue on an intermediate equipment.
8121
8122 sD The server did not send nor acknowledge any data for as long as the
8123 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008124 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008125 load-balancers, ...), as well as keep-alive sessions maintained
8126 between the client and the server expiring first on haproxy.
8127
8128 SH The server aborted before sending its full HTTP response headers, or
8129 it crashed while processing the request. Since a server aborting at
8130 this moment is very rare, it would be wise to inspect its logs to
8131 control whether it crashed and why. The logged request may indicate a
8132 small set of faulty requests, demonstrating bugs in the application.
8133 Sometimes this might also be caused by an IDS killing the connection
8134 between haproxy and the server.
8135
8136 sH The "timeout server" stroke before the server could return its
8137 response headers. This is the most common anomaly, indicating too
8138 long transactions, probably caused by server or database saturation.
8139 The immediate workaround consists in increasing the "timeout server"
8140 setting, but it is important to keep in mind that the user experience
8141 will suffer from these long response times. The only long term
8142 solution is to fix the application.
8143
8144 sQ The session spent too much time in queue and has been expired. See
8145 the "timeout queue" and "timeout connect" settings to find out how to
8146 fix this if it happens too often. If it often happens massively in
8147 short periods, it may indicate general problems on the affected
8148 servers due to I/O or database congestion, or saturation caused by
8149 external attacks.
8150
8151 PC The proxy refused to establish a connection to the server because the
8152 process' socket limit has been reached while attempting to connect.
8153 The global "maxconn" parameter may be increased in the configuration
8154 so that it does not happen anymore. This status is very rare and
8155 might happen when the global "ulimit-n" parameter is forced by hand.
8156
8157 PH The proxy blocked the server's response, because it was invalid,
8158 incomplete, dangerous (cache control), or matched a security filter.
8159 In any case, an HTTP 502 error is sent to the client. One possible
8160 cause for this error is an invalid syntax in an HTTP header name
8161 containing unauthorized characters.
8162
8163 PR The proxy blocked the client's HTTP request, either because of an
8164 invalid HTTP syntax, in which case it returned an HTTP 400 error to
8165 the client, or because a deny filter matched, in which case it
8166 returned an HTTP 403 error.
8167
8168 PT The proxy blocked the client's request and has tarpitted its
8169 connection before returning it a 500 server error. Nothing was sent
8170 to the server. The connection was maintained open for as long as
8171 reported by the "Tw" timer field.
8172
8173 RC A local resource has been exhausted (memory, sockets, source ports)
8174 preventing the connection to the server from establishing. The error
8175 logs will tell precisely what was missing. This is very rare and can
8176 only be solved by proper system tuning.
8177
8178
Willy Tarreauc57f0e22009-05-10 13:12:33 +020081798.6. Non-printable characters
8180-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008181
8182In order not to cause trouble to log analysis tools or terminals during log
8183consulting, non-printable characters are not sent as-is into log files, but are
8184converted to the two-digits hexadecimal representation of their ASCII code,
8185prefixed by the character '#'. The only characters that can be logged without
8186being escaped are comprised between 32 and 126 (inclusive). Obviously, the
8187escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
8188is the same for the character '"' which becomes "#22", as well as '{', '|' and
8189'}' when logging headers.
8190
8191Note that the space character (' ') is not encoded in headers, which can cause
8192issues for tools relying on space count to locate fields. A typical header
8193containing spaces is "User-Agent".
8194
8195Last, it has been observed that some syslog daemons such as syslog-ng escape
8196the quote ('"') with a backslash ('\'). The reverse operation can safely be
8197performed since no quote may appear anywhere else in the logs.
8198
8199
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082008.7. Capturing HTTP cookies
8201---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008202
8203Cookie capture simplifies the tracking a complete user session. This can be
8204achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008205section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008206cookie will simultaneously be checked in the request ("Cookie:" header) and in
8207the response ("Set-Cookie:" header). The respective values will be reported in
8208the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008209locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008210not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
8211user switches to a new session for example, because the server will reassign it
8212a new cookie. It is also possible to detect if a server unexpectedly sets a
8213wrong cookie to a client, leading to session crossing.
