Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 1 | ------------------------ |
| 2 | HAProxy Management Guide |
| 3 | ------------------------ |
Willy Tarreau | 29698e3 | 2022-05-31 17:05:27 +0200 | [diff] [blame] | 4 | version 2.7 |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 5 | |
| 6 | |
| 7 | This document describes how to start, stop, manage, and troubleshoot HAProxy, |
| 8 | as well as some known limitations and traps to avoid. It does not describe how |
| 9 | to configure it (for this please read configuration.txt). |
| 10 | |
| 11 | Note to documentation contributors : |
| 12 | This document is formatted with 80 columns per line, with even number of |
| 13 | spaces for indentation and without tabs. Please follow these rules strictly |
| 14 | so that it remains easily printable everywhere. If you add sections, please |
| 15 | update the summary below for easier searching. |
| 16 | |
| 17 | |
| 18 | Summary |
| 19 | ------- |
| 20 | |
| 21 | 1. Prerequisites |
| 22 | 2. Quick reminder about HAProxy's architecture |
| 23 | 3. Starting HAProxy |
| 24 | 4. Stopping and restarting HAProxy |
| 25 | 5. File-descriptor limitations |
| 26 | 6. Memory management |
| 27 | 7. CPU usage |
| 28 | 8. Logging |
| 29 | 9. Statistics and monitoring |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 30 | 9.1. CSV format |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 31 | 9.2. Typed output format |
| 32 | 9.3. Unix Socket commands |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 33 | 9.4. Master CLI |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 34 | 9.4.1. Master CLI commands |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 35 | 10. Tricks for easier configuration management |
| 36 | 11. Well-known traps to avoid |
| 37 | 12. Debugging and performance issues |
| 38 | 13. Security considerations |
| 39 | |
| 40 | |
| 41 | 1. Prerequisites |
| 42 | ---------------- |
| 43 | |
| 44 | In this document it is assumed that the reader has sufficient administration |
| 45 | skills on a UNIX-like operating system, uses the shell on a daily basis and is |
| 46 | familiar with troubleshooting utilities such as strace and tcpdump. |
| 47 | |
| 48 | |
| 49 | 2. Quick reminder about HAProxy's architecture |
| 50 | ---------------------------------------------- |
| 51 | |
Willy Tarreau | 3f36448 | 2019-02-27 15:01:46 +0100 | [diff] [blame] | 52 | HAProxy is a multi-threaded, event-driven, non-blocking daemon. This means is |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 53 | uses event multiplexing to schedule all of its activities instead of relying on |
| 54 | the system to schedule between multiple activities. Most of the time it runs as |
| 55 | a single process, so the output of "ps aux" on a system will report only one |
| 56 | "haproxy" process, unless a soft reload is in progress and an older process is |
| 57 | finishing its job in parallel to the new one. It is thus always easy to trace |
Willy Tarreau | 3f36448 | 2019-02-27 15:01:46 +0100 | [diff] [blame] | 58 | its activity using the strace utility. In order to scale with the number of |
| 59 | available processors, by default haproxy will start one worker thread per |
| 60 | processor it is allowed to run on. Unless explicitly configured differently, |
| 61 | the incoming traffic is spread over all these threads, all running the same |
| 62 | event loop. A great care is taken to limit inter-thread dependencies to the |
| 63 | strict minimum, so as to try to achieve near-linear scalability. This has some |
| 64 | impacts such as the fact that a given connection is served by a single thread. |
| 65 | Thus in order to use all available processing capacity, it is needed to have at |
| 66 | least as many connections as there are threads, which is almost always granted. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 67 | |
| 68 | HAProxy is designed to isolate itself into a chroot jail during startup, where |
| 69 | it cannot perform any file-system access at all. This is also true for the |
| 70 | libraries it depends on (eg: libc, libssl, etc). The immediate effect is that |
| 71 | a running process will not be able to reload a configuration file to apply |
| 72 | changes, instead a new process will be started using the updated configuration |
| 73 | file. Some other less obvious effects are that some timezone files or resolver |
| 74 | files the libc might attempt to access at run time will not be found, though |
| 75 | this should generally not happen as they're not needed after startup. A nice |
| 76 | consequence of this principle is that the HAProxy process is totally stateless, |
| 77 | and no cleanup is needed after it's killed, so any killing method that works |
| 78 | will do the right thing. |
| 79 | |
| 80 | HAProxy doesn't write log files, but it relies on the standard syslog protocol |
| 81 | to send logs to a remote server (which is often located on the same system). |
| 82 | |
| 83 | HAProxy uses its internal clock to enforce timeouts, that is derived from the |
| 84 | system's time but where unexpected drift is corrected. This is done by limiting |
| 85 | the time spent waiting in poll() for an event, and measuring the time it really |
| 86 | took. In practice it never waits more than one second. This explains why, when |
| 87 | running strace over a completely idle process, periodic calls to poll() (or any |
| 88 | of its variants) surrounded by two gettimeofday() calls are noticed. They are |
| 89 | normal, completely harmless and so cheap that the load they imply is totally |
| 90 | undetectable at the system scale, so there's nothing abnormal there. Example : |
| 91 | |
| 92 | 16:35:40.002320 gettimeofday({1442759740, 2605}, NULL) = 0 |
| 93 | 16:35:40.002942 epoll_wait(0, {}, 200, 1000) = 0 |
| 94 | 16:35:41.007542 gettimeofday({1442759741, 7641}, NULL) = 0 |
| 95 | 16:35:41.007998 gettimeofday({1442759741, 8114}, NULL) = 0 |
| 96 | 16:35:41.008391 epoll_wait(0, {}, 200, 1000) = 0 |
| 97 | 16:35:42.011313 gettimeofday({1442759742, 11411}, NULL) = 0 |
| 98 | |
| 99 | HAProxy is a TCP proxy, not a router. It deals with established connections that |
| 100 | have been validated by the kernel, and not with packets of any form nor with |
| 101 | sockets in other states (eg: no SYN_RECV nor TIME_WAIT), though their existence |
| 102 | may prevent it from binding a port. It relies on the system to accept incoming |
| 103 | connections and to initiate outgoing connections. An immediate effect of this is |
| 104 | that there is no relation between packets observed on the two sides of a |
| 105 | forwarded connection, which can be of different size, numbers and even family. |
| 106 | Since a connection may only be accepted from a socket in LISTEN state, all the |
| 107 | sockets it is listening to are necessarily visible using the "netstat" utility |
| 108 | to show listening sockets. Example : |
| 109 | |
| 110 | # netstat -ltnp |
| 111 | Active Internet connections (only servers) |
| 112 | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name |
| 113 | tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1629/sshd |
| 114 | tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2847/haproxy |
| 115 | tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2847/haproxy |
| 116 | |
| 117 | |
| 118 | 3. Starting HAProxy |
| 119 | ------------------- |
| 120 | |
| 121 | HAProxy is started by invoking the "haproxy" program with a number of arguments |
| 122 | passed on the command line. The actual syntax is : |
| 123 | |
| 124 | $ haproxy [<options>]* |
| 125 | |
| 126 | where [<options>]* is any number of options. An option always starts with '-' |
| 127 | followed by one of more letters, and possibly followed by one or multiple extra |
| 128 | arguments. Without any option, HAProxy displays the help page with a reminder |
| 129 | about supported options. Available options may vary slightly based on the |
| 130 | operating system. A fair number of these options overlap with an equivalent one |
| 131 | if the "global" section. In this case, the command line always has precedence |
| 132 | over the configuration file, so that the command line can be used to quickly |
| 133 | enforce some settings without touching the configuration files. The current |
| 134 | list of options is : |
| 135 | |
| 136 | -- <cfgfile>* : all the arguments following "--" are paths to configuration |
Maxime de Roucy | 379d9c7 | 2016-05-13 23:52:56 +0200 | [diff] [blame] | 137 | file/directory to be loaded and processed in the declaration order. It is |
| 138 | mostly useful when relying on the shell to load many files that are |
| 139 | numerically ordered. See also "-f". The difference between "--" and "-f" is |
| 140 | that one "-f" must be placed before each file name, while a single "--" is |
| 141 | needed before all file names. Both options can be used together, the |
| 142 | command line ordering still applies. When more than one file is specified, |
| 143 | each file must start on a section boundary, so the first keyword of each |
| 144 | file must be one of "global", "defaults", "peers", "listen", "frontend", |
| 145 | "backend", and so on. A file cannot contain just a server list for example. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 146 | |
Maxime de Roucy | 379d9c7 | 2016-05-13 23:52:56 +0200 | [diff] [blame] | 147 | -f <cfgfile|cfgdir> : adds <cfgfile> to the list of configuration files to be |
| 148 | loaded. If <cfgdir> is a directory, all the files (and only files) it |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 149 | contains are added in lexical order (using LC_COLLATE=C) to the list of |
Maxime de Roucy | 379d9c7 | 2016-05-13 23:52:56 +0200 | [diff] [blame] | 150 | configuration files to be loaded ; only files with ".cfg" extension are |
| 151 | added, only non hidden files (not prefixed with ".") are added. |
| 152 | Configuration files are loaded and processed in their declaration order. |
| 153 | This option may be specified multiple times to load multiple files. See |
| 154 | also "--". The difference between "--" and "-f" is that one "-f" must be |
| 155 | placed before each file name, while a single "--" is needed before all file |
| 156 | names. Both options can be used together, the command line ordering still |
| 157 | applies. When more than one file is specified, each file must start on a |
| 158 | section boundary, so the first keyword of each file must be one of |
| 159 | "global", "defaults", "peers", "listen", "frontend", "backend", and so on. |
| 160 | A file cannot contain just a server list for example. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 161 | |
| 162 | -C <dir> : changes to directory <dir> before loading configuration |
| 163 | files. This is useful when using relative paths. Warning when using |
| 164 | wildcards after "--" which are in fact replaced by the shell before |
| 165 | starting haproxy. |
| 166 | |
| 167 | -D : start as a daemon. The process detaches from the current terminal after |
| 168 | forking, and errors are not reported anymore in the terminal. It is |
| 169 | equivalent to the "daemon" keyword in the "global" section of the |
| 170 | configuration. It is recommended to always force it in any init script so |
| 171 | that a faulty configuration doesn't prevent the system from booting. |
| 172 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 173 | -L <name> : change the local peer name to <name>, which defaults to the local |
William Lallemand | daf4cd2 | 2018-04-17 16:46:13 +0200 | [diff] [blame] | 174 | hostname. This is used only with peers replication. You can use the |
| 175 | variable $HAPROXY_LOCALPEER in the configuration file to reference the |
| 176 | peer name. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 177 | |
| 178 | -N <limit> : sets the default per-proxy maxconn to <limit> instead of the |
| 179 | builtin default value (usually 2000). Only useful for debugging. |
| 180 | |
| 181 | -V : enable verbose mode (disables quiet mode). Reverts the effect of "-q" or |
| 182 | "quiet". |
| 183 | |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 184 | -W : master-worker mode. It is equivalent to the "master-worker" keyword in |
| 185 | the "global" section of the configuration. This mode will launch a "master" |
| 186 | which will monitor the "workers". Using this mode, you can reload HAProxy |
| 187 | directly by sending a SIGUSR2 signal to the master. The master-worker mode |
| 188 | is compatible either with the foreground or daemon mode. It is |
| 189 | recommended to use this mode with multiprocess and systemd. |
| 190 | |
Pavlos Parissis | f65f257 | 2018-02-07 21:42:16 +0100 | [diff] [blame] | 191 | -Ws : master-worker mode with support of `notify` type of systemd service. |
| 192 | This option is only available when HAProxy was built with `USE_SYSTEMD` |
| 193 | build option enabled. |
| 194 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 195 | -c : only performs a check of the configuration files and exits before trying |
| 196 | to bind. The exit status is zero if everything is OK, or non-zero if an |
Willy Tarreau | bebd212 | 2020-04-15 16:06:11 +0200 | [diff] [blame] | 197 | error is encountered. Presence of warnings will be reported if any. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 198 | |
Maximilian Mader | fc0cceb | 2021-06-06 00:50:22 +0200 | [diff] [blame] | 199 | -cc : evaluates a condition as used within a conditional block of the |
| 200 | configuration. The exit status is zero if the condition is true, 1 if the |
| 201 | condition is false or 2 if an error is encountered. |
| 202 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 203 | -d : enable debug mode. This disables daemon mode, forces the process to stay |
Willy Tarreau | ccf4299 | 2020-10-09 19:15:03 +0200 | [diff] [blame] | 204 | in foreground and to show incoming and outgoing events. It must never be |
| 205 | used in an init script. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 206 | |
Amaury Denoyelle | 7b01a8d | 2021-03-29 10:29:07 +0200 | [diff] [blame] | 207 | -dD : enable diagnostic mode. This mode will output extra warnings about |
| 208 | suspicious configuration statements. This will never prevent startup even in |
| 209 | "zero-warning" mode nor change the exit status code. |
| 210 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 211 | -dG : disable use of getaddrinfo() to resolve host names into addresses. It |
| 212 | can be used when suspecting that getaddrinfo() doesn't work as expected. |
| 213 | This option was made available because many bogus implementations of |
| 214 | getaddrinfo() exist on various systems and cause anomalies that are |
| 215 | difficult to troubleshoot. |
| 216 | |
Willy Tarreau | 76871a4 | 2022-03-08 16:01:40 +0100 | [diff] [blame] | 217 | -dK<class[,class]*> : dumps the list of registered keywords in each class. |
| 218 | The list of classes is available with "-dKhelp". All classes may be dumped |
| 219 | using "-dKall", otherwise a selection of those shown in the help can be |
| 220 | specified as a comma-delimited list. The output format will vary depending |
| 221 | on what class of keywords is being dumped (e.g. "cfg" will show the known |
Willy Tarreau | 55b9689 | 2022-05-31 08:07:43 +0200 | [diff] [blame] | 222 | configuration keywords in a format resembling the config file format while |
Willy Tarreau | 76871a4 | 2022-03-08 16:01:40 +0100 | [diff] [blame] | 223 | "smp" will show sample fetch functions prefixed with a compatibility matrix |
| 224 | with each rule set). These may rarely be used as-is by humans but can be of |
| 225 | great help for external tools that try to detect the appearance of new |
| 226 | keywords at certain places to automatically update some documentation, |
| 227 | syntax highlighting files, configuration parsers, API etc. The output |
| 228 | format may evolve a bit over time so it is really recommended to use this |
| 229 | output mostly to detect differences with previous archives. Note that not |
| 230 | all keywords are listed because many keywords have existed long before the |
| 231 | different keyword registration subsystems were created, and they do not |
| 232 | appear there. However since new keywords are only added via the modern |
| 233 | mechanisms, it's reasonably safe to assume that this output may be used to |
| 234 | detect language additions with a good accuracy. The keywords are only |
| 235 | dumped after the configuration is fully parsed, so that even dynamically |
| 236 | created keywords can be dumped. A good way to dump and exit is to run a |
| 237 | silent config check on an existing configuration: |
| 238 | |
| 239 | ./haproxy -dKall -q -c -f foo.cfg |
| 240 | |
| 241 | If no configuration file is available, using "-f /dev/null" will work as |
| 242 | well to dump all default keywords, but then the return status will not be |
| 243 | zero since there will be no listener, and will have to be ignored. |
| 244 | |
Willy Tarreau | 654726d | 2021-12-28 15:43:11 +0100 | [diff] [blame] | 245 | -dL : dumps the list of dynamic shared libraries that are loaded at the end |
| 246 | of the config processing. This will generally also include deep dependencies |
| 247 | such as anything loaded from Lua code for example, as well as the executable |
| 248 | itself. The list is printed in a format that ought to be easy enough to |
| 249 | sanitize to directly produce a tarball of all dependencies. Since it doesn't |
| 250 | stop the program's startup, it is recommended to only use it in combination |
| 251 | with "-c" and "-q" where only the list of loaded objects will be displayed |
| 252 | (or nothing in case of error). In addition, keep in mind that when providing |
| 253 | such a package to help with a core file analysis, most libraries are in fact |
| 254 | symbolic links that need to be dereferenced when creating the archive: |
| 255 | |
| 256 | ./haproxy -W -q -c -dL -f foo.cfg | tar -T - -hzcf archive.tgz |
| 257 | |
Willy Tarreau | f4b79c4 | 2022-02-23 15:20:53 +0100 | [diff] [blame] | 258 | -dM[<byte>[,]][help|options,...] : forces memory poisoning, and/or changes |
| 259 | memory other debugging options. Memory poisonning means that each and every |
Willy Tarreau | bafbe01 | 2017-11-24 17:34:44 +0100 | [diff] [blame] | 260 | memory region allocated with malloc() or pool_alloc() will be filled with |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 261 | <byte> before being passed to the caller. When <byte> is not specified, it |
| 262 | defaults to 0x50 ('P'). While this slightly slows down operations, it is |
| 263 | useful to reliably trigger issues resulting from missing initializations in |
| 264 | the code that cause random crashes. Note that -dM0 has the effect of |
| 265 | turning any malloc() into a calloc(). In any case if a bug appears or |
| 266 | disappears when using this option it means there is a bug in haproxy, so |
Willy Tarreau | f4b79c4 | 2022-02-23 15:20:53 +0100 | [diff] [blame] | 267 | please report it. A number of other options are available either alone or |
| 268 | after a comma following the byte. The special option "help" will list the |
| 269 | currently supported options and their current value. Each debugging option |
| 270 | may be forced on or off. The most optimal options are usually chosen at |
| 271 | build time based on the operating system and do not need to be adjusted, |
| 272 | unless suggested by a developer. Supported debugging options include |
| 273 | (set/clear): |
| 274 | - fail / no-fail: |
| 275 | This enables randomly failing memory allocations, in conjunction with |
| 276 | the global "tune.fail-alloc" setting. This is used to detect missing |
| 277 | error checks in the code. |
| 278 | |
| 279 | - no-merge / merge: |
| 280 | By default, pools of very similar sizes are merged, resulting in more |
| 281 | efficiency, but this complicates the analysis of certain memory dumps. |
| 282 | This option allows to disable this mechanism, and may slightly increase |
| 283 | the memory usage. |
| 284 | |
| 285 | - cold-first / hot-first: |
| 286 | In order to optimize the CPU cache hit ratio, by default the most |
| 287 | recently released objects ("hot") are recycled for new allocations. |
| 288 | But doing so also complicates analysis of memory dumps and may hide |
| 289 | use-after-free bugs. This option allows to instead pick the coldest |
| 290 | objects first, which may result in a slight increase of CPU usage. |
| 291 | |
| 292 | - integrity / no-integrity: |
| 293 | When this option is enabled, memory integrity checks are enabled on |
| 294 | the allocated area to verify that it hasn't been modified since it was |
| 295 | last released. This works best with "no-merge", "cold-first" and "tag". |
| 296 | Enabling this option will slightly increase the CPU usage. |
| 297 | |
| 298 | - no-global / global: |
| 299 | Depending on the operating system, a process-wide global memory cache |
| 300 | may be enabled if it is estimated that the standard allocator is too |
| 301 | slow or inefficient with threads. This option allows to forcefully |
| 302 | disable it or enable it. Disabling it may result in a CPU usage |
| 303 | increase with inefficient allocators. Enabling it may result in a |
| 304 | higher memory usage with efficient allocators. |
| 305 | |
| 306 | - no-cache / cache: |
| 307 | Each thread uses a very fast local object cache for allocations, which |
| 308 | is always enabled by default. This option allows to disable it. Since |
| 309 | the global cache also passes via the local caches, this will |
| 310 | effectively result in disabling all caches and allocating directly from |
| 311 | the default allocator. This may result in a significant increase of CPU |
| 312 | usage, but may also result in small memory savings on tiny systems. |
| 313 | |
| 314 | - caller / no-caller: |
| 315 | Enabling this option reserves some extra space in each allocated object |
| 316 | to store the address of the last caller that allocated or released it. |
| 317 | This helps developers go back in time when analysing memory dumps and |
| 318 | to guess how something unexpected happened. |
| 319 | |
| 320 | - tag / no-tag: |
| 321 | Enabling this option reserves some extra space in each allocated object |
| 322 | to store a tag that allows to detect bugs such as double-free, freeing |
| 323 | an invalid object, and buffer overflows. It offers much stronger |
| 324 | reliability guarantees at the expense of 4 or 8 extra bytes per |
| 325 | allocation. It usually is the first step to detect memory corruption. |
| 326 | |
| 327 | - poison / no-poison: |
| 328 | Enabling this option will fill allocated objects with a fixed pattern |
| 329 | that will make sure that some accidental values such as 0 will not be |
| 330 | present if a newly added field was mistakenly forgotten in an |
| 331 | initialization routine. Such bugs tend to rarely reproduce, especially |
| 332 | when pools are not merged. This is normally enabled by directly passing |
| 333 | the byte's value to -dM but using this option allows to disable/enable |
| 334 | use of a previously set value. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 335 | |
| 336 | -dS : disable use of the splice() system call. It is equivalent to the |
| 337 | "global" section's "nosplice" keyword. This may be used when splice() is |
| 338 | suspected to behave improperly or to cause performance issues, or when |
| 339 | using strace to see the forwarded data (which do not appear when using |
| 340 | splice()). |
| 341 | |
| 342 | -dV : disable SSL verify on the server side. It is equivalent to having |
| 343 | "ssl-server-verify none" in the "global" section. This is useful when |
| 344 | trying to reproduce production issues out of the production |
| 345 | environment. Never use this in an init script as it degrades SSL security |
| 346 | to the servers. |
| 347 | |
Willy Tarreau | 3eb10b8 | 2020-04-15 16:42:39 +0200 | [diff] [blame] | 348 | -dW : if set, haproxy will refuse to start if any warning was emitted while |
| 349 | processing the configuration. This helps detect subtle mistakes and keep the |
| 350 | configuration clean and portable across versions. It is recommended to set |
| 351 | this option in service scripts when configurations are managed by humans, |
| 352 | but it is recommended not to use it with generated configurations, which |
| 353 | tend to emit more warnings. It may be combined with "-c" to cause warnings |
| 354 | in checked configurations to fail. This is equivalent to global option |
| 355 | "zero-warning". |
| 356 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 357 | -db : disable background mode and multi-process mode. The process remains in |
| 358 | foreground. It is mainly used during development or during small tests, as |
| 359 | Ctrl-C is enough to stop the process. Never use it in an init script. |
| 360 | |
| 361 | -de : disable the use of the "epoll" poller. It is equivalent to the "global" |
| 362 | section's keyword "noepoll". It is mostly useful when suspecting a bug |
| 363 | related to this poller. On systems supporting epoll, the fallback will |
| 364 | generally be the "poll" poller. |
| 365 | |
| 366 | -dk : disable the use of the "kqueue" poller. It is equivalent to the |
| 367 | "global" section's keyword "nokqueue". It is mostly useful when suspecting |
| 368 | a bug related to this poller. On systems supporting kqueue, the fallback |
| 369 | will generally be the "poll" poller. |
| 370 | |
| 371 | -dp : disable the use of the "poll" poller. It is equivalent to the "global" |
| 372 | section's keyword "nopoll". It is mostly useful when suspecting a bug |
| 373 | related to this poller. On systems supporting poll, the fallback will |
| 374 | generally be the "select" poller, which cannot be disabled and is limited |
| 375 | to 1024 file descriptors. |
| 376 | |
Willy Tarreau | 3eed10e | 2016-11-07 21:03:16 +0100 | [diff] [blame] | 377 | -dr : ignore server address resolution failures. It is very common when |
| 378 | validating a configuration out of production not to have access to the same |
| 379 | resolvers and to fail on server address resolution, making it difficult to |
| 380 | test a configuration. This option simply appends the "none" method to the |
| 381 | list of address resolution methods for all servers, ensuring that even if |
| 382 | the libc fails to resolve an address, the startup sequence is not |
| 383 | interrupted. |
| 384 | |
Willy Tarreau | 7006045 | 2015-12-14 12:46:07 +0100 | [diff] [blame] | 385 | -m <limit> : limit the total allocatable memory to <limit> megabytes across |
| 386 | all processes. This may cause some connection refusals or some slowdowns |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 387 | depending on the amount of memory needed for normal operations. This is |
Willy Tarreau | 7006045 | 2015-12-14 12:46:07 +0100 | [diff] [blame] | 388 | mostly used to force the processes to work in a constrained resource usage |
| 389 | scenario. It is important to note that the memory is not shared between |
| 390 | processes, so in a multi-process scenario, this value is first divided by |
| 391 | global.nbproc before forking. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 392 | |
| 393 | -n <limit> : limits the per-process connection limit to <limit>. This is |
| 394 | equivalent to the global section's keyword "maxconn". It has precedence |
| 395 | over this keyword. This may be used to quickly force lower limits to avoid |
| 396 | a service outage on systems where resource limits are too low. |
| 397 | |
| 398 | -p <file> : write all processes' pids into <file> during startup. This is |
| 399 | equivalent to the "global" section's keyword "pidfile". The file is opened |
| 400 | before entering the chroot jail, and after doing the chdir() implied by |
| 401 | "-C". Each pid appears on its own line. |
| 402 | |
| 403 | -q : set "quiet" mode. This disables some messages during the configuration |
| 404 | parsing and during startup. It can be used in combination with "-c" to |
| 405 | just check if a configuration file is valid or not. |
| 406 | |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 407 | -S <bind>[,bind_options...]: in master-worker mode, bind a master CLI, which |
| 408 | allows the access to every processes, running or leaving ones. |
| 409 | For security reasons, it is recommended to bind the master CLI to a local |
| 410 | UNIX socket. The bind options are the same as the keyword "bind" in |
| 411 | the configuration file with words separated by commas instead of spaces. |
| 412 | |
| 413 | Note that this socket can't be used to retrieve the listening sockets from |
| 414 | an old process during a seamless reload. |
| 415 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 416 | -sf <pid>* : send the "finish" signal (SIGUSR1) to older processes after boot |
| 417 | completion to ask them to finish what they are doing and to leave. <pid> |
| 418 | is a list of pids to signal (one per argument). The list ends on any |
| 419 | option starting with a "-". It is not a problem if the list of pids is |
| 420 | empty, so that it can be built on the fly based on the result of a command |
Frédéric Lécaille | f717a4b | 2022-05-25 15:42:15 +0200 | [diff] [blame] | 421 | like "pidof" or "pgrep". QUIC connections will be aborted. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 422 | |
| 423 | -st <pid>* : send the "terminate" signal (SIGTERM) to older processes after |
| 424 | boot completion to terminate them immediately without finishing what they |
| 425 | were doing. <pid> is a list of pids to signal (one per argument). The list |
| 426 | is ends on any option starting with a "-". It is not a problem if the list |
| 427 | of pids is empty, so that it can be built on the fly based on the result of |
| 428 | a command like "pidof" or "pgrep". |
| 429 | |
| 430 | -v : report the version and build date. |
| 431 | |
| 432 | -vv : display the version, build options, libraries versions and usable |
| 433 | pollers. This output is systematically requested when filing a bug report. |
| 434 | |
Olivier Houchard | d33fc3a | 2017-04-05 22:50:59 +0200 | [diff] [blame] | 435 | -x <unix_socket> : connect to the specified socket and try to retrieve any |
| 436 | listening sockets from the old process, and use them instead of trying to |
| 437 | bind new ones. This is useful to avoid missing any new connection when |
William Lallemand | f6975e9 | 2017-05-26 17:42:10 +0200 | [diff] [blame] | 438 | reloading the configuration on Linux. The capability must be enable on the |
| 439 | stats socket using "expose-fd listeners" in your configuration. |
William Lallemand | 2be557f | 2021-11-24 18:45:37 +0100 | [diff] [blame] | 440 | In master-worker mode, the master will use this option upon a reload with |
| 441 | the "sockpair@" syntax, which allows the master to connect directly to a |
| 442 | worker without using stats socket declared in the configuration. |
Olivier Houchard | d33fc3a | 2017-04-05 22:50:59 +0200 | [diff] [blame] | 443 | |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 444 | A safe way to start HAProxy from an init file consists in forcing the daemon |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 445 | mode, storing existing pids to a pid file and using this pid file to notify |
| 446 | older processes to finish before leaving : |
| 447 | |
| 448 | haproxy -f /etc/haproxy.cfg \ |
| 449 | -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) |
| 450 | |
| 451 | When the configuration is split into a few specific files (eg: tcp vs http), |
| 452 | it is recommended to use the "-f" option : |
| 453 | |
| 454 | haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \ |
| 455 | -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \ |
| 456 | -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \ |
| 457 | -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) |
| 458 | |
| 459 | When an unknown number of files is expected, such as customer-specific files, |
| 460 | it is recommended to assign them a name starting with a fixed-size sequence |
| 461 | number and to use "--" to load them, possibly after loading some defaults : |
| 462 | |
| 463 | haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \ |
| 464 | -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \ |
| 465 | -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \ |
| 466 | -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) \ |
| 467 | -f /etc/haproxy/default-customers.cfg -- /etc/haproxy/customers/* |
| 468 | |
| 469 | Sometimes a failure to start may happen for whatever reason. Then it is |
| 470 | important to verify if the version of HAProxy you are invoking is the expected |
| 471 | version and if it supports the features you are expecting (eg: SSL, PCRE, |
| 472 | compression, Lua, etc). This can be verified using "haproxy -vv". Some |
| 473 | important information such as certain build options, the target system and |
| 474 | the versions of the libraries being used are reported there. It is also what |
| 475 | you will systematically be asked for when posting a bug report : |
| 476 | |
| 477 | $ haproxy -vv |
Willy Tarreau | 58000fe | 2021-05-09 06:25:16 +0200 | [diff] [blame] | 478 | HAProxy version 1.6-dev7-a088d3-4 2015/10/08 |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 479 | Copyright 2000-2015 Willy Tarreau <willy@haproxy.org> |
| 480 | |
| 481 | Build options : |
| 482 | TARGET = linux2628 |
| 483 | CPU = generic |
| 484 | CC = gcc |
| 485 | CFLAGS = -pg -O0 -g -fno-strict-aliasing -Wdeclaration-after-statement \ |
| 486 | -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSO_MARK=36 -DTCP_REPAIR=19 |
| 487 | OPTIONS = USE_ZLIB=1 USE_DLMALLOC=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 |
| 488 | |
| 489 | Default settings : |
| 490 | maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200 |
| 491 | |
| 492 | Encrypted password support via crypt(3): yes |
| 493 | Built with zlib version : 1.2.6 |
| 494 | Compression algorithms supported : identity("identity"), deflate("deflate"), \ |
| 495 | raw-deflate("deflate"), gzip("gzip") |
| 496 | Built with OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015 |
| 497 | Running on OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015 |
| 498 | OpenSSL library supports TLS extensions : yes |
| 499 | OpenSSL library supports SNI : yes |
| 500 | OpenSSL library supports prefer-server-ciphers : yes |
| 501 | Built with PCRE version : 8.12 2011-01-15 |
| 502 | PCRE library supports JIT : no (USE_PCRE_JIT not set) |
| 503 | Built with Lua version : Lua 5.3.1 |
| 504 | Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND |
| 505 | |
| 506 | Available polling systems : |
| 507 | epoll : pref=300, test result OK |
| 508 | poll : pref=200, test result OK |
| 509 | select : pref=150, test result OK |
| 510 | Total: 3 (3 usable), will use epoll. |
| 511 | |
| 512 | The relevant information that many non-developer users can verify here are : |
| 513 | - the version : 1.6-dev7-a088d3-4 above means the code is currently at commit |
| 514 | ID "a088d3" which is the 4th one after after official version "1.6-dev7". |
| 515 | Version 1.6-dev7 would show as "1.6-dev7-8c1ad7". What matters here is in |
| 516 | fact "1.6-dev7". This is the 7th development version of what will become |
| 517 | version 1.6 in the future. A development version not suitable for use in |
| 518 | production (unless you know exactly what you are doing). A stable version |
| 519 | will show as a 3-numbers version, such as "1.5.14-16f863", indicating the |
| 520 | 14th level of fix on top of version 1.5. This is a production-ready version. |
| 521 | |
| 522 | - the release date : 2015/10/08. It is represented in the universal |
| 523 | year/month/day format. Here this means August 8th, 2015. Given that stable |
| 524 | releases are issued every few months (1-2 months at the beginning, sometimes |
| 525 | 6 months once the product becomes very stable), if you're seeing an old date |
| 526 | here, it means you're probably affected by a number of bugs or security |
| 527 | issues that have since been fixed and that it might be worth checking on the |
| 528 | official site. |
| 529 | |
| 530 | - build options : they are relevant to people who build their packages |
| 531 | themselves, they can explain why things are not behaving as expected. For |
| 532 | example the development version above was built for Linux 2.6.28 or later, |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 533 | targeting a generic CPU (no CPU-specific optimizations), and lacks any |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 534 | code optimization (-O0) so it will perform poorly in terms of performance. |
| 535 | |
| 536 | - libraries versions : zlib version is reported as found in the library |
| 537 | itself. In general zlib is considered a very stable product and upgrades |
| 538 | are almost never needed. OpenSSL reports two versions, the version used at |
| 539 | build time and the one being used, as found on the system. These ones may |
| 540 | differ by the last letter but never by the numbers. The build date is also |
| 541 | reported because most OpenSSL bugs are security issues and need to be taken |
| 542 | seriously, so this library absolutely needs to be kept up to date. Seeing a |
| 543 | 4-months old version here is highly suspicious and indeed an update was |
| 544 | missed. PCRE provides very fast regular expressions and is highly |
| 545 | recommended. Certain of its extensions such as JIT are not present in all |
| 546 | versions and still young so some people prefer not to build with them, |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 547 | which is why the build status is reported as well. Regarding the Lua |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 548 | scripting language, HAProxy expects version 5.3 which is very young since |
| 549 | it was released a little time before HAProxy 1.6. It is important to check |
| 550 | on the Lua web site if some fixes are proposed for this branch. |
| 551 | |
| 552 | - Available polling systems will affect the process's scalability when |
| 553 | dealing with more than about one thousand of concurrent connections. These |
| 554 | ones are only available when the correct system was indicated in the TARGET |
| 555 | variable during the build. The "epoll" mechanism is highly recommended on |
| 556 | Linux, and the kqueue mechanism is highly recommended on BSD. Lacking them |
| 557 | will result in poll() or even select() being used, causing a high CPU usage |
| 558 | when dealing with a lot of connections. |
| 559 | |
| 560 | |
| 561 | 4. Stopping and restarting HAProxy |
| 562 | ---------------------------------- |
| 563 | |
| 564 | HAProxy supports a graceful and a hard stop. The hard stop is simple, when the |
| 565 | SIGTERM signal is sent to the haproxy process, it immediately quits and all |
| 566 | established connections are closed. The graceful stop is triggered when the |
| 567 | SIGUSR1 signal is sent to the haproxy process. It consists in only unbinding |
| 568 | from listening ports, but continue to process existing connections until they |
| 569 | close. Once the last connection is closed, the process leaves. |
| 570 | |
| 571 | The hard stop method is used for the "stop" or "restart" actions of the service |
| 572 | management script. The graceful stop is used for the "reload" action which |
| 573 | tries to seamlessly reload a new configuration in a new process. |
| 574 | |
| 575 | Both of these signals may be sent by the new haproxy process itself during a |
| 576 | reload or restart, so that they are sent at the latest possible moment and only |
| 577 | if absolutely required. This is what is performed by the "-st" (hard) and "-sf" |
| 578 | (graceful) options respectively. |
| 579 | |
William Lallemand | e202b1e | 2017-06-01 17:38:56 +0200 | [diff] [blame] | 580 | In master-worker mode, it is not needed to start a new haproxy process in |
| 581 | order to reload the configuration. The master process reacts to the SIGUSR2 |
| 582 | signal by reexecuting itself with the -sf parameter followed by the PIDs of |
| 583 | the workers. The master will then parse the configuration file and fork new |
| 584 | workers. |
| 585 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 586 | To understand better how these signals are used, it is important to understand |
| 587 | the whole restart mechanism. |
| 588 | |
| 589 | First, an existing haproxy process is running. The administrator uses a system |
Jackie Tapia | 749f74c | 2020-07-22 18:59:40 -0500 | [diff] [blame] | 590 | specific command such as "/etc/init.d/haproxy reload" to indicate they want to |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 591 | take the new configuration file into effect. What happens then is the following. |
| 592 | First, the service script (/etc/init.d/haproxy or equivalent) will verify that |
| 593 | the configuration file parses correctly using "haproxy -c". After that it will |
| 594 | try to start haproxy with this configuration file, using "-st" or "-sf". |
| 595 | |
| 596 | Then HAProxy tries to bind to all listening ports. If some fatal errors happen |
| 597 | (eg: address not present on the system, permission denied), the process quits |
| 598 | with an error. If a socket binding fails because a port is already in use, then |
| 599 | the process will first send a SIGTTOU signal to all the pids specified in the |
| 600 | "-st" or "-sf" pid list. This is what is called the "pause" signal. It instructs |
| 601 | all existing haproxy processes to temporarily stop listening to their ports so |
| 602 | that the new process can try to bind again. During this time, the old process |
| 603 | continues to process existing connections. If the binding still fails (because |