8214
8215 Examples :
8216 # capture the first cookie whose name starts with "ASPSESSION"
8217 capture cookie ASPSESSION len 32
8218
8219 # capture the first cookie whose name is exactly "vgnvisitor"
8220 capture cookie vgnvisitor= len 32
8221
8222
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082238.8. Capturing HTTP headers
8224---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008225
8226Header captures are useful to track unique request identifiers set by an upper
8227proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
8228the response, one can search for information about the response length, how the
8229server asked the cache to behave, or an object location during a redirection.
8230
8231Header captures are performed using the "capture request header" and "capture
8232response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008233section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008234
8235It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008236time. Non-existent headers are logged as empty strings, and if one header
8237appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008238are grouped within braces '{' and '}' in the same order as they were declared,
8239and delimited with a vertical bar '|' without any space. Response headers
8240follow the same representation, but are displayed after a space following the
8241request headers block. These blocks are displayed just before the HTTP request
8242in the logs.
8243
8244 Example :
8245 # This instance chains to the outgoing proxy
8246 listen proxy-out
8247 mode http
8248 option httplog
8249 option logasap
8250 log global
8251 server cache1 192.168.1.1:3128
8252
8253 # log the name of the virtual server
8254 capture request header Host len 20
8255
8256 # log the amount of data uploaded during a POST
8257 capture request header Content-Length len 10
8258
8259 # log the beginning of the referrer
8260 capture request header Referer len 20
8261
8262 # server name (useful for outgoing proxies only)
8263 capture response header Server len 20
8264
8265 # logging the content-length is useful with "option logasap"
8266 capture response header Content-Length len 10
8267
8268 # log the expected cache behaviour on the response
8269 capture response header Cache-Control len 8
8270
8271 # the Via header will report the next proxy's name
8272 capture response header Via len 20
8273
8274 # log the URL location during a redirection
8275 capture response header Location len 20
8276
8277 >>> Aug 9 20:26:09 localhost \
8278 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
8279 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
8280 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
8281 "GET http://fr.adserver.yahoo.com/"
8282
8283 >>> Aug 9 20:30:46 localhost \
8284 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
8285 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
8286 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008287 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008288
8289 >>> Aug 9 20:30:46 localhost \
8290 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
8291 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
8292 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
8293 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008294 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008295
8296
Willy Tarreauc57f0e22009-05-10 13:12:33 +020082978.9. Examples of logs
8298---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008299
8300These are real-world examples of logs accompanied with an explanation. Some of
8301them have been made up by hand. The syslog part has been removed for better
8302reading. Their sole purpose is to explain how to decipher them.
8303
8304 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
8305 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
8306 "HEAD / HTTP/1.0"
8307
8308 => long request (6.5s) entered by hand through 'telnet'. The server replied
8309 in 147 ms, and the session ended normally ('----')
8310
8311 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
8312 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
8313 0/9 "HEAD / HTTP/1.0"
8314
8315 => Idem, but the request was queued in the global queue behind 9 other
8316 requests, and waited there for 1230 ms.
8317
8318 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
8319 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
8320 "GET /image.iso HTTP/1.0"
8321
8322 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008323 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008324 14 ms, 243 bytes of headers were sent to the client, and total time from
8325 accept to first data byte is 30 ms.
8326
8327 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
8328 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
8329 "GET /cgi-bin/bug.cgi? HTTP/1.0"
8330
8331 => the proxy blocked a server response either because of an "rspdeny" or
8332 "rspideny" filter, or because the response was improperly formatted and
8333 not HTTP-compliant, or because it blocked sensible information which
8334 risked being cached. In this case, the response is replaced with a "502
8335 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
8336 to return the 502 and not the server.
8337
8338 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008339 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008340
8341 => the client never completed its request and aborted itself ("C---") after
8342 8.5s, while the proxy was waiting for the request headers ("-R--").