| 604 | for example a port is shared with another daemon), then the new process sends a |
| 605 | SIGTTIN signal to the old processes to instruct them to resume operations just |
| 606 | as if nothing happened. The old processes will then restart listening to the |
Jonathon Lacher | c5b5e7b | 2021-08-04 00:29:05 -0500 | [diff] [blame] | 607 | ports and continue to accept connections. Note that this mechanism is system |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 608 | dependent and some operating systems may not support it in multi-process mode. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 609 | |
| 610 | If the new process manages to bind correctly to all ports, then it sends either |
| 611 | the SIGTERM (hard stop in case of "-st") or the SIGUSR1 (graceful stop in case |
| 612 | of "-sf") to all processes to notify them that it is now in charge of operations |
| 613 | and that the old processes will have to leave, either immediately or once they |
| 614 | have finished their job. |
| 615 | |
| 616 | It is important to note that during this timeframe, there are two small windows |
| 617 | of a few milliseconds each where it is possible that a few connection failures |
| 618 | will be noticed during high loads. Typically observed failure rates are around |
| 619 | 1 failure during a reload operation every 10000 new connections per second, |
| 620 | which means that a heavily loaded site running at 30000 new connections per |
| 621 | second may see about 3 failed connection upon every reload. The two situations |
| 622 | where this happens are : |
| 623 | |
| 624 | - if the new process fails to bind due to the presence of the old process, |
| 625 | it will first have to go through the SIGTTOU+SIGTTIN sequence, which |
| 626 | typically lasts about one millisecond for a few tens of frontends, and |
| 627 | during which some ports will not be bound to the old process and not yet |
| 628 | bound to the new one. HAProxy works around this on systems that support the |
| 629 | SO_REUSEPORT socket options, as it allows the new process to bind without |
| 630 | first asking the old one to unbind. Most BSD systems have been supporting |
| 631 | this almost forever. Linux has been supporting this in version 2.0 and |
| 632 | dropped it around 2.2, but some patches were floating around by then. It |
| 633 | was reintroduced in kernel 3.9, so if you are observing a connection |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 634 | failure rate above the one mentioned above, please ensure that your kernel |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 635 | is 3.9 or newer, or that relevant patches were backported to your kernel |
| 636 | (less likely). |
| 637 | |
| 638 | - when the old processes close the listening ports, the kernel may not always |
| 639 | redistribute any pending connection that was remaining in the socket's |
| 640 | backlog. Under high loads, a SYN packet may happen just before the socket |
| 641 | is closed, and will lead to an RST packet being sent to the client. In some |
| 642 | critical environments where even one drop is not acceptable, these ones are |
| 643 | sometimes dealt with using firewall rules to block SYN packets during the |
| 644 | reload, forcing the client to retransmit. This is totally system-dependent, |
| 645 | as some systems might be able to visit other listening queues and avoid |
| 646 | this RST. A second case concerns the ACK from the client on a local socket |
| 647 | that was in SYN_RECV state just before the close. This ACK will lead to an |
| 648 | RST packet while the haproxy process is still not aware of it. This one is |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 649 | harder to get rid of, though the firewall filtering rules mentioned above |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 650 | will work well if applied one second or so before restarting the process. |
| 651 | |
| 652 | For the vast majority of users, such drops will never ever happen since they |
| 653 | don't have enough load to trigger the race conditions. And for most high traffic |
| 654 | users, the failure rate is still fairly within the noise margin provided that at |
| 655 | least SO_REUSEPORT is properly supported on their systems. |
| 656 | |
Frédéric Lécaille | f717a4b | 2022-05-25 15:42:15 +0200 | [diff] [blame] | 657 | QUIC limitations: soft-stop is not supported. In case of reload, QUIC connections |
| 658 | will not be preserved. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 659 | |
| 660 | 5. File-descriptor limitations |
| 661 | ------------------------------ |
| 662 | |
| 663 | In order to ensure that all incoming connections will successfully be served, |
| 664 | HAProxy computes at load time the total number of file descriptors that will be |
| 665 | needed during the process's life. A regular Unix process is generally granted |
| 666 | 1024 file descriptors by default, and a privileged process can raise this limit |
| 667 | itself. This is one reason for starting HAProxy as root and letting it adjust |
| 668 | the limit. The default limit of 1024 file descriptors roughly allow about 500 |
| 669 | concurrent connections to be processed. The computation is based on the global |
| 670 | maxconn parameter which limits the total number of connections per process, the |
| 671 | number of listeners, the number of servers which have a health check enabled, |
| 672 | the agent checks, the peers, the loggers and possibly a few other technical |
| 673 | requirements. A simple rough estimate of this number consists in simply |
| 674 | doubling the maxconn value and adding a few tens to get the approximate number |
| 675 | of file descriptors needed. |
| 676 | |
| 677 | Originally HAProxy did not know how to compute this value, and it was necessary |
| 678 | to pass the value using the "ulimit-n" setting in the global section. This |
| 679 | explains why even today a lot of configurations are seen with this setting |
| 680 | present. Unfortunately it was often miscalculated resulting in connection |
| 681 | failures when approaching maxconn instead of throttling incoming connection |
| 682 | while waiting for the needed resources. For this reason it is important to |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 683 | remove any vestigial "ulimit-n" setting that can remain from very old versions. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 684 | |
| 685 | Raising the number of file descriptors to accept even moderate loads is |
| 686 | mandatory but comes with some OS-specific adjustments. First, the select() |
| 687 | polling system is limited to 1024 file descriptors. In fact on Linux it used |
| 688 | to be capable of handling more but since certain OS ship with excessively |
| 689 | restrictive SELinux policies forbidding the use of select() with more than |
| 690 | 1024 file descriptors, HAProxy now refuses to start in this case in order to |
| 691 | avoid any issue at run time. On all supported operating systems, poll() is |
| 692 | available and will not suffer from this limitation. It is automatically picked |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 693 | so there is nothing to do to get a working configuration. But poll's becomes |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 694 | very slow when the number of file descriptors increases. While HAProxy does its |
| 695 | best to limit this performance impact (eg: via the use of the internal file |
| 696 | descriptor cache and batched processing), a good rule of thumb is that using |
| 697 | poll() with more than a thousand concurrent connections will use a lot of CPU. |
| 698 | |
| 699 | For Linux systems base on kernels 2.6 and above, the epoll() system call will |
| 700 | be used. It's a much more scalable mechanism relying on callbacks in the kernel |
| 701 | that guarantee a constant wake up time regardless of the number of registered |
| 702 | monitored file descriptors. It is automatically used where detected, provided |
| 703 | that HAProxy had been built for one of the Linux flavors. Its presence and |
| 704 | support can be verified using "haproxy -vv". |
| 705 | |
| 706 | For BSD systems which support it, kqueue() is available as an alternative. It |
| 707 | is much faster than poll() and even slightly faster than epoll() thanks to its |
| 708 | batched handling of changes. At least FreeBSD and OpenBSD support it. Just like |
| 709 | with Linux's epoll(), its support and availability are reported in the output |
| 710 | of "haproxy -vv". |
| 711 | |
| 712 | Having a good poller is one thing, but it is mandatory that the process can |
| 713 | reach the limits. When HAProxy starts, it immediately sets the new process's |
| 714 | file descriptor limits and verifies if it succeeds. In case of failure, it |
| 715 | reports it before forking so that the administrator can see the problem. As |
| 716 | long as the process is started by as root, there should be no reason for this |
| 717 | setting to fail. However, it can fail if the process is started by an |
| 718 | unprivileged user. If there is a compelling reason for *not* starting haproxy |
| 719 | as root (eg: started by end users, or by a per-application account), then the |
| 720 | file descriptor limit can be raised by the system administrator for this |
| 721 | specific user. The effectiveness of the setting can be verified by issuing |
| 722 | "ulimit -n" from the user's command line. It should reflect the new limit. |
| 723 | |
| 724 | Warning: when an unprivileged user's limits are changed in this user's account, |
| 725 | it is fairly common that these values are only considered when the user logs in |
| 726 | and not at all in some scripts run at system boot time nor in crontabs. This is |
| 727 | totally dependent on the operating system, keep in mind to check "ulimit -n" |
| 728 | before starting haproxy when running this way. The general advice is never to |
| 729 | start haproxy as an unprivileged user for production purposes. Another good |
| 730 | reason is that it prevents haproxy from enabling some security protections. |
| 731 | |
| 732 | Once it is certain that the system will allow the haproxy process to use the |
| 733 | requested number of file descriptors, two new system-specific limits may be |
| 734 | encountered. The first one is the system-wide file descriptor limit, which is |
| 735 | the total number of file descriptors opened on the system, covering all |
| 736 | processes. When this limit is reached, accept() or socket() will typically |
| 737 | return ENFILE. The second one is the per-process hard limit on the number of |
| 738 | file descriptors, it prevents setrlimit() from being set higher. Both are very |
| 739 | dependent on the operating system. On Linux, the system limit is set at boot |
| 740 | based on the amount of memory. It can be changed with the "fs.file-max" sysctl. |
| 741 | And the per-process hard limit is set to 1048576 by default, but it can be |
| 742 | changed using the "fs.nr_open" sysctl. |
| 743 | |
| 744 | File descriptor limitations may be observed on a running process when they are |
| 745 | set too low. The strace utility will report that accept() and socket() return |
| 746 | "-1 EMFILE" when the process's limits have been reached. In this case, simply |
| 747 | raising the "ulimit-n" value (or removing it) will solve the problem. If these |
| 748 | system calls return "-1 ENFILE" then it means that the kernel's limits have |
| 749 | been reached and that something must be done on a system-wide parameter. These |
| 750 | trouble must absolutely be addressed, as they result in high CPU usage (when |
| 751 | accept() fails) and failed connections that are generally visible to the user. |
| 752 | One solution also consists in lowering the global maxconn value to enforce |
| 753 | serialization, and possibly to disable HTTP keep-alive to force connections |
| 754 | to be released and reused faster. |
| 755 | |
| 756 | |
| 757 | 6. Memory management |
| 758 | -------------------- |
| 759 | |
| 760 | HAProxy uses a simple and fast pool-based memory management. Since it relies on |
| 761 | a small number of different object types, it's much more efficient to pick new |
| 762 | objects from a pool which already contains objects of the appropriate size than |
| 763 | to call malloc() for each different size. The pools are organized as a stack or |
| 764 | LIFO, so that newly allocated objects are taken from recently released objects |
| 765 | still hot in the CPU caches. Pools of similar sizes are merged together, in |
| 766 | order to limit memory fragmentation. |
| 767 | |
| 768 | By default, since the focus is set on performance, each released object is put |
| 769 | back into the pool it came from, and allocated objects are never freed since |
| 770 | they are expected to be reused very soon. |
| 771 | |
| 772 | On the CLI, it is possible to check how memory is being used in pools thanks to |
| 773 | the "show pools" command : |
| 774 | |
| 775 | > show pools |
| 776 | Dumping pools usage. Use SIGQUIT to flush them. |
Willy Tarreau | 0a93b64 | 2018-10-16 07:58:39 +0200 | [diff] [blame] | 777 | - Pool cache_st (16 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccc40=03 [SHARED] |
| 778 | - Pool pipe (32 bytes) : 5 allocated (160 bytes), 5 used, 0 failures, 2 users, @0x9ccac0=00 [SHARED] |
| 779 | - Pool comp_state (48 bytes) : 3 allocated (144 bytes), 3 used, 0 failures, 5 users, @0x9cccc0=04 [SHARED] |
| 780 | - Pool filter (64 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 3 users, @0x9ccbc0=02 [SHARED] |
| 781 | - Pool vars (80 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccb40=01 [SHARED] |
| 782 | - Pool uniqueid (128 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9cd240=15 [SHARED] |
| 783 | - Pool task (144 bytes) : 55 allocated (7920 bytes), 55 used, 0 failures, 1 users, @0x9cd040=11 [SHARED] |
| 784 | - Pool session (160 bytes) : 1 allocated (160 bytes), 1 used, 0 failures, 1 users, @0x9cd140=13 [SHARED] |
| 785 | - Pool h2s (208 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccec0=08 [SHARED] |
| 786 | - Pool h2c (288 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cce40=07 [SHARED] |
| 787 | - Pool spoe_ctx (304 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccf40=09 [SHARED] |
| 788 | - Pool connection (400 bytes) : 2 allocated (800 bytes), 2 used, 0 failures, 1 users, @0x9cd1c0=14 [SHARED] |
| 789 | - Pool hdr_idx (416 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd340=17 [SHARED] |
| 790 | - Pool dns_resolut (480 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccdc0=06 [SHARED] |
| 791 | - Pool dns_answer_ (576 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccd40=05 [SHARED] |
| 792 | - Pool stream (960 bytes) : 1 allocated (960 bytes), 1 used, 0 failures, 1 users, @0x9cd0c0=12 [SHARED] |
| 793 | - Pool requri (1024 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd2c0=16 [SHARED] |
| 794 | - Pool buffer (8030 bytes) : 3 allocated (24090 bytes), 2 used, 0 failures, 1 users, @0x9cd3c0=18 [SHARED] |
| 795 | - Pool trash (8062 bytes) : 1 allocated (8062 bytes), 1 used, 0 failures, 1 users, @0x9cd440=19 |
| 796 | Total: 19 pools, 42296 bytes allocated, 34266 used. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 797 | |
| 798 | The pool name is only indicative, it's the name of the first object type using |
| 799 | this pool. The size in parenthesis is the object size for objects in this pool. |
| 800 | Object sizes are always rounded up to the closest multiple of 16 bytes. The |
| 801 | number of objects currently allocated and the equivalent number of bytes is |
| 802 | reported so that it is easy to know which pool is responsible for the highest |
| 803 | memory usage. The number of objects currently in use is reported as well in the |
| 804 | "used" field. The difference between "allocated" and "used" corresponds to the |
Willy Tarreau | 0a93b64 | 2018-10-16 07:58:39 +0200 | [diff] [blame] | 805 | objects that have been freed and are available for immediate use. The address |
| 806 | at the end of the line is the pool's address, and the following number is the |
| 807 | pool index when it exists, or is reported as -1 if no index was assigned. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 808 | |
| 809 | It is possible to limit the amount of memory allocated per process using the |
| 810 | "-m" command line option, followed by a number of megabytes. It covers all of |
| 811 | the process's addressable space, so that includes memory used by some libraries |
| 812 | as well as the stack, but it is a reliable limit when building a resource |
| 813 | constrained system. It works the same way as "ulimit -v" on systems which have |
| 814 | it, or "ulimit -d" for the other ones. |
| 815 | |
| 816 | If a memory allocation fails due to the memory limit being reached or because |
| 817 | the system doesn't have any enough memory, then haproxy will first start to |
| 818 | free all available objects from all pools before attempting to allocate memory |
| 819 | again. This mechanism of releasing unused memory can be triggered by sending |
| 820 | the signal SIGQUIT to the haproxy process. When doing so, the pools state prior |
| 821 | to the flush will also be reported to stderr when the process runs in |
| 822 | foreground. |
| 823 | |
| 824 | During a reload operation, the process switched to the graceful stop state also |
| 825 | automatically performs some flushes after releasing any connection so that all |
| 826 | possible memory is released to save it for the new process. |
| 827 | |
| 828 | |
| 829 | 7. CPU usage |
| 830 | ------------ |
| 831 | |
| 832 | HAProxy normally spends most of its time in the system and a smaller part in |
| 833 | userland. A finely tuned 3.5 GHz CPU can sustain a rate about 80000 end-to-end |
| 834 | connection setups and closes per second at 100% CPU on a single core. When one |
| 835 | core is saturated, typical figures are : |
| 836 | - 95% system, 5% user for long TCP connections or large HTTP objects |
| 837 | - 85% system and 15% user for short TCP connections or small HTTP objects in |
| 838 | close mode |
| 839 | - 70% system and 30% user for small HTTP objects in keep-alive mode |
| 840 | |
| 841 | The amount of rules processing and regular expressions will increase the user |
| 842 | land part. The presence of firewall rules, connection tracking, complex routing |
| 843 | tables in the system will instead increase the system part. |
| 844 | |
| 845 | On most systems, the CPU time observed during network transfers can be cut in 4 |
| 846 | parts : |
| 847 | - the interrupt part, which concerns all the processing performed upon I/O |
| 848 | receipt, before the target process is even known. Typically Rx packets are |
| 849 | accounted for in interrupt. On some systems such as Linux where interrupt |
| 850 | processing may be deferred to a dedicated thread, it can appear as softirq, |
| 851 | and the thread is called ksoftirqd/0 (for CPU 0). The CPU taking care of |
| 852 | this load is generally defined by the hardware settings, though in the case |
| 853 | of softirq it is often possible to remap the processing to another CPU. |
| 854 | This interrupt part will often be perceived as parasitic since it's not |
| 855 | associated with any process, but it actually is some processing being done |
| 856 | to prepare the work for the process. |
| 857 | |
| 858 | - the system part, which concerns all the processing done using kernel code |
| 859 | called from userland. System calls are accounted as system for example. All |
| 860 | synchronously delivered Tx packets will be accounted for as system time. If |
| 861 | some packets have to be deferred due to queues filling up, they may then be |
| 862 | processed in interrupt context later (eg: upon receipt of an ACK opening a |
| 863 | TCP window). |
| 864 | |
| 865 | - the user part, which exclusively runs application code in userland. HAProxy |
| 866 | runs exclusively in this part, though it makes heavy use of system calls. |
| 867 | Rules processing, regular expressions, compression, encryption all add to |
| 868 | the user portion of CPU consumption. |
| 869 | |
| 870 | - the idle part, which is what the CPU does when there is nothing to do. For |
| 871 | example HAProxy waits for an incoming connection, or waits for some data to |
| 872 | leave, meaning the system is waiting for an ACK from the client to push |
| 873 | these data. |
| 874 | |
| 875 | In practice regarding HAProxy's activity, it is in general reasonably accurate |
| 876 | (but totally inexact) to consider that interrupt/softirq are caused by Rx |
| 877 | processing in kernel drivers, that user-land is caused by layer 7 processing |
| 878 | in HAProxy, and that system time is caused by network processing on the Tx |
| 879 | path. |
| 880 | |
| 881 | Since HAProxy runs around an event loop, it waits for new events using poll() |