8343 Nothing was sent to any server.
8344
8345 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
8346 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
8347
8348 => The client never completed its request, which was aborted by the
8349 time-out ("c---") after 50s, while the proxy was waiting for the request
8350 headers ("-R--"). Nothing was sent to any server, but the proxy could
8351 send a 408 return code to the client.
8352
8353 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
8354 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
8355
8356 => This log was produced with "option tcplog". The client timed out after
8357 5 seconds ("c----").
8358
8359 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
8360 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01008361 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008362
8363 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008364 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01008365 (config says 'retries 3'), and no redispatch (otherwise we would have
8366 seen "/+3"). Status code 503 was returned to the client. There were 115
8367 connections on this server, 202 connections on this proxy, and 205 on
8368 the global process. It is possible that the server refused the
8369 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008370
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008371
Willy Tarreauc57f0e22009-05-10 13:12:33 +020083729. Statistics and monitoring
8373----------------------------
8374
8375It is possible to query HAProxy about its status. The most commonly used
8376mechanism is the HTTP statistics page. This page also exposes an alternative
8377CSV output format for monitoring tools. The same format is provided on the
8378Unix socket.
8379
8380
83819.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008382---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008383
Willy Tarreau7f062c42009-03-05 18:43:00 +01008384The statistics may be consulted either from the unix socket or from the HTTP
8385page. Both means provide a CSV format whose fields follow.
8386
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008387 0. pxname: proxy name
8388 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
8389 for server)
8390 2. qcur: current queued requests
8391 3. qmax: max queued requests
8392 4. scur: current sessions
8393 5. smax: max sessions
8394 6. slim: sessions limit
8395 7. stot: total sessions
8396 8. bin: bytes in
8397 9. bout: bytes out
8398 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008399 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008400 12. ereq: request errors
8401 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +01008402 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008403 15. wretr: retries (warning)
8404 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +01008405 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01008406 18. weight: server weight (server), total weight (backend)
8407 19. act: server is active (server), number of active servers (backend)
8408 20. bck: server is backup (server), number of backup servers (backend)
8409 21. chkfail: number of failed checks
8410 22. chkdown: number of UP->DOWN transitions
8411 23. lastchg: last status change (in seconds)
8412 24. downtime: total downtime (in seconds)
8413 25. qlimit: queue limit
8414 26. pid: process id (0 for first instance, 1 for second, ...)
8415 27. iid: unique proxy id
8416 28. sid: service id (unique inside a proxy)
8417 29. throttle: warm up status
8418 30. lbtot: total number of times a server was selected
8419 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02008420 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +02008421 33. rate: number of sessions per second over last elapsed second
8422 34. rate_lim: limit on new sessions per second
8423 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008424 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +01008425 UNK -> unknown
8426 INI -> initializing
8427 SOCKERR -> socket error
8428 L4OK -> check passed on layer 4, no upper layers testing enabled
8429 L4TMOUT -> layer 1-4 timeout
8430 L4CON -> layer 1-4 connection problem, for example
8431 "Connection refused" (tcp rst) or "No route to host" (icmp)
8432 L6OK -> check passed on layer 6
8433 L6TOUT -> layer 6 (SSL) timeout
8434 L6RSP -> layer 6 invalid response - protocol error
8435 L7OK -> check passed on layer 7
8436 L7OKC -> check conditionally passed on layer 7, for example 404 with
8437 disable-on-404
8438 L7TOUT -> layer 7 (HTTP/SMTP) timeout
8439 L7RSP -> layer 7 invalid response - protocol error
8440 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02008441 37. check_code: layer5-7 code, if available
8442 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008443 39. hrsp_1xx: http responses with 1xx code
8444 40. hrsp_2xx: http responses with 2xx code
8445 41. hrsp_3xx: http responses with 3xx code
8446 42. hrsp_4xx: http responses with 4xx code
8447 43. hrsp_5xx: http responses with 5xx code
8448 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +01008449 45. hanafail: failed health checks details
8450 46. req_rate: HTTP requests per second over last elapsed second
8451 47. req_rate_max: max number of HTTP requests per second observed
8452 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +01008453 49. cli_abrt: number of data transfers aborted by the client
8454 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau844e3c52008-01-11 16:28:18 +01008455
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008456
Willy Tarreauc57f0e22009-05-10 13:12:33 +020084579.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008458-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008459
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008460The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008461must be terminated by a line feed. The socket supports pipelining, so that it
8462is possible to chain multiple commands at once provided they are delimited by
8463a semi-colon or a line feed, although the former is more reliable as it has no
8464risk of being truncated over the network. The responses themselves will each be
8465followed by an empty line, so it will be easy for an external script to match a
8466given response with a given request. By default one command line is processed
8467then the connection closes, but there is an interactive allowing multiple lines
8468to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008469
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008470It is important to understand that when multiple haproxy processes are started
8471on the same sockets, any process may pick up the request and will output its
8472own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008473
Willy Tarreaud63335a2010-02-26 12:56:52 +01008474clear counters
8475 Clear the max values of the statistics counters in each proxy (frontend &
8476 backend) and in each server. The cumulated counters are not affected. This
8477 can be used to get clean counters after an incident, without having to
8478 restart nor to clear traffic counters. This command is restricted and can
8479 only be issued on sockets configured for levels "operator" or "admin".