| 882 | (or any alternative) and processes all these events as fast as possible before |
| 883 | going back to poll() waiting for new events. It measures the time spent waiting |
| 884 | in poll() compared to the time spent doing processing events. The ratio of |
| 885 | polling time vs total time is called the "idle" time, it's the amount of time |
| 886 | spent waiting for something to happen. This ratio is reported in the stats page |
| 887 | on the "idle" line, or "Idle_pct" on the CLI. When it's close to 100%, it means |
| 888 | the load is extremely low. When it's close to 0%, it means that there is |
| 889 | constantly some activity. While it cannot be very accurate on an overloaded |
| 890 | system due to other processes possibly preempting the CPU from the haproxy |
| 891 | process, it still provides a good estimate about how HAProxy considers it is |
| 892 | working : if the load is low and the idle ratio is low as well, it may indicate |
| 893 | that HAProxy has a lot of work to do, possibly due to very expensive rules that |
| 894 | have to be processed. Conversely, if HAProxy indicates the idle is close to |
| 895 | 100% while things are slow, it means that it cannot do anything to speed things |
| 896 | up because it is already waiting for incoming data to process. In the example |
| 897 | below, haproxy is completely idle : |
| 898 | |
| 899 | $ echo "show info" | socat - /var/run/haproxy.sock | grep ^Idle |
| 900 | Idle_pct: 100 |
| 901 | |
| 902 | When the idle ratio starts to become very low, it is important to tune the |
| 903 | system and place processes and interrupts correctly to save the most possible |
| 904 | CPU resources for all tasks. If a firewall is present, it may be worth trying |
| 905 | to disable it or to tune it to ensure it is not responsible for a large part |
| 906 | of the performance limitation. It's worth noting that unloading a stateful |
| 907 | firewall generally reduces both the amount of interrupt/softirq and of system |
| 908 | usage since such firewalls act both on the Rx and the Tx paths. On Linux, |
| 909 | unloading the nf_conntrack and ip_conntrack modules will show whether there is |
| 910 | anything to gain. If so, then the module runs with default settings and you'll |
| 911 | have to figure how to tune it for better performance. In general this consists |
| 912 | in considerably increasing the hash table size. On FreeBSD, "pfctl -d" will |
| 913 | disable the "pf" firewall and its stateful engine at the same time. |
| 914 | |
| 915 | If it is observed that a lot of time is spent in interrupt/softirq, it is |
| 916 | important to ensure that they don't run on the same CPU. Most systems tend to |
| 917 | pin the tasks on the CPU where they receive the network traffic because for |
| 918 | certain workloads it improves things. But with heavily network-bound workloads |
| 919 | it is the opposite as the haproxy process will have to fight against its kernel |
| 920 | counterpart. Pinning haproxy to one CPU core and the interrupts to another one, |
| 921 | all sharing the same L3 cache tends to sensibly increase network performance |
| 922 | because in practice the amount of work for haproxy and the network stack are |
| 923 | quite close, so they can almost fill an entire CPU each. On Linux this is done |
| 924 | using taskset (for haproxy) or using cpu-map (from the haproxy config), and the |
| 925 | interrupts are assigned under /proc/irq. Many network interfaces support |
| 926 | multiple queues and multiple interrupts. In general it helps to spread them |
| 927 | across a small number of CPU cores provided they all share the same L3 cache. |
| 928 | Please always stop irq_balance which always does the worst possible thing on |
| 929 | such workloads. |
| 930 | |
| 931 | For CPU-bound workloads consisting in a lot of SSL traffic or a lot of |
| 932 | compression, it may be worth using multiple processes dedicated to certain |
| 933 | tasks, though there is no universal rule here and experimentation will have to |
| 934 | be performed. |
| 935 | |
| 936 | In order to increase the CPU capacity, it is possible to make HAProxy run as |
| 937 | several processes, using the "nbproc" directive in the global section. There |
| 938 | are some limitations though : |
| 939 | - health checks are run per process, so the target servers will get as many |
| 940 | checks as there are running processes ; |
| 941 | - maxconn values and queues are per-process so the correct value must be set |
| 942 | to avoid overloading the servers ; |
| 943 | - outgoing connections should avoid using port ranges to avoid conflicts |
| 944 | - stick-tables are per process and are not shared between processes ; |
| 945 | - each peers section may only run on a single process at a time ; |
| 946 | - the CLI operations will only act on a single process at a time. |
| 947 | |
| 948 | With this in mind, it appears that the easiest setup often consists in having |
| 949 | one first layer running on multiple processes and in charge for the heavy |
| 950 | processing, passing the traffic to a second layer running in a single process. |
| 951 | This mechanism is suited to SSL and compression which are the two CPU-heavy |
| 952 | features. Instances can easily be chained over UNIX sockets (which are cheaper |
fengpeiyuan | cc123c6 | 2016-01-15 16:40:53 +0800 | [diff] [blame] | 953 | than TCP sockets and which do not waste ports), and the proxy protocol which is |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 954 | useful to pass client information to the next stage. When doing so, it is |
| 955 | generally a good idea to bind all the single-process tasks to process number 1 |
| 956 | and extra tasks to next processes, as this will make it easier to generate |
| 957 | similar configurations for different machines. |
| 958 | |
| 959 | On Linux versions 3.9 and above, running HAProxy in multi-process mode is much |
| 960 | more efficient when each process uses a distinct listening socket on the same |
| 961 | IP:port ; this will make the kernel evenly distribute the load across all |
| 962 | processes instead of waking them all up. Please check the "process" option of |
| 963 | the "bind" keyword lines in the configuration manual for more information. |
| 964 | |
| 965 | |
| 966 | 8. Logging |
| 967 | ---------- |
| 968 | |
| 969 | For logging, HAProxy always relies on a syslog server since it does not perform |
| 970 | any file-system access. The standard way of using it is to send logs over UDP |
| 971 | to the log server (by default on port 514). Very commonly this is configured to |
| 972 | 127.0.0.1 where the local syslog daemon is running, but it's also used over the |
| 973 | network to log to a central server. The central server provides additional |
| 974 | benefits especially in active-active scenarios where it is desirable to keep |
| 975 | the logs merged in arrival order. HAProxy may also make use of a UNIX socket to |
| 976 | send its logs to the local syslog daemon, but it is not recommended at all, |
| 977 | because if the syslog server is restarted while haproxy runs, the socket will |
| 978 | be replaced and new logs will be lost. Since HAProxy will be isolated inside a |
| 979 | chroot jail, it will not have the ability to reconnect to the new socket. It |
| 980 | has also been observed in field that the log buffers in use on UNIX sockets are |
| 981 | very small and lead to lost messages even at very light loads. But this can be |
| 982 | fine for testing however. |
| 983 | |
| 984 | It is recommended to add the following directive to the "global" section to |
| 985 | make HAProxy log to the local daemon using facility "local0" : |
| 986 | |
| 987 | log 127.0.0.1:514 local0 |
| 988 | |
| 989 | and then to add the following one to each "defaults" section or to each frontend |
| 990 | and backend section : |
| 991 | |
| 992 | log global |
| 993 | |
| 994 | This way, all logs will be centralized through the global definition of where |
| 995 | the log server is. |
| 996 | |
| 997 | Some syslog daemons do not listen to UDP traffic by default, so depending on |
| 998 | the daemon being used, the syntax to enable this will vary : |
| 999 | |
| 1000 | - on sysklogd, you need to pass argument "-r" on the daemon's command line |
| 1001 | so that it listens to a UDP socket for "remote" logs ; note that there is |
| 1002 | no way to limit it to address 127.0.0.1 so it will also receive logs from |
| 1003 | remote systems ; |
| 1004 | |
| 1005 | - on rsyslogd, the following lines must be added to the configuration file : |
| 1006 | |
| 1007 | $ModLoad imudp |
| 1008 | $UDPServerAddress * |
| 1009 | $UDPServerRun 514 |
| 1010 | |
| 1011 | - on syslog-ng, a new source can be created the following way, it then needs |
| 1012 | to be added as a valid source in one of the "log" directives : |
| 1013 | |
| 1014 | source s_udp { |
| 1015 | udp(ip(127.0.0.1) port(514)); |
| 1016 | }; |
| 1017 | |
| 1018 | Please consult your syslog daemon's manual for more information. If no logs are |
| 1019 | seen in the system's log files, please consider the following tests : |
| 1020 | |
| 1021 | - restart haproxy. Each frontend and backend logs one line indicating it's |
| 1022 | starting. If these logs are received, it means logs are working. |
| 1023 | |
| 1024 | - run "strace -tt -s100 -etrace=sendmsg -p <haproxy's pid>" and perform some |
| 1025 | activity that you expect to be logged. You should see the log messages |
| 1026 | being sent using sendmsg() there. If they don't appear, restart using |
| 1027 | strace on top of haproxy. If you still see no logs, it definitely means |
| 1028 | that something is wrong in your configuration. |
| 1029 | |
| 1030 | - run tcpdump to watch for port 514, for example on the loopback interface if |
| 1031 | the traffic is being sent locally : "tcpdump -As0 -ni lo port 514". If the |
| 1032 | packets are seen there, it's the proof they're sent then the syslogd daemon |
| 1033 | needs to be troubleshooted. |
| 1034 | |
| 1035 | While traffic logs are sent from the frontends (where the incoming connections |
| 1036 | are accepted), backends also need to be able to send logs in order to report a |
| 1037 | server state change consecutive to a health check. Please consult HAProxy's |
| 1038 | configuration manual for more information regarding all possible log settings. |
| 1039 | |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 1040 | It is convenient to chose a facility that is not used by other daemons. HAProxy |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 1041 | examples often suggest "local0" for traffic logs and "local1" for admin logs |
| 1042 | because they're never seen in field. A single facility would be enough as well. |
| 1043 | Having separate logs is convenient for log analysis, but it's also important to |
| 1044 | remember that logs may sometimes convey confidential information, and as such |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 1045 | they must not be mixed with other logs that may accidentally be handed out to |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 1046 | unauthorized people. |
| 1047 | |
| 1048 | For in-field troubleshooting without impacting the server's capacity too much, |
| 1049 | it is recommended to make use of the "halog" utility provided with HAProxy. |
| 1050 | This is sort of a grep-like utility designed to process HAProxy log files at |
| 1051 | a very fast data rate. Typical figures range between 1 and 2 GB of logs per |
| 1052 | second. It is capable of extracting only certain logs (eg: search for some |
| 1053 | classes of HTTP status codes, connection termination status, search by response |
| 1054 | time ranges, look for errors only), count lines, limit the output to a number |
| 1055 | of lines, and perform some more advanced statistics such as sorting servers |
| 1056 | by response time or error counts, sorting URLs by time or count, sorting client |
| 1057 | addresses by access count, and so on. It is pretty convenient to quickly spot |
| 1058 | anomalies such as a bot looping on the site, and block them. |
| 1059 | |
| 1060 | |
| 1061 | 9. Statistics and monitoring |
| 1062 | ---------------------------- |
| 1063 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1064 | It is possible to query HAProxy about its status. The most commonly used |
| 1065 | mechanism is the HTTP statistics page. This page also exposes an alternative |
| 1066 | CSV output format for monitoring tools. The same format is provided on the |
| 1067 | Unix socket. |
| 1068 | |
Amaury Denoyelle | 072f97e | 2020-10-05 11:49:37 +0200 | [diff] [blame] | 1069 | Statistics are regroup in categories labelled as domains, corresponding to the |
Ilya Shipitsin | 2272d8a | 2020-12-21 01:22:40 +0500 | [diff] [blame] | 1070 | multiple components of HAProxy. There are two domains available: proxy and dns. |
Amaury Denoyelle | fbd0bc9 | 2020-10-05 11:49:46 +0200 | [diff] [blame] | 1071 | If not specified, the proxy domain is selected. Note that only the proxy |
| 1072 | statistics are printed on the HTTP page. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1073 | |
| 1074 | 9.1. CSV format |
| 1075 | --------------- |
| 1076 | |
| 1077 | The statistics may be consulted either from the unix socket or from the HTTP |
| 1078 | page. Both means provide a CSV format whose fields follow. The first line |
| 1079 | begins with a sharp ('#') and has one word per comma-delimited field which |
| 1080 | represents the title of the column. All other lines starting at the second one |
| 1081 | use a classical CSV format using a comma as the delimiter, and the double quote |
| 1082 | ('"') as an optional text delimiter, but only if the enclosed text is ambiguous |
| 1083 | (if it contains a quote or a comma). The double-quote character ('"') in the |
| 1084 | text is doubled ('""'), which is the format that most tools recognize. Please |
| 1085 | do not insert any column before these ones in order not to break tools which |
| 1086 | use hard-coded column positions. |
| 1087 | |
Amaury Denoyelle | 50660a8 | 2020-10-05 11:49:39 +0200 | [diff] [blame] | 1088 | For proxy statistics, after each field name, the types which may have a value |
| 1089 | for that field are specified in brackets. The types are L (Listeners), F |
| 1090 | (Frontends), B (Backends), and S (Servers). There is a fixed set of static |
| 1091 | fields that are always available in the same order. A column containing the |
| 1092 | character '-' delimits the end of the static fields, after which presence or |
| 1093 | order of the fields are not guaranteed. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1094 | |
Amaury Denoyelle | 50660a8 | 2020-10-05 11:49:39 +0200 | [diff] [blame] | 1095 | Here is the list of static fields using the proxy statistics domain: |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1096 | 0. pxname [LFBS]: proxy name |
| 1097 | 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend, |
| 1098 | any name for server/listener) |
| 1099 | 2. qcur [..BS]: current queued requests. For the backend this reports the |
| 1100 | number queued without a server assigned. |
| 1101 | 3. qmax [..BS]: max value of qcur |
| 1102 | 4. scur [LFBS]: current sessions |
| 1103 | 5. smax [LFBS]: max sessions |
| 1104 | 6. slim [LFBS]: configured session limit |
Willy Tarreau | c73810f | 2016-01-11 13:52:04 +0100 | [diff] [blame] | 1105 | 7. stot [LFBS]: cumulative number of sessions |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1106 | 8. bin [LFBS]: bytes in |
| 1107 | 9. bout [LFBS]: bytes out |
| 1108 | 10. dreq [LFB.]: requests denied because of security concerns. |
| 1109 | - For tcp this is because of a matched tcp-request content rule. |
| 1110 | - For http this is because of a matched http-request or tarpit rule. |
| 1111 | 11. dresp [LFBS]: responses denied because of security concerns. |
| 1112 | - For http this is because of a matched http-request rule, or |
| 1113 | "option checkcache". |
| 1114 | 12. ereq [LF..]: request errors. Some of the possible causes are: |
| 1115 | - early termination from the client, before the request has been sent. |
| 1116 | - read error from the client |
| 1117 | - client timeout |
| 1118 | - client closed connection |
| 1119 | - various bad requests from the client. |
| 1120 | - request was tarpitted. |
| 1121 | 13. econ [..BS]: number of requests that encountered an error trying to |
| 1122 | connect to a backend server. The backend stat is the sum of the stat |
| 1123 | for all servers of that backend, plus any connection errors not |
| 1124 | associated with a particular server (such as the backend having no |
| 1125 | active servers). |
| 1126 | 14. eresp [..BS]: response errors. srv_abrt will be counted here also. |
| 1127 | Some other errors are: |
| 1128 | - write error on the client socket (won't be counted for the server stat) |
| 1129 | - failure applying filters to the response. |
| 1130 | 15. wretr [..BS]: number of times a connection to a server was retried. |
| 1131 | 16. wredis [..BS]: number of times a request was redispatched to another |
| 1132 | server. The server value counts the number of times that server was |
| 1133 | switched away from. |
Willy Tarreau | b96dd28 | 2016-11-09 14:45:51 +0100 | [diff] [blame] | 1134 | 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)/MAINT(resolution)...) |
Willy Tarreau | bd71510 | 2020-10-23 22:44:30 +0200 | [diff] [blame] | 1135 | 18. weight [..BS]: total effective weight (backend), effective weight (server) |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1136 | 19. act [..BS]: number of active servers (backend), server is active (server) |
| 1137 | 20. bck [..BS]: number of backup servers (backend), server is backup (server) |
| 1138 | 21. chkfail [...S]: number of failed checks. (Only counts checks failed when |
| 1139 | the server is up.) |
| 1140 | 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts |
| 1141 | transitions to the whole backend being down, rather than the sum of the |
| 1142 | counters for each server. |
| 1143 | 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition |
| 1144 | 24. downtime [..BS]: total downtime (in seconds). The value for the backend |
| 1145 | is the downtime for the whole backend, not the sum of the server downtime. |
| 1146 | 25. qlimit [...S]: configured maxqueue for the server, or nothing in the |
| 1147 | value is 0 (default, meaning no limit) |
| 1148 | 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...) |
| 1149 | 27. iid [LFBS]: unique proxy id |
| 1150 | 28. sid [L..S]: server id (unique inside a proxy) |
| 1151 | 29. throttle [...S]: current throttle percentage for the server, when |
| 1152 | slowstart is active, or no value if not in slowstart. |
| 1153 | 30. lbtot [..BS]: total number of times a server was selected, either for new |
| 1154 | sessions, or when re-dispatching. The server counter is the number |
| 1155 | of times that server was selected. |
| 1156 | 31. tracked [...S]: id of proxy/server if tracking is enabled. |
| 1157 | 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener) |
| 1158 | 33. rate [.FBS]: number of sessions per second over last elapsed second |
| 1159 | 34. rate_lim [.F..]: configured limit on new sessions per second |
| 1160 | 35. rate_max [.FBS]: max number of new sessions per second |
| 1161 | 36. check_status [...S]: status of last health check, one of: |
| 1162 | UNK -> unknown |
| 1163 | INI -> initializing |
| 1164 | SOCKERR -> socket error |
| 1165 | L4OK -> check passed on layer 4, no upper layers testing enabled |
| 1166 | L4TOUT -> layer 1-4 timeout |
| 1167 | L4CON -> layer 1-4 connection problem, for example |
| 1168 | "Connection refused" (tcp rst) or "No route to host" (icmp) |
| 1169 | L6OK -> check passed on layer 6 |
| 1170 | L6TOUT -> layer 6 (SSL) timeout |
| 1171 | L6RSP -> layer 6 invalid response - protocol error |
| 1172 | L7OK -> check passed on layer 7 |
| 1173 | L7OKC -> check conditionally passed on layer 7, for example 404 with |
| 1174 | disable-on-404 |
| 1175 | L7TOUT -> layer 7 (HTTP/SMTP) timeout |
| 1176 | L7RSP -> layer 7 invalid response - protocol error |
| 1177 | L7STS -> layer 7 response error, for example HTTP 5xx |
Daniel Schneller | b6c8b0d | 2017-09-01 19:13:55 +0200 | [diff] [blame] | 1178 | Notice: If a check is currently running, the last known status will be |
| 1179 | reported, prefixed with "* ". e. g. "* L7OK". |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1180 | 37. check_code [...S]: layer5-7 code, if available |
| 1181 | 38. check_duration [...S]: time in ms took to finish last health check |
| 1182 | 39. hrsp_1xx [.FBS]: http responses with 1xx code |
| 1183 | 40. hrsp_2xx [.FBS]: http responses with 2xx code |
| 1184 | 41. hrsp_3xx [.FBS]: http responses with 3xx code |
| 1185 | 42. hrsp_4xx [.FBS]: http responses with 4xx code |
| 1186 | 43. hrsp_5xx [.FBS]: http responses with 5xx code |
| 1187 | 44. hrsp_other [.FBS]: http responses with other codes (protocol error) |
| 1188 | 45. hanafail [...S]: failed health checks details |
| 1189 | 46. req_rate [.F..]: HTTP requests per second over last elapsed second |
| 1190 | 47. req_rate_max [.F..]: max number of HTTP requests per second observed |
Willy Tarreau | fb981bd | 2016-12-12 14:31:46 +0100 | [diff] [blame] | 1191 | 48. req_tot [.FB.]: total number of HTTP requests received |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1192 | 49. cli_abrt [..BS]: number of data transfers aborted by the client |
| 1193 | 50. srv_abrt [..BS]: number of data transfers aborted by the server |
| 1194 | (inc. in eresp) |
| 1195 | 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor |
| 1196 | 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor |
| 1197 | 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor |
| 1198 | (CPU/BW limit) |
| 1199 | 54. comp_rsp [.FB.]: number of HTTP responses that were compressed |
| 1200 | 55. lastsess [..BS]: number of seconds since last session assigned to |
| 1201 | server/backend |
| 1202 | 56. last_chk [...S]: last health check contents or textual error |
| 1203 | 57. last_agt [...S]: last agent check contents or textual error |
| 1204 | 58. qtime [..BS]: the average queue time in ms over the 1024 last requests |
| 1205 | 59. ctime [..BS]: the average connect time in ms over the 1024 last requests |
| 1206 | 60. rtime [..BS]: the average response time in ms over the 1024 last requests |
| 1207 | (0 for TCP) |
| 1208 | 61. ttime [..BS]: the average total session time in ms over the 1024 last |
| 1209 | requests |
Willy Tarreau | 7f61884 | 2016-01-08 11:40:03 +0100 | [diff] [blame] | 1210 | 62. agent_status [...S]: status of last agent check, one of: |
| 1211 | UNK -> unknown |
| 1212 | INI -> initializing |
| 1213 | SOCKERR -> socket error |
| 1214 | L4OK -> check passed on layer 4, no upper layers testing enabled |
| 1215 | L4TOUT -> layer 1-4 timeout |
| 1216 | L4CON -> layer 1-4 connection problem, for example |
| 1217 | "Connection refused" (tcp rst) or "No route to host" (icmp) |
| 1218 | L7OK -> agent reported "up" |
| 1219 | L7STS -> agent reported "fail", "stop", or "down" |
| 1220 | 63. agent_code [...S]: numeric code reported by agent if any (unused for now) |
| 1221 | 64. agent_duration [...S]: time in ms taken to finish last check |
Willy Tarreau | dd7354b | 2016-01-08 13:47:26 +0100 | [diff] [blame] | 1222 | 65. check_desc [...S]: short human-readable description of check_status |
| 1223 | 66. agent_desc [...S]: short human-readable description of agent_status |
Willy Tarreau | 3141f59 | 2016-01-08 14:25:28 +0100 | [diff] [blame] | 1224 | 67. check_rise [...S]: server's "rise" parameter used by checks |
| 1225 | 68. check_fall [...S]: server's "fall" parameter used by checks |
| 1226 | 69. check_health [...S]: server's health check value between 0 and rise+fall-1 |
| 1227 | 70. agent_rise [...S]: agent's "rise" parameter, normally 1 |
| 1228 | 71. agent_fall [...S]: agent's "fall" parameter, normally 1 |
| 1229 | 72. agent_health [...S]: agent's health parameter, between 0 and rise+fall-1 |
Willy Tarreau | a6f5a73 | 2016-01-08 16:59:56 +0100 | [diff] [blame] | 1230 | 73. addr [L..S]: address:port or "unix". IPv6 has brackets around the address. |
Willy Tarreau | e4847c6 | 2016-01-08 15:43:54 +0100 | [diff] [blame] | 1231 | 74: cookie [..BS]: server's cookie value or backend's cookie name |
Willy Tarreau | f8211df | 2016-01-11 14:09:38 +0100 | [diff] [blame] | 1232 | 75: mode [LFBS]: proxy mode (tcp, http, health, unknown) |
Willy Tarreau | f1516d9 | 2016-01-11 14:48:36 +0100 | [diff] [blame] | 1233 | 76: algo [..B.]: load balancing algorithm |
Willy Tarreau | c73810f | 2016-01-11 13:52:04 +0100 | [diff] [blame] | 1234 | 77: conn_rate [.F..]: number of connections over the last elapsed second |
| 1235 | 78: conn_rate_max [.F..]: highest known conn_rate |
| 1236 | 79: conn_tot [.F..]: cumulative number of connections |
Willy Tarreau | 5b9bdff | 2016-01-11 14:40:47 +0100 | [diff] [blame] | 1237 | 80: intercepted [.FB.]: cum. number of intercepted requests (monitor, stats) |
Willy Tarreau | 8a90b8e | 2016-10-21 18:15:32 +0200 | [diff] [blame] | 1238 | 81: dcon [LF..]: requests denied by "tcp-request connection" rules |
Willy Tarreau | a5bc36b | 2016-10-21 18:16:27 +0200 | [diff] [blame] | 1239 | 82: dses [LF..]: requests denied by "tcp-request session" rules |
Willy Tarreau | ea96a82 | 2018-05-28 15:15:43 +0200 | [diff] [blame] | 1240 | 83: wrew [LFBS]: cumulative number of failed header rewriting warnings |
Jérôme Magnin | 708eb88 | 2019-07-17 09:24:46 +0200 | [diff] [blame] | 1241 | 84: connect [..BS]: cumulative number of connection establishment attempts |
| 1242 | 85: reuse [..BS]: cumulative number of connection reuses |
Willy Tarreau | 7297429 | 2019-11-08 07:29:34 +0100 | [diff] [blame] | 1243 | 86: cache_lookups [.FB.]: cumulative number of cache lookups |
Jérôme Magnin | 34ebb5c | 2019-07-17 14:04:40 +0200 | [diff] [blame] | 1244 | 87: cache_hits [.FB.]: cumulative number of cache hits |
Christopher Faulet | 2ac2574 | 2019-11-08 15:27:27 +0100 | [diff] [blame] | 1245 | 88: srv_icur [...S]: current number of idle connections available for reuse |
| 1246 | 89: src_ilim [...S]: limit on the number of available idle connections |
| 1247 | 90. qtime_max [..BS]: the maximum observed queue time in ms |
| 1248 | 91. ctime_max [..BS]: the maximum observed connect time in ms |
| 1249 | 92. rtime_max [..BS]: the maximum observed response time in ms (0 for TCP) |
| 1250 | 93. ttime_max [..BS]: the maximum observed total session time in ms |
Christopher Faulet | 0159ee4 | 2019-12-16 14:40:39 +0100 | [diff] [blame] | 1251 | 94. eint [LFBS]: cumulative number of internal errors |
Pierre Cheynier | 08eb718 | 2020-10-08 16:37:14 +0200 | [diff] [blame] | 1252 | 95. idle_conn_cur [...S]: current number of unsafe idle connections |
| 1253 | 96. safe_conn_cur [...S]: current number of safe idle connections |
| 1254 | 97. used_conn_cur [...S]: current number of connections in use |
| 1255 | 98. need_conn_est [...S]: estimated needed number of connections |
Willy Tarreau | bd71510 | 2020-10-23 22:44:30 +0200 | [diff] [blame] | 1256 | 99. uweight [..BS]: total user weight (backend), server user weight (server) |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1257 | |
Amaury Denoyelle | 50660a8 | 2020-10-05 11:49:39 +0200 | [diff] [blame] | 1258 | For all other statistics domains, the presence or the order of the fields are |
| 1259 | not guaranteed. In this case, the header line should always be used to parse |
| 1260 | the CSV data. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1261 | |
Phil Scherer | b931f96 | 2020-12-02 19:36:08 +0000 | [diff] [blame] | 1262 | 9.2. Typed output format |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 1263 | ------------------------ |
| 1264 | |
| 1265 | Both "show info" and "show stat" support a mode where each output value comes |
| 1266 | with its type and sufficient information to know how the value is supposed to |
| 1267 | be aggregated between processes and how it evolves. |
| 1268 | |
| 1269 | In all cases, the output consists in having a single value per line with all |
| 1270 | the information split into fields delimited by colons (':'). |
| 1271 | |
| 1272 | The first column designates the object or metric being dumped. Its format is |
| 1273 | specific to the command producing this output and will not be described in this |
| 1274 | section. Usually it will consist in a series of identifiers and field names. |
| 1275 | |
| 1276 | The second column contains 3 characters respectively indicating the origin, the |
| 1277 | nature and the scope of the value being reported. The first character (the |
| 1278 | origin) indicates where the value was extracted from. Possible characters are : |
| 1279 | |
| 1280 | M The value is a metric. It is valid at one instant any may change depending |
| 1281 | on its nature . |
| 1282 | |
| 1283 | S The value is a status. It represents a discrete value which by definition |
| 1284 | cannot be aggregated. It may be the status of a server ("UP" or "DOWN"), |
| 1285 | the PID of the process, etc. |
| 1286 | |
| 1287 | K The value is a sorting key. It represents an identifier which may be used |
| 1288 | to group some values together because it is unique among its class. All |
| 1289 | internal identifiers are keys. Some names can be listed as keys if they |
| 1290 | are unique (eg: a frontend name is unique). In general keys come from the |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 1291 | configuration, even though some of them may automatically be assigned. For |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 1292 | most purposes keys may be considered as equivalent to configuration. |
| 1293 | |
| 1294 | C The value comes from the configuration. Certain configuration values make |
| 1295 | sense on the output, for example a concurrent connection limit or a cookie |
| 1296 | name. By definition these values are the same in all processes started |
| 1297 | from the same configuration file. |
| 1298 | |
| 1299 | P The value comes from the product itself. There are very few such values, |
| 1300 | most common use is to report the product name, version and release date. |
| 1301 | These elements are also the same between all processes. |
| 1302 | |
| 1303 | The second character (the nature) indicates the nature of the information |
| 1304 | carried by the field in order to let an aggregator decide on what operation to |
| 1305 | use to aggregate multiple values. Possible characters are : |
| 1306 | |
| 1307 | A The value represents an age since a last event. This is a bit different |
| 1308 | from the duration in that an age is automatically computed based on the |
| 1309 | current date. A typical example is how long ago did the last session |
| 1310 | happen on a server. Ages are generally aggregated by taking the minimum |
| 1311 | value and do not need to be stored. |
| 1312 | |
| 1313 | a The value represents an already averaged value. The average response times |
| 1314 | and server weights are of this nature. Averages can typically be averaged |
| 1315 | between processes. |
| 1316 | |
| 1317 | C The value represents a cumulative counter. Such measures perpetually |
| 1318 | increase until they wrap around. Some monitoring protocols need to tell |
| 1319 | the difference between a counter and a gauge to report a different type. |
| 1320 | In general counters may simply be summed since they represent events or |
| 1321 | volumes. Examples of metrics of this nature are connection counts or byte |
| 1322 | counts. |
| 1323 | |
| 1324 | D The value represents a duration for a status. There are a few usages of |
| 1325 | this, most of them include the time taken by the last health check and |
| 1326 | the time a server has spent down. Durations are generally not summed, |
| 1327 | most of the time the maximum will be retained to compute an SLA. |
| 1328 | |
| 1329 | G The value represents a gauge. It's a measure at one instant. The memory |
| 1330 | usage or the current number of active connections are of this nature. |
| 1331 | Metrics of this type are typically summed during aggregation. |
| 1332 | |
| 1333 | L The value represents a limit (generally a configured one). By nature, |
| 1334 | limits are harder to aggregate since they are specific to the point where |
| 1335 | they were retrieved. In certain situations they may be summed or be kept |
| 1336 | separate. |
| 1337 | |
| 1338 | M The value represents a maximum. In general it will apply to a gauge and |
| 1339 | keep the highest known value. An example of such a metric could be the |
| 1340 | maximum amount of concurrent connections that was encountered in the |
| 1341 | product's life time. To correctly aggregate maxima, you are supposed to |
| 1342 | output a range going from the maximum of all maxima and the sum of all |
| 1343 | of them. There is indeed no way to know if they were encountered |
| 1344 | simultaneously or not. |
| 1345 | |
| 1346 | m The value represents a minimum. In general it will apply to a gauge and |
| 1347 | keep the lowest known value. An example of such a metric could be the |
| 1348 | minimum amount of free memory pools that was encountered in the product's |
| 1349 | life time. To correctly aggregate minima, you are supposed to output a |
| 1350 | range going from the minimum of all minima and the sum of all of them. |
| 1351 | There is indeed no way to know if they were encountered simultaneously |
| 1352 | or not. |
| 1353 | |
| 1354 | N The value represents a name, so it is a string. It is used to report |
| 1355 | proxy names, server names and cookie names. Names have configuration or |
| 1356 | keys as their origin and are supposed to be the same among all processes. |
| 1357 | |
| 1358 | O The value represents a free text output. Outputs from various commands, |
| 1359 | returns from health checks, node descriptions are of such nature. |
| 1360 | |
| 1361 | R The value represents an event rate. It's a measure at one instant. It is |
| 1362 | quite similar to a gauge except that the recipient knows that this measure |
| 1363 | moves slowly and may decide not to keep all values. An example of such a |
| 1364 | metric is the measured amount of connections per second. Metrics of this |
| 1365 | type are typically summed during aggregation. |
| 1366 | |
| 1367 | T The value represents a date or time. A field emitting the current date |
| 1368 | would be of this type. The method to aggregate such information is left |
| 1369 | as an implementation choice. For now no field uses this type. |
| 1370 | |
| 1371 | The third character (the scope) indicates what extent the value reflects. Some |
| 1372 | elements may be per process while others may be per configuration or per system. |
| 1373 | The distinction is important to know whether or not a single value should be |
| 1374 | kept during aggregation or if values have to be aggregated. The following |
| 1375 | characters are currently supported : |
| 1376 | |
| 1377 | C The value is valid for a whole cluster of nodes, which is the set of nodes |
| 1378 | communicating over the peers protocol. An example could be the amount of |
| 1379 | entries present in a stick table that is replicated with other peers. At |
| 1380 | the moment no metric use this scope. |
| 1381 | |
| 1382 | P The value is valid only for the process reporting it. Most metrics use |
| 1383 | this scope. |
| 1384 | |
| 1385 | S The value is valid for the whole service, which is the set of processes |
| 1386 | started together from the same configuration file. All metrics originating |
| 1387 | from the configuration use this scope. Some other metrics may use it as |
| 1388 | well for some shared resources (eg: shared SSL cache statistics). |
| 1389 | |
| 1390 | s The value is valid for the whole system, such as the system's hostname, |
| 1391 | current date or resource usage. At the moment this scope is not used by |
| 1392 | any metric. |
| 1393 | |
| 1394 | Consumers of these information will generally have enough of these 3 characters |
| 1395 | to determine how to accurately report aggregated information across multiple |
| 1396 | processes. |
| 1397 | |
| 1398 | After this column, the third column indicates the type of the field, among "s32" |
| 1399 | (signed 32-bit integer), "s64" (signed 64-bit integer), "u32" (unsigned 32-bit |
| 1400 | integer), "u64" (unsigned 64-bit integer), "str" (string). It is important to |
| 1401 | know the type before parsing the value in order to properly read it. For example |
| 1402 | a string containing only digits is still a string an not an integer (eg: an |
| 1403 | error code extracted by a check). |
| 1404 | |
| 1405 | Then the fourth column is the value itself, encoded according to its type. |
| 1406 | Strings are dumped as-is immediately after the colon without any leading space. |
| 1407 | If a string contains a colon, it will appear normally. This means that the |
| 1408 | output should not be exclusively split around colons or some check outputs |
| 1409 | or server addresses might be truncated. |
| 1410 | |
| 1411 | |
| 1412 | 9.3. Unix Socket commands |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1413 | ------------------------- |
| 1414 | |
| 1415 | The stats socket is not enabled by default. In order to enable it, it is |
| 1416 | necessary to add one line in the global section of the haproxy configuration. |
| 1417 | A second line is recommended to set a larger timeout, always appreciated when |
| 1418 | issuing commands by hand : |
| 1419 | |
| 1420 | global |
| 1421 | stats socket /var/run/haproxy.sock mode 600 level admin |
| 1422 | stats timeout 2m |
| 1423 | |
| 1424 | It is also possible to add multiple instances of the stats socket by repeating |
| 1425 | the line, and make them listen to a TCP port instead of a UNIX socket. This is |
| 1426 | never done by default because this is dangerous, but can be handy in some |
| 1427 | situations : |
| 1428 | |
| 1429 | global |
| 1430 | stats socket /var/run/haproxy.sock mode 600 level admin |
| 1431 | stats socket ipv4@192.168.0.1:9999 level admin |
| 1432 | stats timeout 2m |
| 1433 | |
| 1434 | To access the socket, an external utility such as "socat" is required. Socat is |
| 1435 | a swiss-army knife to connect anything to anything. We use it to connect |
| 1436 | terminals to the socket, or a couple of stdin/stdout pipes to it for scripts. |
| 1437 | The two main syntaxes we'll use are the following : |
| 1438 | |
| 1439 | # socat /var/run/haproxy.sock stdio |
| 1440 | # socat /var/run/haproxy.sock readline |
| 1441 | |
| 1442 | The first one is used with scripts. It is possible to send the output of a |
| 1443 | script to haproxy, and pass haproxy's output to another script. That's useful |
| 1444 | for retrieving counters or attack traces for example. |
| 1445 | |
| 1446 | The second one is only useful for issuing commands by hand. It has the benefit |
| 1447 | that the terminal is handled by the readline library which supports line |
| 1448 | editing and history, which is very convenient when issuing repeated commands |
| 1449 | (eg: watch a counter). |
| 1450 | |
| 1451 | The socket supports two operation modes : |
| 1452 | - interactive |
| 1453 | - non-interactive |
| 1454 | |
| 1455 | The non-interactive mode is the default when socat connects to the socket. In |
| 1456 | this mode, a single line may be sent. It is processed as a whole, responses are |
| 1457 | sent back, and the connection closes after the end of the response. This is the |
| 1458 | mode that scripts and monitoring tools use. It is possible to send multiple |
| 1459 | commands in this mode, they need to be delimited by a semi-colon (';'). For |
| 1460 | example : |
| 1461 | |
| 1462 | # echo "show info;show stat;show table" | socat /var/run/haproxy stdio |
| 1463 | |
Dragan Dosen | a1c35ab | 2016-11-24 11:33:12 +0100 | [diff] [blame] | 1464 | If a command needs to use a semi-colon or a backslash (eg: in a value), it |
Joseph Herlant | 71b4b15 | 2018-11-13 16:55:16 -0800 | [diff] [blame] | 1465 | must be preceded by a backslash ('\'). |
Chad Lavoie | e3f5031 | 2016-05-26 16:42:25 -0400 | [diff] [blame] | 1466 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1467 | The interactive mode displays a prompt ('>') and waits for commands to be |
| 1468 | entered on the line, then processes them, and displays the prompt again to wait |
| 1469 | for a new command. This mode is entered via the "prompt" command which must be |
| 1470 | sent on the first line in non-interactive mode. The mode is a flip switch, if |
| 1471 | "prompt" is sent in interactive mode, it is disabled and the connection closes |
| 1472 | after processing the last command of the same line. |
| 1473 | |
| 1474 | For this reason, when debugging by hand, it's quite common to start with the |
| 1475 | "prompt" command : |
| 1476 | |
| 1477 | # socat /var/run/haproxy readline |
| 1478 | prompt |
| 1479 | > show info |
| 1480 | ... |
| 1481 | > |
| 1482 | |
| 1483 | Since multiple commands may be issued at once, haproxy uses the empty line as a |
| 1484 | delimiter to mark an end of output for each command, and takes care of ensuring |
| 1485 | that no command can emit an empty line on output. A script can thus easily |
| 1486 | parse the output even when multiple commands were pipelined on a single line. |
| 1487 | |
Aurélien Nephtali | abbf607 | 2018-04-18 13:26:46 +0200 | [diff] [blame] | 1488 | Some commands may take an optional payload. To add one to a command, the first |
| 1489 | line needs to end with the "<<\n" pattern. The next lines will be treated as |
| 1490 | the payload and can contain as many lines as needed. To validate a command with |
| 1491 | a payload, it needs to end with an empty line. |
| 1492 | |