8480
8481clear counters all
8482 Clear all statistics counters in each proxy (frontend & backend) and in each
8483 server. This has the same effect as restarting. This command is restricted
8484 and can only be issued on sockets configured for level "admin".
8485
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008486clear table <table> key <key>
8487 Remove entry <key> from the stick-table <table>. The key must be of the same
8488 type as the table, which currently is limited to IPv4. This is typically used
8489 un unblock some users complaining they have been abusively denied access to a
8490 service, but this can also be used to clear some stickiness entries matching
8491 a server that is going to be replaced (see "show table" below for details).
8492 Note that sometimes, removal of a key will be refused because it is currently
8493 tracked by a session. Retrying a few seconds later after the session ends is
8494 usuall enough.
8495
8496 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008497 $ echo "show table http_proxy" | socat stdio /tmp/sock1
8498 >>> # table: http_proxy, type: 0, size:204800, used:2
8499 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
8500 bytes_out_rate(60000)=187
8501 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8502 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008503
8504 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
8505
8506 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Willy Tarreau62a36c42010-08-17 15:53:10 +02008507 >>> # table: http_proxy, type: 0, size:204800, used:1
8508 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8509 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008510
Willy Tarreaud63335a2010-02-26 12:56:52 +01008511disable server <backend>/<server>
8512 Mark the server DOWN for maintenance. In this mode, no more checks will be
8513 performed on the server until it leaves maintenance.
8514 If the server is tracked by other servers, those servers will be set to DOWN
8515 during the maintenance.
8516
8517 In the statistics page, a server DOWN for maintenance will appear with a
8518 "MAINT" status, its tracking servers with the "MAINT(via)" one.
8519
8520 Both the backend and the server may be specified either by their name or by
8521 their numeric ID, prefixed with a dash ('#').
8522
8523 This command is restricted and can only be issued on sockets configured for
8524 level "admin".
8525
8526enable server <backend>/<server>
8527 If the server was previously marked as DOWN for maintenance, this marks the
8528 server UP and checks are re-enabled.
8529
8530 Both the backend and the server may be specified either by their name or by
8531 their numeric ID, prefixed with a dash ('#').
8532
8533 This command is restricted and can only be issued on sockets configured for
8534 level "admin".
8535
8536get weight <backend>/<server>
8537 Report the current weight and the initial weight of server <server> in
8538 backend <backend> or an error if either doesn't exist. The initial weight is
8539 the one that appears in the configuration file. Both are normally equal
8540 unless the current weight has been changed. Both the backend and the server
8541 may be specified either by their name or by their numeric ID, prefixed with a
8542 dash ('#').
8543
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008544help
8545 Print the list of known keywords and their basic usage. The same help screen
8546 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01008547
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008548prompt
8549 Toggle the prompt at the beginning of the line and enter or leave interactive
8550 mode. In interactive mode, the connection is not closed after a command
8551 completes. Instead, the prompt will appear again, indicating the user that
8552 the interpreter is waiting for a new command. The prompt consists in a right
8553 angle bracket followed by a space "> ". This mode is particularly convenient
8554 when one wants to periodically check information such as stats or errors.