| 1493 | Limitations do exist: the length of the whole buffer passed to the CLI must |
| 1494 | not be greater than tune.bfsize and the pattern "<<" must not be glued to the |
| 1495 | last word of the line. |
| 1496 | |
| 1497 | When entering a paylod while in interactive mode, the prompt will change from |
| 1498 | "> " to "+ ". |
| 1499 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1500 | It is important to understand that when multiple haproxy processes are started |
| 1501 | on the same sockets, any process may pick up the request and will output its |
| 1502 | own stats. |
| 1503 | |
| 1504 | The list of commands currently supported on the stats socket is provided below. |
| 1505 | If an unknown command is sent, haproxy displays the usage message which reminds |
| 1506 | all supported commands. Some commands support a more complex syntax, generally |
| 1507 | it will explain what part of the command is invalid when this happens. |
| 1508 | |
Olivier Doucet | d8703e8 | 2017-08-31 11:05:10 +0200 | [diff] [blame] | 1509 | Some commands require a higher level of privilege to work. If you do not have |
| 1510 | enough privilege, you will get an error "Permission denied". Please check |
| 1511 | the "level" option of the "bind" keyword lines in the configuration manual |
| 1512 | for more information. |
| 1513 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 1514 | abort ssl ca-file <cafile> |
| 1515 | Abort and destroy a temporary CA file update transaction. |
| 1516 | |
| 1517 | See also "set ssl ca-file" and "commit ssl ca-file". |
| 1518 | |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 1519 | abort ssl cert <filename> |
| 1520 | Abort and destroy a temporary SSL certificate update transaction. |
| 1521 | |
| 1522 | See also "set ssl cert" and "commit ssl cert". |
| 1523 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 1524 | abort ssl crl-file <crlfile> |
| 1525 | Abort and destroy a temporary CRL file update transaction. |
| 1526 | |
| 1527 | See also "set ssl crl-file" and "commit ssl crl-file". |
| 1528 | |
Willy Tarreau | bb51c44 | 2021-04-30 15:23:36 +0200 | [diff] [blame] | 1529 | add acl [@<ver>] <acl> <pattern> |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1530 | Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by |
Willy Tarreau | bb51c44 | 2021-04-30 15:23:36 +0200 | [diff] [blame] | 1531 | "show acl". This command does not verify if the entry already exists. Entries |
| 1532 | are added to the current version of the ACL, unless a specific version is |
| 1533 | specified with "@<ver>". This version number must have preliminary been |
| 1534 | allocated by "prepare acl", and it will be comprised between the versions |
| 1535 | reported in "curr_ver" and "next_ver" on the output of "show acl". Entries |
| 1536 | added with a specific version number will not match until a "commit acl" |
| 1537 | operation is performed on them. They may however be consulted using the |
| 1538 | "show acl @<ver>" command, and cleared using a "clear acl @<ver>" command. |
| 1539 | This command cannot be used if the reference <acl> is a file also used with |
| 1540 | a map. In this case, the "add map" command must be used instead. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1541 | |
Willy Tarreau | bb51c44 | 2021-04-30 15:23:36 +0200 | [diff] [blame] | 1542 | add map [@<ver>] <map> <key> <value> |
| 1543 | add map [@<ver>] <map> <payload> |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1544 | Add an entry into the map <map> to associate the value <value> to the key |
| 1545 | <key>. This command does not verify if the entry already exists. It is |
Willy Tarreau | bb51c44 | 2021-04-30 15:23:36 +0200 | [diff] [blame] | 1546 | mainly used to fill a map after a "clear" or "prepare" operation. Entries |
| 1547 | are added to the current version of the ACL, unless a specific version is |
| 1548 | specified with "@<ver>". This version number must have preliminary been |
| 1549 | allocated by "prepare acl", and it will be comprised between the versions |
| 1550 | reported in "curr_ver" and "next_ver" on the output of "show acl". Entries |
| 1551 | added with a specific version number will not match until a "commit map" |
| 1552 | operation is performed on them. They may however be consulted using the |
| 1553 | "show map @<ver>" command, and cleared using a "clear acl @<ver>" command. |
| 1554 | If the designated map is also used as an ACL, the ACL will only match the |
| 1555 | <key> part and will ignore the <value> part. Using the payload syntax it is |
| 1556 | possible to add multiple key/value pairs by entering them on separate lines. |
| 1557 | On each new line, the first word is the key and the rest of the line is |
| 1558 | considered to be the value which can even contains spaces. |
Aurélien Nephtali | 25650ce | 2018-04-18 14:04:47 +0200 | [diff] [blame] | 1559 | |
| 1560 | Example: |
| 1561 | |
| 1562 | # socat /tmp/sock1 - |
| 1563 | prompt |
| 1564 | |
| 1565 | > add map #-1 << |
| 1566 | + key1 value1 |
| 1567 | + key2 value2 with spaces |
| 1568 | + key3 value3 also with spaces |
| 1569 | + key4 value4 |
| 1570 | |
| 1571 | > |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1572 | |
Amaury Denoyelle | f99f77a | 2021-03-08 17:13:32 +0100 | [diff] [blame] | 1573 | add server <backend>/<server> [args]* |
Amaury Denoyelle | 76e8b70 | 2022-03-09 15:07:31 +0100 | [diff] [blame] | 1574 | Instantiate a new server attached to the backend <backend>. |
Amaury Denoyelle | f99f77a | 2021-03-08 17:13:32 +0100 | [diff] [blame] | 1575 | |
| 1576 | The <server> name must not be already used in the backend. A special |
Amaury Denoyelle | eafd701 | 2021-04-29 14:59:42 +0200 | [diff] [blame] | 1577 | restriction is put on the backend which must used a dynamic load-balancing |
| 1578 | algorithm. A subset of keywords from the server config file statement can be |
| 1579 | used to configure the server behavior. Also note that no settings will be |
| 1580 | reused from an hypothetical 'default-server' statement in the same backend. |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1581 | |
Amaury Denoyelle | efbf35c | 2021-06-10 17:34:10 +0200 | [diff] [blame] | 1582 | Currently a dynamic server is statically initialized with the "none" |
| 1583 | init-addr method. This means that no resolution will be undertaken if a FQDN |
| 1584 | is specified as an address, even if the server creation will be validated. |
| 1585 | |
Amaury Denoyelle | 14c3c5c | 2021-08-23 14:10:51 +0200 | [diff] [blame] | 1586 | To support the reload operations, it is expected that the server created via |
| 1587 | the CLI is also manually inserted in the relevant haproxy configuration file. |
| 1588 | A dynamic server not present in the configuration won't be restored after a |
| 1589 | reload operation. |
| 1590 | |
Amaury Denoyelle | 56eb8ed | 2021-07-13 10:36:03 +0200 | [diff] [blame] | 1591 | A dynamic server may use the "track" keyword to follow the check status of |
| 1592 | another server from the configuration. However, it is not possible to track |
| 1593 | another dynamic server. This is to ensure that the tracking chain is kept |
| 1594 | consistent even in the case of dynamic servers deletion. |
| 1595 | |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1596 | Use the "check" keyword to enable health-check support. Note that the |
| 1597 | health-check is disabled by default and must be enabled independently from |
Amaury Denoyelle | b65f4ca | 2021-08-04 11:33:14 +0200 | [diff] [blame] | 1598 | the server using the "enable health" command. For agent checks, use the |
| 1599 | "agent-check" keyword and the "enable agent" command. Note that in this case |
| 1600 | the server may be activated via the agent depending on the status reported, |
| 1601 | without an explicit "enable server" command. This also means that extra care |
| 1602 | is required when removing a dynamic server with agent check. The agent should |
| 1603 | be first deactivated via "disable agent" to be able to put the server in the |
| 1604 | required maintenance mode before removal. |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1605 | |
Amaury Denoyelle | 414a612 | 2021-08-06 10:25:32 +0200 | [diff] [blame] | 1606 | It may be possible to reach the fd limit when using a large number of dynamic |
| 1607 | servers. Please refer to the "u-limit" global keyword documentation in this |
| 1608 | case. |
| 1609 | |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1610 | Here is the list of the currently supported keywords : |
| 1611 | |
Amaury Denoyelle | b65f4ca | 2021-08-04 11:33:14 +0200 | [diff] [blame] | 1612 | - agent-addr |
| 1613 | - agent-check |
| 1614 | - agent-inter |
| 1615 | - agent-port |
| 1616 | - agent-send |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1617 | - allow-0rtt |
| 1618 | - alpn |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1619 | - addr |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1620 | - backup |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1621 | - ca-file |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1622 | - check |
Amaury Denoyelle | 79b90e8 | 2021-09-20 15:15:19 +0200 | [diff] [blame] | 1623 | - check-alpn |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1624 | - check-proto |
| 1625 | - check-send-proxy |
Amaury Denoyelle | 79b90e8 | 2021-09-20 15:15:19 +0200 | [diff] [blame] | 1626 | - check-sni |
| 1627 | - check-ssl |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1628 | - check-via-socks4 |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1629 | - ciphers |
| 1630 | - ciphersuites |
| 1631 | - crl-file |
| 1632 | - crt |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1633 | - disabled |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1634 | - downinter |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1635 | - enabled |
Amaury Denoyelle | 725f8d2 | 2021-09-20 15:16:12 +0200 | [diff] [blame] | 1636 | - error-limit |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1637 | - fall |
| 1638 | - fastinter |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1639 | - force-sslv3/tlsv10/tlsv11/tlsv12/tlsv13 |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1640 | - id |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1641 | - inter |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1642 | - maxconn |
| 1643 | - maxqueue |
| 1644 | - minconn |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1645 | - no-ssl-reuse |
| 1646 | - no-sslv3/tlsv10/tlsv11/tlsv12/tlsv13 |
| 1647 | - no-tls-tickets |
| 1648 | - npn |
Amaury Denoyelle | 725f8d2 | 2021-09-20 15:16:12 +0200 | [diff] [blame] | 1649 | - observe |
| 1650 | - on-error |
| 1651 | - on-marked-down |
| 1652 | - on-marked-up |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1653 | - pool-low-conn |
| 1654 | - pool-max-conn |
| 1655 | - pool-purge-delay |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1656 | - port |
Amaury Denoyelle | 3046723 | 2021-03-12 18:03:27 +0100 | [diff] [blame] | 1657 | - proto |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1658 | - proxy-v2-options |
Amaury Denoyelle | 2fc4d39 | 2021-07-22 16:04:59 +0200 | [diff] [blame] | 1659 | - rise |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1660 | - send-proxy |
| 1661 | - send-proxy-v2 |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1662 | - send-proxy-v2-ssl |
| 1663 | - send-proxy-v2-ssl-cn |
Amaury Denoyelle | cd8a6f2 | 2021-09-21 11:51:54 +0200 | [diff] [blame] | 1664 | - slowstart |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1665 | - sni |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1666 | - source |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1667 | - ssl |
| 1668 | - ssl-max-ver |
| 1669 | - ssl-min-ver |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1670 | - tfo |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1671 | - tls-tickets |
Amaury Denoyelle | 56eb8ed | 2021-07-13 10:36:03 +0200 | [diff] [blame] | 1672 | - track |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1673 | - usesrc |
Amaury Denoyelle | 34897d2 | 2021-05-19 09:49:41 +0200 | [diff] [blame] | 1674 | - verify |
| 1675 | - verifyhost |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1676 | - weight |
Amaury Denoyelle | f9d5957 | 2021-10-18 14:40:29 +0200 | [diff] [blame] | 1677 | - ws |
Amaury Denoyelle | fc465a5 | 2021-03-09 17:36:23 +0100 | [diff] [blame] | 1678 | |
| 1679 | Their syntax is similar to the server line from the configuration file, |
| 1680 | please refer to their individual documentation for details. |
Amaury Denoyelle | f99f77a | 2021-03-08 17:13:32 +0100 | [diff] [blame] | 1681 | |
William Lallemand | 62c0b99 | 2022-07-29 17:50:58 +0200 | [diff] [blame] | 1682 | add ssl ca-file <cafile> <payload> |
| 1683 | Add a new certificate to a ca-file. This command is useful when you reached |
| 1684 | the buffer size limit on the CLI and want to add multiple certicates. |
| 1685 | Instead of doing a "set" with all the certificates you are able to add each |
| 1686 | certificate individually. A "set ssl ca-file" will reset the ca-file. |
| 1687 | |
| 1688 | Example: |
| 1689 | echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \ |
| 1690 | socat /var/run/haproxy.stat - |
| 1691 | echo -e "add ssl ca-file cafile.pem <<\n$(cat intermediate1.crt)\n" | \ |
| 1692 | socat /var/run/haproxy.stat - |
| 1693 | echo -e "add ssl ca-file cafile.pem <<\n$(cat intermediate2.crt)\n" | \ |
| 1694 | socat /var/run/haproxy.stat - |
| 1695 | echo "commit ssl ca-file cafile.pem" | socat /var/run/haproxy.stat - |
| 1696 | |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 1697 | add ssl crt-list <crtlist> <certificate> |
| 1698 | add ssl crt-list <crtlist> <payload> |
| 1699 | Add an certificate in a crt-list. It can also be used for directories since |
| 1700 | directories are now loaded the same way as the crt-lists. This command allow |
| 1701 | you to use a certificate name in parameter, to use SSL options or filters a |
| 1702 | crt-list line must sent as a payload instead. Only one crt-list line is |
| 1703 | supported in the payload. This command will load the certificate for every |
| 1704 | bind lines using the crt-list. To push a new certificate to HAProxy the |
| 1705 | commands "new ssl cert" and "set ssl cert" must be used. |
| 1706 | |
| 1707 | Example: |
| 1708 | $ echo "new ssl cert foobar.pem" | socat /tmp/sock1 - |
| 1709 | $ echo -e "set ssl cert foobar.pem <<\n$(cat foobar.pem)\n" | socat |
| 1710 | /tmp/sock1 - |
| 1711 | $ echo "commit ssl cert foobar.pem" | socat /tmp/sock1 - |
| 1712 | $ echo "add ssl crt-list certlist1 foobar.pem" | socat /tmp/sock1 - |
| 1713 | |
| 1714 | $ echo -e 'add ssl crt-list certlist1 <<\nfoobar.pem [allow-0rtt] foo.bar.com |
| 1715 | !test1.com\n' | socat /tmp/sock1 - |
| 1716 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1717 | clear counters |
| 1718 | Clear the max values of the statistics counters in each proxy (frontend & |
Willy Tarreau | d80cb4e | 2018-01-20 19:30:13 +0100 | [diff] [blame] | 1719 | backend) and in each server. The accumulated counters are not affected. The |
| 1720 | internal activity counters reported by "show activity" are also reset. This |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1721 | can be used to get clean counters after an incident, without having to |
| 1722 | restart nor to clear traffic counters. This command is restricted and can |
| 1723 | only be issued on sockets configured for levels "operator" or "admin". |
| 1724 | |
| 1725 | clear counters all |
| 1726 | Clear all statistics counters in each proxy (frontend & backend) and in each |
| 1727 | server. This has the same effect as restarting. This command is restricted |
| 1728 | and can only be issued on sockets configured for level "admin". |
| 1729 | |
Willy Tarreau | ff3feeb | 2021-04-30 13:31:43 +0200 | [diff] [blame] | 1730 | clear acl [@<ver>] <acl> |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1731 | Remove all entries from the acl <acl>. <acl> is the #<id> or the <file> |
| 1732 | returned by "show acl". Note that if the reference <acl> is a file and is |
Willy Tarreau | ff3feeb | 2021-04-30 13:31:43 +0200 | [diff] [blame] | 1733 | shared with a map, this map will be also cleared. By default only the current |
| 1734 | version of the ACL is cleared (the one being matched against). However it is |
| 1735 | possible to specify another version using '@' followed by this version. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1736 | |
Willy Tarreau | ff3feeb | 2021-04-30 13:31:43 +0200 | [diff] [blame] | 1737 | clear map [@<ver>] <map> |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1738 | Remove all entries from the map <map>. <map> is the #<id> or the <file> |
| 1739 | returned by "show map". Note that if the reference <map> is a file and is |
Willy Tarreau | ff3feeb | 2021-04-30 13:31:43 +0200 | [diff] [blame] | 1740 | shared with a acl, this acl will be also cleared. By default only the current |
| 1741 | version of the map is cleared (the one being matched against). However it is |
| 1742 | possible to specify another version using '@' followed by this version. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1743 | |
| 1744 | clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ] |
| 1745 | Remove entries from the stick-table <table>. |
| 1746 | |
| 1747 | This is typically used to unblock some users complaining they have been |
| 1748 | abusively denied access to a service, but this can also be used to clear some |
| 1749 | stickiness entries matching a server that is going to be replaced (see "show |
| 1750 | table" below for details). Note that sometimes, removal of an entry will be |
| 1751 | refused because it is currently tracked by a session. Retrying a few seconds |
| 1752 | later after the session ends is usual enough. |
| 1753 | |
| 1754 | In the case where no options arguments are given all entries will be removed. |
| 1755 | |
| 1756 | When the "data." form is used entries matching a filter applied using the |
| 1757 | stored data (see "stick-table" in section 4.2) are removed. A stored data |
| 1758 | type must be specified in <type>, and this data type must be stored in the |
| 1759 | table otherwise an error is reported. The data is compared according to |
| 1760 | <operator> with the 64-bit integer <value>. Operators are the same as with |
| 1761 | the ACLs : |
| 1762 | |
| 1763 | - eq : match entries whose data is equal to this value |
| 1764 | - ne : match entries whose data is not equal to this value |
| 1765 | - le : match entries whose data is less than or equal to this value |
| 1766 | - ge : match entries whose data is greater than or equal to this value |
| 1767 | - lt : match entries whose data is less than this value |
| 1768 | - gt : match entries whose data is greater than this value |
| 1769 | |
| 1770 | When the key form is used the entry <key> is removed. The key must be of the |
| 1771 | same type as the table, which currently is limited to IPv4, IPv6, integer and |
| 1772 | string. |
| 1773 | |
| 1774 | Example : |
| 1775 | $ echo "show table http_proxy" | socat stdio /tmp/sock1 |
| 1776 | >>> # table: http_proxy, type: ip, size:204800, used:2 |
| 1777 | >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \ |
| 1778 | bytes_out_rate(60000)=187 |
| 1779 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 1780 | bytes_out_rate(60000)=191 |
| 1781 | |
| 1782 | $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1 |
| 1783 | |
| 1784 | $ echo "show table http_proxy" | socat stdio /tmp/sock1 |
| 1785 | >>> # table: http_proxy, type: ip, size:204800, used:1 |
| 1786 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 1787 | bytes_out_rate(60000)=191 |
| 1788 | $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1 |
| 1789 | $ echo "show table http_proxy" | socat stdio /tmp/sock1 |
| 1790 | >>> # table: http_proxy, type: ip, size:204800, used:1 |
| 1791 | |
Willy Tarreau | 7a562ca | 2021-04-30 15:10:01 +0200 | [diff] [blame] | 1792 | commit acl @<ver> <acl> |
| 1793 | Commit all changes made to version <ver> of ACL <acl>, and deletes all past |
| 1794 | versions. <acl> is the #<id> or the <file> returned by "show acl". The |
| 1795 | version number must be between "curr_ver"+1 and "next_ver" as reported in |
| 1796 | "show acl". The contents to be committed to the ACL can be consulted with |
| 1797 | "show acl @<ver> <acl>" if desired. The specified version number has normally |
| 1798 | been created with the "prepare acl" command. The replacement is atomic. It |
| 1799 | consists in atomically updating the current version to the specified version, |
| 1800 | which will instantly cause all entries in other versions to become invisible, |
| 1801 | and all entries in the new version to become visible. It is also possible to |
| 1802 | use this command to perform an atomic removal of all visible entries of an |
| 1803 | ACL by calling "prepare acl" first then committing without adding any |
| 1804 | entries. This command cannot be used if the reference <acl> is a file also |
| 1805 | used as a map. In this case, the "commit map" command must be used instead. |
| 1806 | |
| 1807 | commit map @<ver> <map> |
| 1808 | Commit all changes made to version <ver> of map <map>, and deletes all past |
| 1809 | versions. <map> is the #<id> or the <file> returned by "show map". The |
| 1810 | version number must be between "curr_ver"+1 and "next_ver" as reported in |
| 1811 | "show map". The contents to be committed to the map can be consulted with |
| 1812 | "show map @<ver> <map>" if desired. The specified version number has normally |
| 1813 | been created with the "prepare map" command. The replacement is atomic. It |
| 1814 | consists in atomically updating the current version to the specified version, |
| 1815 | which will instantly cause all entries in other versions to become invisible, |
| 1816 | and all entries in the new version to become visible. It is also possible to |
| 1817 | use this command to perform an atomic removal of all visible entries of an |
| 1818 | map by calling "prepare map" first then committing without adding any |
| 1819 | entries. |
| 1820 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 1821 | commit ssl ca-file <cafile> |
| 1822 | Commit a temporary SSL CA file update transaction. |
| 1823 | |
| 1824 | In the case of an existing CA file (in a "Used" state in "show ssl ca-file"), |
| 1825 | the new CA file tree entry is inserted in the CA file tree and every instance |
| 1826 | that used the CA file entry is rebuilt, along with the SSL contexts it needs. |
| 1827 | All the contexts previously used by the rebuilt instances are removed. |
| 1828 | Upon success, the previous CA file entry is removed from the tree. |
| 1829 | Upon failure, nothing is removed or deleted, and all the original SSL |
| 1830 | contexts are kept and used. |
| 1831 | Once the temporary transaction is committed, it is destroyed. |
| 1832 | |
| 1833 | In the case of a new CA file (after a "new ssl ca-file" and in a "Unused" |
| 1834 | state in "show ssl ca-file"), the CA file will be inserted in the CA file |
| 1835 | tree but it won't be used anywhere in HAProxy. To use it and generate SSL |
| 1836 | contexts that use it, you will need to add it to a crt-list with "add ssl |
| 1837 | crt-list". |
| 1838 | |
William Lallemand | 62c0b99 | 2022-07-29 17:50:58 +0200 | [diff] [blame] | 1839 | See also "new ssl ca-file", "set ssl ca-file", "add ssl ca-file", |
| 1840 | "abort ssl ca-file" and "add ssl crt-list". |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 1841 | |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 1842 | commit ssl cert <filename> |
William Lallemand | c184d87 | 2020-06-26 15:39:57 +0200 | [diff] [blame] | 1843 | Commit a temporary SSL certificate update transaction. |
| 1844 | |
| 1845 | In the case of an existing certificate (in a "Used" state in "show ssl |
| 1846 | cert"), generate every SSL contextes and SNIs it need, insert them, and |
| 1847 | remove the previous ones. Replace in memory the previous SSL certificates |
| 1848 | everywhere the <filename> was used in the configuration. Upon failure it |
| 1849 | doesn't remove or insert anything. Once the temporary transaction is |
| 1850 | committed, it is destroyed. |
| 1851 | |
| 1852 | In the case of a new certificate (after a "new ssl cert" and in a "Unused" |
Ilya Shipitsin | 2272d8a | 2020-12-21 01:22:40 +0500 | [diff] [blame] | 1853 | state in "show ssl cert"), the certificate will be committed in a certificate |
William Lallemand | c184d87 | 2020-06-26 15:39:57 +0200 | [diff] [blame] | 1854 | storage, but it won't be used anywhere in haproxy. To use it and generate |
| 1855 | its SNIs you will need to add it to a crt-list or a directory with "add ssl |
| 1856 | crt-list". |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 1857 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 1858 | See also "new ssl cert", "set ssl cert", "abort ssl cert" and |
William Lallemand | c184d87 | 2020-06-26 15:39:57 +0200 | [diff] [blame] | 1859 | "add ssl crt-list". |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 1860 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 1861 | commit ssl crl-file <crlfile> |
| 1862 | Commit a temporary SSL CRL file update transaction. |
| 1863 | |
| 1864 | In the case of an existing CRL file (in a "Used" state in "show ssl |
| 1865 | crl-file"), the new CRL file entry is inserted in the CA file tree (which |
| 1866 | holds both the CA files and the CRL files) and every instance that used the |
| 1867 | CRL file entry is rebuilt, along with the SSL contexts it needs. |
| 1868 | All the contexts previously used by the rebuilt instances are removed. |
| 1869 | Upon success, the previous CRL file entry is removed from the tree. |
| 1870 | Upon failure, nothing is removed or deleted, and all the original SSL |
| 1871 | contexts are kept and used. |
| 1872 | Once the temporary transaction is committed, it is destroyed. |
| 1873 | |
| 1874 | In the case of a new CRL file (after a "new ssl crl-file" and in a "Unused" |
| 1875 | state in "show ssl crl-file"), the CRL file will be inserted in the CRL file |
| 1876 | tree but it won't be used anywhere in HAProxy. To use it and generate SSL |
| 1877 | contexts that use it, you will need to add it to a crt-list with "add ssl |
| 1878 | crt-list". |
| 1879 | |
| 1880 | See also "new ssl crl-file", "set ssl crl-file", "abort ssl crl-file" and |
| 1881 | "add ssl crt-list". |
| 1882 | |
Willy Tarreau | 6bdf3e9 | 2019-05-20 14:25:05 +0200 | [diff] [blame] | 1883 | debug dev <command> [args]* |
Willy Tarreau | b24ab22 | 2019-10-24 18:03:39 +0200 | [diff] [blame] | 1884 | Call a developer-specific command. Only supported on a CLI connection running |
| 1885 | in expert mode (see "expert-mode on"). Such commands are extremely dangerous |
| 1886 | and not forgiving, any misuse may result in a crash of the process. They are |
| 1887 | intended for experts only, and must really not be used unless told to do so. |
| 1888 | Some of them are only available when haproxy is built with DEBUG_DEV defined |
| 1889 | because they may have security implications. All of these commands require |
| 1890 | admin privileges, and are purposely not documented to avoid encouraging their |
| 1891 | use by people who are not at ease with the source code. |
Willy Tarreau | 6bdf3e9 | 2019-05-20 14:25:05 +0200 | [diff] [blame] | 1892 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1893 | del acl <acl> [<key>|#<ref>] |
| 1894 | Delete all the acl entries from the acl <acl> corresponding to the key <key>. |
| 1895 | <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used, |
| 1896 | this command delete only the listed reference. The reference can be found with |
| 1897 | listing the content of the acl. Note that if the reference <acl> is a file and |
| 1898 | is shared with a map, the entry will be also deleted in the map. |
| 1899 | |
| 1900 | del map <map> [<key>|#<ref>] |
| 1901 | Delete all the map entries from the map <map> corresponding to the key <key>. |
| 1902 | <map> is the #<id> or the <file> returned by "show map". If the <ref> is used, |
| 1903 | this command delete only the listed reference. The reference can be found with |
| 1904 | listing the content of the map. Note that if the reference <map> is a file and |
| 1905 | is shared with a acl, the entry will be also deleted in the map. |
| 1906 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 1907 | del ssl ca-file <cafile> |
| 1908 | Delete a CA file tree entry from HAProxy. The CA file must be unused and |
| 1909 | removed from any crt-list. "show ssl ca-file" displays the status of the CA |
| 1910 | files. The deletion doesn't work with a certificate referenced directly with |
| 1911 | the "ca-file" or "ca-verify-file" directives in the configuration. |
| 1912 | |
William Lallemand | 419e634 | 2020-04-08 12:05:39 +0200 | [diff] [blame] | 1913 | del ssl cert <certfile> |
| 1914 | Delete a certificate store from HAProxy. The certificate must be unused and |
| 1915 | removed from any crt-list or directory. "show ssl cert" displays the status |
| 1916 | of the certificate. The deletion doesn't work with a certificate referenced |
| 1917 | directly with the "crt" directive in the configuration. |
| 1918 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 1919 | del ssl crl-file <crlfile> |
| 1920 | Delete a CRL file tree entry from HAProxy. The CRL file must be unused and |
| 1921 | removed from any crt-list. "show ssl crl-file" displays the status of the CRL |
| 1922 | files. The deletion doesn't work with a certificate referenced directly with |
| 1923 | the "crl-file" directive in the configuration. |
| 1924 | |
William Lallemand | 0a9b941 | 2020-04-06 17:43:05 +0200 | [diff] [blame] | 1925 | del ssl crt-list <filename> <certfile[:line]> |
| 1926 | Delete an entry in a crt-list. This will delete every SNIs used for this |
| 1927 | entry in the frontends. If a certificate is used several time in a crt-list, |
| 1928 | you will need to provide which line you want to delete. To display the line |
| 1929 | numbers, use "show ssl crt-list -n <crtlist>". |
| 1930 | |
Amaury Denoyelle | e558043 | 2021-04-15 14:41:20 +0200 | [diff] [blame] | 1931 | del server <backend>/<server> |
Amaury Denoyelle | 14c3c5c | 2021-08-23 14:10:51 +0200 | [diff] [blame] | 1932 | Remove a server attached to the backend <backend>. All servers are eligible, |
| 1933 | except servers which are referenced by other configuration elements. The |
| 1934 | server must be put in maintenance mode prior to its deletion. The operation |
| 1935 | is cancelled if the serveur still has active or idle connection or its |
| 1936 | connection queue is not empty. |
Amaury Denoyelle | e558043 | 2021-04-15 14:41:20 +0200 | [diff] [blame] | 1937 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1938 | disable agent <backend>/<server> |
| 1939 | Mark the auxiliary agent check as temporarily stopped. |
| 1940 | |
| 1941 | In the case where an agent check is being run as a auxiliary check, due |
| 1942 | to the agent-check parameter of a server directive, new checks are only |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 1943 | initialized when the agent is in the enabled. Thus, disable agent will |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1944 | prevent any new agent checks from begin initiated until the agent |
| 1945 | re-enabled using enable agent. |
| 1946 | |
| 1947 | When an agent is disabled the processing of an auxiliary agent check that |
| 1948 | was initiated while the agent was set as enabled is as follows: All |
| 1949 | results that would alter the weight, specifically "drain" or a weight |
| 1950 | returned by the agent, are ignored. The processing of agent check is |
| 1951 | otherwise unchanged. |
| 1952 | |
| 1953 | The motivation for this feature is to allow the weight changing effects |
| 1954 | of the agent checks to be paused to allow the weight of a server to be |
| 1955 | configured using set weight without being overridden by the agent. |
| 1956 | |
| 1957 | This command is restricted and can only be issued on sockets configured for |
| 1958 | level "admin". |
| 1959 | |
Olivier Houchard | 614f8d7 | 2017-03-14 20:08:46 +0100 | [diff] [blame] | 1960 | disable dynamic-cookie backend <backend> |
Ilya Shipitsin | 2a950d0 | 2020-03-06 13:07:38 +0500 | [diff] [blame] | 1961 | Disable the generation of dynamic cookies for the backend <backend> |
Olivier Houchard | 614f8d7 | 2017-03-14 20:08:46 +0100 | [diff] [blame] | 1962 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 1963 | disable frontend <frontend> |
| 1964 | Mark the frontend as temporarily stopped. This corresponds to the mode which |
| 1965 | is used during a soft restart : the frontend releases the port but can be |
| 1966 | enabled again if needed. This should be used with care as some non-Linux OSes |
| 1967 | are unable to enable it back. This is intended to be used in environments |
| 1968 | where stopping a proxy is not even imaginable but a misconfigured proxy must |
| 1969 | be fixed. That way it's possible to release the port and bind it into another |
| 1970 | process to restore operations. The frontend will appear with status "STOP" |
| 1971 | on the stats page. |
| 1972 | |
| 1973 | The frontend may be specified either by its name or by its numeric ID, |
| 1974 | prefixed with a sharp ('#'). |
| 1975 | |
| 1976 | This command is restricted and can only be issued on sockets configured for |
| 1977 | level "admin". |
| 1978 | |
| 1979 | disable health <backend>/<server> |
| 1980 | Mark the primary health check as temporarily stopped. This will disable |
| 1981 | sending of health checks, and the last health check result will be ignored. |
| 1982 | The server will be in unchecked state and considered UP unless an auxiliary |
| 1983 | agent check forces it down. |
| 1984 | |
| 1985 | This command is restricted and can only be issued on sockets configured for |
| 1986 | level "admin". |
| 1987 | |
| 1988 | disable server <backend>/<server> |
| 1989 | Mark the server DOWN for maintenance. In this mode, no more checks will be |
| 1990 | performed on the server until it leaves maintenance. |
| 1991 | If the server is tracked by other servers, those servers will be set to DOWN |
| 1992 | during the maintenance. |
| 1993 | |
| 1994 | In the statistics page, a server DOWN for maintenance will appear with a |
| 1995 | "MAINT" status, its tracking servers with the "MAINT(via)" one. |
| 1996 | |
| 1997 | Both the backend and the server may be specified either by their name or by |
| 1998 | their numeric ID, prefixed with a sharp ('#'). |
| 1999 | |
| 2000 | This command is restricted and can only be issued on sockets configured for |
| 2001 | level "admin". |
| 2002 | |
| 2003 | enable agent <backend>/<server> |
| 2004 | Resume auxiliary agent check that was temporarily stopped. |
| 2005 | |
| 2006 | See "disable agent" for details of the effect of temporarily starting |
| 2007 | and stopping an auxiliary agent. |
| 2008 | |
| 2009 | This command is restricted and can only be issued on sockets configured for |
| 2010 | level "admin". |
| 2011 | |
Olivier Houchard | 614f8d7 | 2017-03-14 20:08:46 +0100 | [diff] [blame] | 2012 | enable dynamic-cookie backend <backend> |
n9@users.noreply.github.com | 25a1c8e | 2019-08-23 11:21:05 +0200 | [diff] [blame] | 2013 | Enable the generation of dynamic cookies for the backend <backend>. |
| 2014 | A secret key must also be provided. |
Olivier Houchard | 614f8d7 | 2017-03-14 20:08:46 +0100 | [diff] [blame] | 2015 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2016 | enable frontend <frontend> |
| 2017 | Resume a frontend which was temporarily stopped. It is possible that some of |
| 2018 | the listening ports won't be able to bind anymore (eg: if another process |
| 2019 | took them since the 'disable frontend' operation). If this happens, an error |
| 2020 | is displayed. Some operating systems might not be able to resume a frontend |
| 2021 | which was disabled. |
| 2022 | |
| 2023 | The frontend may be specified either by its name or by its numeric ID, |
| 2024 | prefixed with a sharp ('#'). |
| 2025 | |
| 2026 | This command is restricted and can only be issued on sockets configured for |
| 2027 | level "admin". |
| 2028 | |
| 2029 | enable health <backend>/<server> |
| 2030 | Resume a primary health check that was temporarily stopped. This will enable |
| 2031 | sending of health checks again. Please see "disable health" for details. |
| 2032 | |
| 2033 | This command is restricted and can only be issued on sockets configured for |
| 2034 | level "admin". |
| 2035 | |
| 2036 | enable server <backend>/<server> |
| 2037 | If the server was previously marked as DOWN for maintenance, this marks the |
| 2038 | server UP and checks are re-enabled. |
| 2039 | |
| 2040 | Both the backend and the server may be specified either by their name or by |
| 2041 | their numeric ID, prefixed with a sharp ('#'). |
| 2042 | |
| 2043 | This command is restricted and can only be issued on sockets configured for |
| 2044 | level "admin". |
| 2045 | |
Amaury Denoyelle | 18487fb | 2021-03-18 15:32:53 +0100 | [diff] [blame] | 2046 | experimental-mode [on|off] |
| 2047 | Without options, this indicates whether the experimental mode is enabled or |
| 2048 | disabled on the current connection. When passed "on", it turns the |
| 2049 | experimental mode on for the current CLI connection only. With "off" it turns |
| 2050 | it off. |
| 2051 | |
| 2052 | The experimental mode is used to access to extra features still in |
| 2053 | development. These features are currently not stable and should be used with |
Ilya Shipitsin | ba13f16 | 2021-03-19 22:21:44 +0500 | [diff] [blame] | 2054 | care. They may be subject to breaking changes across versions. |
Amaury Denoyelle | 18487fb | 2021-03-18 15:32:53 +0100 | [diff] [blame] | 2055 | |
William Lallemand | 7267f78 | 2022-02-01 16:08:50 +0100 | [diff] [blame] | 2056 | When used from the master CLI, this command shouldn't be prefixed, as it will |
| 2057 | set the mode for any worker when connecting to its CLI. |
| 2058 | |
| 2059 | Example: |
Amaury Denoyelle | 76e8b70 | 2022-03-09 15:07:31 +0100 | [diff] [blame] | 2060 | echo "@1; experimental-mode on; <experimental_cmd>..." | socat /var/run/haproxy.master - |
| 2061 | echo "experimental-mode on; @1 <experimental_cmd>..." | socat /var/run/haproxy.master - |
William Lallemand | 7267f78 | 2022-02-01 16:08:50 +0100 | [diff] [blame] | 2062 | |
Willy Tarreau | abb9f9b | 2019-10-24 17:55:53 +0200 | [diff] [blame] | 2063 | expert-mode [on|off] |
Amaury Denoyelle | 18487fb | 2021-03-18 15:32:53 +0100 | [diff] [blame] | 2064 | This command is similar to experimental-mode but is used to toggle the |
| 2065 | expert mode. |
| 2066 | |
| 2067 | The expert mode enables displaying of expert commands that can be extremely |
Willy Tarreau | abb9f9b | 2019-10-24 17:55:53 +0200 | [diff] [blame] | 2068 | dangerous for the process and which may occasionally help developers collect |
| 2069 | important information about complex bugs. Any misuse of these features will |
| 2070 | likely lead to a process crash. Do not use this option without being invited |
| 2071 | to do so. Note that this command is purposely not listed in the help message. |
| 2072 | This command is only accessible in admin level. Changing to another level |
| 2073 | automatically resets the expert mode. |
| 2074 | |
William Lallemand | 7267f78 | 2022-02-01 16:08:50 +0100 | [diff] [blame] | 2075 | When used from the master CLI, this command shouldn't be prefixed, as it will |
| 2076 | set the mode for any worker when connecting to its CLI. |
| 2077 | |
| 2078 | Example: |
| 2079 | echo "@1; expert-mode on; debug dev exit 1" | socat /var/run/haproxy.master - |
| 2080 | echo "expert-mode on; @1 debug dev exit 1" | socat /var/run/haproxy.master - |
| 2081 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2082 | get map <map> <value> |
| 2083 | get acl <acl> <value> |
| 2084 | Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl> |
| 2085 | are the #<id> or the <file> returned by "show map" or "show acl". This command |
| 2086 | returns all the matching patterns associated with this map. This is useful for |
| 2087 | debugging maps and ACLs. The output format is composed by one line par |
| 2088 | matching type. Each line is composed by space-delimited series of words. |
| 2089 | |
| 2090 | The first two words are: |
| 2091 | |
| 2092 | <match method>: The match method applied. It can be "found", "bool", |
| 2093 | "int", "ip", "bin", "len", "str", "beg", "sub", "dir", |
| 2094 | "dom", "end" or "reg". |
| 2095 | |
| 2096 | <match result>: The result. Can be "match" or "no-match". |
| 2097 | |
| 2098 | The following words are returned only if the pattern matches an entry. |
| 2099 | |
| 2100 | <index type>: "tree" or "list". The internal lookup algorithm. |
| 2101 | |
| 2102 | <case>: "case-insensitive" or "case-sensitive". The |
| 2103 | interpretation of the case. |
| 2104 | |
| 2105 | <entry matched>: match="<entry>". Return the matched pattern. It is |
| 2106 | useful with regular expressions. |
| 2107 | |
| 2108 | The two last word are used to show the returned value and its type. With the |
| 2109 | "acl" case, the pattern doesn't exist. |
| 2110 | |
| 2111 | return=nothing: No return because there are no "map". |
| 2112 | return="<value>": The value returned in the string format. |
| 2113 | return=cannot-display: The value cannot be converted as string. |
| 2114 | |
| 2115 | type="<type>": The type of the returned sample. |
| 2116 | |
Willy Tarreau | c35eb38 | 2021-03-26 14:51:31 +0100 | [diff] [blame] | 2117 | get var <name> |
| 2118 | Show the existence, type and contents of the process-wide variable 'name'. |