8555 It is also a good idea to enter interactive mode before issuing a "help"
8556 command.
8557
8558quit
8559 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008560
Willy Tarreaud63335a2010-02-26 12:56:52 +01008561set timeout cli <delay>
8562 Change the CLI interface timeout for current connection. This can be useful
8563 during long debugging sessions where the user needs to constantly inspect
8564 some indicators without being disconnected. The delay is passed in seconds.
8565
8566set weight <backend>/<server> <weight>[%]
8567 Change a server's weight to the value passed in argument. If the value ends
8568 with the '%' sign, then the new weight will be relative to the initially
8569 configured weight. Relative weights are only permitted between 0 and 100%,
8570 and absolute weights are permitted between 0 and 256. Servers which are part
8571 of a farm running a static load-balancing algorithm have stricter limitations
8572 because the weight cannot change once set. Thus for these servers, the only
8573 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
8574 effect immediately, though certain LB algorithms require a certain amount of
8575 requests to consider changes. A typical usage of this command is to disable
8576 a server during an update by setting its weight to zero, then to enable it
8577 again after the update by setting it back to 100%. This command is restricted
8578 and can only be issued on sockets configured for level "admin". Both the
8579 backend and the server may be specified either by their name or by their
8580 numeric ID, prefixed with a dash ('#').
8581
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008582show errors [<iid>]
8583 Dump last known request and response errors collected by frontends and
8584 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +02008585 either frontend or backend whose ID is <iid>. This command is restricted
8586 and can only be issued on sockets configured for levels "operator" or
8587 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008588
8589 The errors which may be collected are the last request and response errors
8590 caused by protocol violations, often due to invalid characters in header
8591 names. The report precisely indicates what exact character violated the
8592 protocol. Other important information such as the exact date the error was
8593 detected, frontend and backend names, the server name (when known), the
8594 internal session ID and the source address which has initiated the session
8595 are reported too.
8596
8597 All characters are returned, and non-printable characters are encoded. The
8598 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
8599 letter following a backslash. The backslash itself is encoded as '\\' to
8600 avoid confusion. Other non-printable characters are encoded '\xNN' where
8601 NN is the two-digits hexadecimal representation of the character's ASCII
8602 code.
8603
8604 Lines are prefixed with the position of their first character, starting at 0
8605 for the beginning of the buffer. At most one input line is printed per line,
8606 and large lines will be broken into multiple consecutive output lines so that
8607 the output never goes beyond 79 characters wide. It is easy to detect if a
8608 line was broken, because it will not end with '\n' and the next line's offset
8609 will be followed by a '+' sign, indicating it is a continuation of previous
8610 line.
8611
8612 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008613 $ echo "show errors" | socat stdio /tmp/sock1
8614 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008615 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
8616 response length 213 bytes, error at position 23:
8617
8618 00000 HTTP/1.0 200 OK\r\n
8619 00017 header/bizarre:blah\r\n
8620 00038 Location: blah\r\n
8621 00054 Long-line: this is a very long line which should b
8622 00104+ e broken into multiple lines on the output buffer,
8623 00154+ otherwise it would be too large to print in a ter
8624 00204+ minal\r\n
8625 00211 \r\n
8626
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008627 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01008628 ID 2 has blocked an invalid response from its server s2 which has internal
8629 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
8630 received by frontend fe-eth0 whose ID is 1. The total response length was
8631 213 bytes when the error was detected, and the error was at byte 23. This
8632 is the slash ('/') in header name "header/bizarre", which is not a valid
8633 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01008634
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008635show info
8636 Dump info about haproxy status on current process.
8637
8638show sess
8639 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +02008640 be huge. This command is restricted and can only be issued on sockets
8641 configured for levels "operator" or "admin".
8642
Willy Tarreau66dc20a2010-03-05 17:53:32 +01008643show sess <id>
8644 Display a lot of internal information about the specified session identifier.
8645 This identifier is the first field at the beginning of the lines in the dumps
8646 of "show sess" (it corresponds to the session pointer). Those information are
8647 useless to most users but may be used by haproxy developers to troubleshoot a
8648 complex bug. The output format is intentionally not documented so that it can
8649 freely evolve depending on demands.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008650
8651show stat [<iid> <type> <sid>]
8652 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
8653 possible to dump only selected items :
8654 - <iid> is a proxy ID, -1 to dump everything
8655 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
8656 backends, 4 for servers, -1 for everything. These values can be ORed,
8657 for example:
8658 1 + 2 = 3 -> frontend + backend.
8659 1 + 2 + 4 = 7 -> frontend + backend + server.
8660 - <sid> is a server ID, -1 to dump everything from the selected proxy.
8661
8662 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008663 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
8664 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008665 Version: 1.4-dev2-49
8666 Release_date: 2009/09/23
8667 Nbproc: 1
8668 Process_num: 1
8669 (...)
8670
8671 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
8672 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
8673 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
8674 (...)
8675 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
8676
8677 $
8678
8679 Here, two commands have been issued at once. That way it's easy to find
8680 which process the stats apply to in multi-process mode. Notice the empty
8681 line after the information output which marks the end of the first block.
8682 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008683 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02008684
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008685show table
8686 Dump general information on all known stick-tables. Their name is returned
8687 (the name of the proxy which holds them), their type (currently zero, always
8688 IP), their size in maximum possible number of entries, and the number of
8689 entries currently in use.
8690
8691 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008692 $ echo "show table" | socat stdio /tmp/sock1
8693 >>> # table: front_pub, type: 0, size:204800, used:171454
8694 >>> # table: back_rdp, type: 0, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008695
8696show table <name> [ data.<type> <operator> <value> ]
8697 Dump contents of stick-table <name>. In this mode, a first line of generic
8698 information about the table is reported as with "show table", then all
8699 entries are dumped. Since this can be quite heavy, it is possible to specify
8700 a filter in order to specify what entries to display. The filter then applies
8701 to the stored data (see "stick-table" in section 4.2). One stored data type
8702 has to be specified in <type>, and this data type must be stored in the table
8703 otherwise an error is reported. The data is compared according to <operator>
8704 with the 64-bit integer <value>. Operators are the same as with the ACLs :
8705 - eq : match entries whose data is equal to this value
8706 - ne : match entries whose data is not equal to this value
8707 - le : match entries whose data is less than or equal to this value
8708 - ge : match entries whose data is greater than or equal to this value
8709 - lt : match entries whose data is less than this value
8710 - gt : match entries whose data is greater than this value
8711
8712 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008713 $ echo "show table http_proxy" | socat stdio /tmp/sock1
8714 >>> # table: http_proxy, type: 0, size:204800, used:2
8715 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
8716 bytes_out_rate(60000)=187
8717 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8718 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008719
Willy Tarreau62a36c42010-08-17 15:53:10 +02008720 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
8721 >>> # table: http_proxy, type: 0, size:204800, used:2
8722 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8723 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008724
Willy Tarreau62a36c42010-08-17 15:53:10 +02008725 $ echo "show table http_proxy data.conn_rate gt 5" | \
8726 socat stdio /tmp/sock1
8727 >>> # table: http_proxy, type: 0, size:204800, used:2
8728 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
8729 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008730
8731 When the data criterion applies to a dynamic value dependent on time such as
8732 a bytes rate, the value is dynamically computed during the evaluation of the
8733 entry in order to decide whether it has to be dumped or not. This means that
8734 such a filter could match for some time then not match anymore because as
8735 time goes, the average event rate drops.
8736
8737 It is possible to use this to extract lists of IP addresses abusing the
8738 service, in order to monitor them or even blacklist them in a firewall.
8739 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +02008740 $ echo "show table http_proxy data.gpc0 gt 0" \
8741 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +02008742 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
8743 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +02008744
Willy Tarreau0ba27502007-12-24 16:55:16 +01008745/*
8746 * Local variables:
8747 * fill-column: 79
8748 * End:
8749 */