| 2119 | Only process-wide variables are readable, so the name must begin with |
| 2120 | 'proc.' otherwise no variable will be found. This command requires levels |
| 2121 | "operator" or "admin". |
| 2122 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2123 | get weight <backend>/<server> |
| 2124 | Report the current weight and the initial weight of server <server> in |
| 2125 | backend <backend> or an error if either doesn't exist. The initial weight is |
| 2126 | the one that appears in the configuration file. Both are normally equal |
| 2127 | unless the current weight has been changed. Both the backend and the server |
| 2128 | may be specified either by their name or by their numeric ID, prefixed with a |
| 2129 | sharp ('#'). |
| 2130 | |
Willy Tarreau | 0b1b830 | 2021-05-09 20:59:23 +0200 | [diff] [blame] | 2131 | help [<command>] |
| 2132 | Print the list of known keywords and their basic usage, or commands matching |
| 2133 | the requested one. The same help screen is also displayed for unknown |
| 2134 | commands. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2135 | |
William Lallemand | b175c23 | 2021-10-19 14:53:55 +0200 | [diff] [blame] | 2136 | httpclient <method> <URI> |
| 2137 | Launch an HTTP client request and print the response on the CLI. Only |
| 2138 | supported on a CLI connection running in expert mode (see "expert-mode on"). |
| 2139 | It's only meant for debugging. It currently can't resolve FQDN so your URI must |
| 2140 | contains an IP. |
| 2141 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 2142 | new ssl ca-file <cafile> |
| 2143 | Create a new empty CA file tree entry to be filled with a set of CA |
| 2144 | certificates and added to a crt-list. This command should be used in |
William Lallemand | 62c0b99 | 2022-07-29 17:50:58 +0200 | [diff] [blame] | 2145 | combination with "set ssl ca-file", "add ssl ca-file" and "add ssl crt-list". |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 2146 | |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 2147 | new ssl cert <filename> |
| 2148 | Create a new empty SSL certificate store to be filled with a certificate and |
| 2149 | added to a directory or a crt-list. This command should be used in |
| 2150 | combination with "set ssl cert" and "add ssl crt-list". |
| 2151 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 2152 | new ssl crl-file <crlfile> |
| 2153 | Create a new empty CRL file tree entry to be filled with a set of CRLs |
| 2154 | and added to a crt-list. This command should be used in combination with "set |
| 2155 | ssl crl-file" and "add ssl crt-list". |
| 2156 | |
Willy Tarreau | 97218ce | 2021-04-30 14:57:03 +0200 | [diff] [blame] | 2157 | prepare acl <acl> |
| 2158 | Allocate a new version number in ACL <acl> for atomic replacement. <acl> is |
| 2159 | the #<id> or the <file> returned by "show acl". The new version number is |
| 2160 | shown in response after "New version created:". This number will then be |
| 2161 | usable to prepare additions of new entries into the ACL which will then |
| 2162 | atomically replace the current ones once committed. It is reported as |
| 2163 | "next_ver" in "show acl". There is no impact of allocating new versions, as |
| 2164 | unused versions will automatically be removed once a more recent version is |
| 2165 | committed. Version numbers are unsigned 32-bit values which wrap at the end, |
| 2166 | so care must be taken when comparing them in an external program. This |
| 2167 | command cannot be used if the reference <acl> is a file also used as a map. |
| 2168 | In this case, the "prepare map" command must be used instead. |
| 2169 | |
| 2170 | prepare map <map> |
| 2171 | Allocate a new version number in map <map> for atomic replacement. <map> is |
| 2172 | the #<id> or the <file> returned by "show map". The new version number is |
| 2173 | shown in response after "New version created:". This number will then be |
| 2174 | usable to prepare additions of new entries into the map which will then |
| 2175 | atomically replace the current ones once committed. It is reported as |
| 2176 | "next_ver" in "show map". There is no impact of allocating new versions, as |
| 2177 | unused versions will automatically be removed once a more recent version is |
| 2178 | committed. Version numbers are unsigned 32-bit values which wrap at the end, |
| 2179 | so care must be taken when comparing them in an external program. |
| 2180 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2181 | prompt |
| 2182 | Toggle the prompt at the beginning of the line and enter or leave interactive |
| 2183 | mode. In interactive mode, the connection is not closed after a command |
| 2184 | completes. Instead, the prompt will appear again, indicating the user that |
| 2185 | the interpreter is waiting for a new command. The prompt consists in a right |
| 2186 | angle bracket followed by a space "> ". This mode is particularly convenient |
| 2187 | when one wants to periodically check information such as stats or errors. |
| 2188 | It is also a good idea to enter interactive mode before issuing a "help" |
| 2189 | command. |
| 2190 | |
| 2191 | quit |
| 2192 | Close the connection when in interactive mode. |
| 2193 | |
Olivier Houchard | 614f8d7 | 2017-03-14 20:08:46 +0100 | [diff] [blame] | 2194 | set dynamic-cookie-key backend <backend> <value> |
| 2195 | Modify the secret key used to generate the dynamic persistent cookies. |
| 2196 | This will break the existing sessions. |
| 2197 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2198 | set map <map> [<key>|#<ref>] <value> |
| 2199 | Modify the value corresponding to each key <key> in a map <map>. <map> is the |
| 2200 | #<id> or <file> returned by "show map". If the <ref> is used in place of |
| 2201 | <key>, only the entry pointed by <ref> is changed. The new value is <value>. |
| 2202 | |
| 2203 | set maxconn frontend <frontend> <value> |
| 2204 | Dynamically change the specified frontend's maxconn setting. Any positive |
| 2205 | value is allowed including zero, but setting values larger than the global |
| 2206 | maxconn does not make much sense. If the limit is increased and connections |
| 2207 | were pending, they will immediately be accepted. If it is lowered to a value |
| 2208 | below the current number of connections, new connections acceptation will be |
| 2209 | delayed until the threshold is reached. The frontend might be specified by |
| 2210 | either its name or its numeric ID prefixed with a sharp ('#'). |
| 2211 | |
Andrew Hayworth | edb93a7 | 2015-10-27 21:46:25 +0000 | [diff] [blame] | 2212 | set maxconn server <backend/server> <value> |
| 2213 | Dynamically change the specified server's maxconn setting. Any positive |
| 2214 | value is allowed including zero, but setting values larger than the global |
| 2215 | maxconn does not make much sense. |
| 2216 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2217 | set maxconn global <maxconn> |
| 2218 | Dynamically change the global maxconn setting within the range defined by the |
| 2219 | initial global maxconn setting. If it is increased and connections were |
| 2220 | pending, they will immediately be accepted. If it is lowered to a value below |
| 2221 | the current number of connections, new connections acceptation will be |
| 2222 | delayed until the threshold is reached. A value of zero restores the initial |
| 2223 | setting. |
| 2224 | |
Willy Tarreau | 00dd44f | 2021-05-05 16:44:23 +0200 | [diff] [blame] | 2225 | set profiling { tasks | memory } { auto | on | off } |
| 2226 | Enables or disables CPU or memory profiling for the indicated subsystem. This |
| 2227 | is equivalent to setting or clearing the "profiling" settings in the "global" |
Willy Tarreau | cfa7101 | 2021-01-29 11:56:21 +0100 | [diff] [blame] | 2228 | section of the configuration file. Please also see "show profiling". Note |
| 2229 | that manually setting the tasks profiling to "on" automatically resets the |
| 2230 | scheduler statistics, thus allows to check activity over a given interval. |
Willy Tarreau | 00dd44f | 2021-05-05 16:44:23 +0200 | [diff] [blame] | 2231 | The memory profiling is limited to certain operating systems (known to work |
| 2232 | on the linux-glibc target), and requires USE_MEMORY_PROFILING to be set at |
| 2233 | compile time. |
Willy Tarreau | 75c62c2 | 2018-11-22 11:02:09 +0100 | [diff] [blame] | 2234 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2235 | set rate-limit connections global <value> |
| 2236 | Change the process-wide connection rate limit, which is set by the global |
| 2237 | 'maxconnrate' setting. A value of zero disables the limitation. This limit |
| 2238 | applies to all frontends and the change has an immediate effect. The value |
| 2239 | is passed in number of connections per second. |
| 2240 | |
| 2241 | set rate-limit http-compression global <value> |
| 2242 | Change the maximum input compression rate, which is set by the global |
| 2243 | 'maxcomprate' setting. A value of zero disables the limitation. The value is |
| 2244 | passed in number of kilobytes per second. The value is available in the "show |
| 2245 | info" on the line "CompressBpsRateLim" in bytes. |
| 2246 | |
| 2247 | set rate-limit sessions global <value> |
| 2248 | Change the process-wide session rate limit, which is set by the global |
| 2249 | 'maxsessrate' setting. A value of zero disables the limitation. This limit |
| 2250 | applies to all frontends and the change has an immediate effect. The value |
| 2251 | is passed in number of sessions per second. |
| 2252 | |
| 2253 | set rate-limit ssl-sessions global <value> |
| 2254 | Change the process-wide SSL session rate limit, which is set by the global |
| 2255 | 'maxsslrate' setting. A value of zero disables the limitation. This limit |
| 2256 | applies to all frontends and the change has an immediate effect. The value |
| 2257 | is passed in number of sessions per second sent to the SSL stack. It applies |
| 2258 | before the handshake in order to protect the stack against handshake abuses. |
| 2259 | |
Baptiste Assmann | 3749ebf | 2016-08-03 22:34:12 +0200 | [diff] [blame] | 2260 | set server <backend>/<server> addr <ip4 or ip6 address> [port <port>] |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2261 | Replace the current IP address of a server by the one provided. |
Michael Prokop | 4438c60 | 2019-05-24 10:25:45 +0200 | [diff] [blame] | 2262 | Optionally, the port can be changed using the 'port' parameter. |
Baptiste Assmann | 3749ebf | 2016-08-03 22:34:12 +0200 | [diff] [blame] | 2263 | Note that changing the port also support switching from/to port mapping |
| 2264 | (notation with +X or -Y), only if a port is configured for the health check. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2265 | |
| 2266 | set server <backend>/<server> agent [ up | down ] |
| 2267 | Force a server's agent to a new state. This can be useful to immediately |
| 2268 | switch a server's state regardless of some slow agent checks for example. |
| 2269 | Note that the change is propagated to tracking servers if any. |
| 2270 | |
William Dauchy | 7cabc06 | 2021-02-11 22:51:24 +0100 | [diff] [blame] | 2271 | set server <backend>/<server> agent-addr <addr> [port <port>] |
Misiek | 4397290 | 2017-01-09 09:53:06 +0100 | [diff] [blame] | 2272 | Change addr for servers agent checks. Allows to migrate agent-checks to |
| 2273 | another address at runtime. You can specify both IP and hostname, it will be |
| 2274 | resolved. |
William Dauchy | 7cabc06 | 2021-02-11 22:51:24 +0100 | [diff] [blame] | 2275 | Optionally, change the port agent. |
| 2276 | |
| 2277 | set server <backend>/<server> agent-port <port> |
| 2278 | Change the port used for agent checks. |
Misiek | 4397290 | 2017-01-09 09:53:06 +0100 | [diff] [blame] | 2279 | |
| 2280 | set server <backend>/<server> agent-send <value> |
| 2281 | Change agent string sent to agent check target. Allows to update string while |
| 2282 | changing server address to keep those two matching. |
| 2283 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2284 | set server <backend>/<server> health [ up | stopping | down ] |
| 2285 | Force a server's health to a new state. This can be useful to immediately |
| 2286 | switch a server's state regardless of some slow health checks for example. |
| 2287 | Note that the change is propagated to tracking servers if any. |
| 2288 | |
William Dauchy | b456e1f | 2021-02-11 22:51:23 +0100 | [diff] [blame] | 2289 | set server <backend>/<server> check-addr <ip4 | ip6> [port <port>] |
| 2290 | Change the IP address used for server health checks. |
| 2291 | Optionally, change the port used for server health checks. |
| 2292 | |
Baptiste Assmann | 5094656 | 2016-08-31 23:26:29 +0200 | [diff] [blame] | 2293 | set server <backend>/<server> check-port <port> |
| 2294 | Change the port used for health checking to <port> |
| 2295 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2296 | set server <backend>/<server> state [ ready | drain | maint ] |
| 2297 | Force a server's administrative state to a new state. This can be useful to |
| 2298 | disable load balancing and/or any traffic to a server. Setting the state to |
| 2299 | "ready" puts the server in normal mode, and the command is the equivalent of |
| 2300 | the "enable server" command. Setting the state to "maint" disables any traffic |
| 2301 | to the server as well as any health checks. This is the equivalent of the |
| 2302 | "disable server" command. Setting the mode to "drain" only removes the server |
| 2303 | from load balancing but still allows it to be checked and to accept new |
| 2304 | persistent connections. Changes are propagated to tracking servers if any. |
| 2305 | |
| 2306 | set server <backend>/<server> weight <weight>[%] |
| 2307 | Change a server's weight to the value passed in argument. This is the exact |
| 2308 | equivalent of the "set weight" command below. |
| 2309 | |
Frédéric Lécaille | b418c12 | 2017-04-26 11:24:02 +0200 | [diff] [blame] | 2310 | set server <backend>/<server> fqdn <FQDN> |
Lukas Tribus | c5dd5a5 | 2018-08-14 11:39:35 +0200 | [diff] [blame] | 2311 | Change a server's FQDN to the value passed in argument. This requires the |
| 2312 | internal run-time DNS resolver to be configured and enabled for this server. |
Frédéric Lécaille | b418c12 | 2017-04-26 11:24:02 +0200 | [diff] [blame] | 2313 | |
William Lallemand | 9998a33 | 2022-01-19 15:17:08 +0100 | [diff] [blame] | 2314 | set server <backend>/<server> ssl [ on | off ] (deprecated) |
William Dauchy | f637044 | 2020-11-14 19:25:33 +0100 | [diff] [blame] | 2315 | This option configures SSL ciphering on outgoing connections to the server. |
William Dauchy | a087f87 | 2022-01-06 16:57:15 +0100 | [diff] [blame] | 2316 | When switch off, all traffic becomes plain text; health check path is not |
| 2317 | changed. |
William Dauchy | f637044 | 2020-11-14 19:25:33 +0100 | [diff] [blame] | 2318 | |
William Lallemand | 9998a33 | 2022-01-19 15:17:08 +0100 | [diff] [blame] | 2319 | This command is deprecated, create a new server dynamically with or without |
| 2320 | SSL instead, using the "add server" command. |
| 2321 | |
Andjelko Iharos | c4df59e | 2017-07-20 11:59:48 +0200 | [diff] [blame] | 2322 | set severity-output [ none | number | string ] |
| 2323 | Change the severity output format of the stats socket connected to for the |
| 2324 | duration of the current session. |
| 2325 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 2326 | set ssl ca-file <cafile> <payload> |
William Lallemand | 62c0b99 | 2022-07-29 17:50:58 +0200 | [diff] [blame] | 2327 | this command is part of a transaction system, the "commit ssl ca-file" and |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 2328 | "abort ssl ca-file" commands could be required. |
William Lallemand | 62c0b99 | 2022-07-29 17:50:58 +0200 | [diff] [blame] | 2329 | if there is no on-going transaction, it will create a ca file tree entry into |
| 2330 | which the certificates contained in the payload will be stored. the ca file |
| 2331 | entry will not be stored in the ca file tree and will only be kept in a |
| 2332 | temporary transaction. if a transaction with the same filename already exists, |
| 2333 | the previous ca file entry will be deleted and replaced by the new one. |
| 2334 | once the modifications are done, you have to commit the transaction through |
| 2335 | a "commit ssl ca-file" call. If you want to add multiple certificates |
| 2336 | separately, you can use the "add ssl ca-file" command |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 2337 | |
| 2338 | Example: |
| 2339 | echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \ |
| 2340 | socat /var/run/haproxy.stat - |
| 2341 | echo "commit ssl ca-file cafile.pem" | socat /var/run/haproxy.stat - |
| 2342 | |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 2343 | set ssl cert <filename> <payload> |
| 2344 | This command is part of a transaction system, the "commit ssl cert" and |
| 2345 | "abort ssl cert" commands could be required. |
Remi Tricot-Le Breton | 3445909 | 2021-04-14 16:19:28 +0200 | [diff] [blame] | 2346 | This whole transaction system works on any certificate displayed by the |
Remi Tricot-Le Breton | b5f0fac | 2021-04-14 16:19:29 +0200 | [diff] [blame] | 2347 | "show ssl cert" command, so on any frontend or backend certificate. |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 2348 | If there is no on-going transaction, it will duplicate the certificate |
| 2349 | <filename> in memory to a temporary transaction, then update this |
| 2350 | transaction with the PEM file in the payload. If a transaction exists with |
| 2351 | the same filename, it will update this transaction. It's also possible to |
| 2352 | update the files linked to a certificate (.issuer, .sctl, .oscp etc.) |
| 2353 | Once the modification are done, you have to "commit ssl cert" the |
| 2354 | transaction. |
| 2355 | |
William Lallemand | ed8bfad | 2021-09-16 17:30:51 +0200 | [diff] [blame] | 2356 | Injection of files over the CLI must be done with caution since an empty line |
| 2357 | is used to notify the end of the payload. It is recommended to inject a PEM |
| 2358 | file which has been sanitized. A simple method would be to remove every empty |
| 2359 | line and only leave what are in the PEM sections. It could be achieved with a |
| 2360 | sed command. |
| 2361 | |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 2362 | Example: |
William Lallemand | ed8bfad | 2021-09-16 17:30:51 +0200 | [diff] [blame] | 2363 | |
| 2364 | # With some simple sanitizing |
| 2365 | echo -e "set ssl cert localhost.pem <<\n$(sed -n '/^$/d;/-BEGIN/,/-END/p' 127.0.0.1.pem)\n" | \ |
| 2366 | socat /var/run/haproxy.stat - |
| 2367 | |
| 2368 | # Complete example with commit |
William Lallemand | 6ab08b3 | 2019-11-29 16:48:43 +0100 | [diff] [blame] | 2369 | echo -e "set ssl cert localhost.pem <<\n$(cat 127.0.0.1.pem)\n" | \ |
| 2370 | socat /var/run/haproxy.stat - |
| 2371 | echo -e \ |
| 2372 | "set ssl cert localhost.pem.issuer <<\n $(cat 127.0.0.1.pem.issuer)\n" | \ |
| 2373 | socat /var/run/haproxy.stat - |
| 2374 | echo -e \ |
| 2375 | "set ssl cert localhost.pem.ocsp <<\n$(base64 -w 1000 127.0.0.1.pem.ocsp)\n" | \ |
| 2376 | socat /var/run/haproxy.stat - |
| 2377 | echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat - |
| 2378 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 2379 | set ssl crl-file <crlfile> <payload> |
| 2380 | This command is part of a transaction system, the "commit ssl crl-file" and |
| 2381 | "abort ssl crl-file" commands could be required. |
| 2382 | If there is no on-going transaction, it will create a CRL file tree entry into |
| 2383 | which the Revocation Lists contained in the payload will be stored. The CRL |
| 2384 | file entry will not be stored in the CRL file tree and will only be kept in a |
| 2385 | temporary transaction. If a transaction with the same filename already exists, |
| 2386 | the previous CRL file entry will be deleted and replaced by the new one. |
| 2387 | Once the modifications are done, you have to commit the transaction through |
| 2388 | a "commit ssl crl-file" call. |
| 2389 | |
| 2390 | Example: |
| 2391 | echo -e "set ssl crl-file crlfile.pem <<\n$(cat rootCRL.pem)\n" | \ |
| 2392 | socat /var/run/haproxy.stat - |
| 2393 | echo "commit ssl crl-file crlfile.pem" | socat /var/run/haproxy.stat - |
| 2394 | |
Aurélien Nephtali | 1e0867c | 2018-04-18 14:04:58 +0200 | [diff] [blame] | 2395 | set ssl ocsp-response <response | payload> |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2396 | This command is used to update an OCSP Response for a certificate (see "crt" |
| 2397 | on "bind" lines). Same controls are performed as during the initial loading of |
| 2398 | the response. The <response> must be passed as a base64 encoded string of the |
Emmanuel Hocdet | 2c32d8f | 2017-05-22 14:58:00 +0200 | [diff] [blame] | 2399 | DER encoded response from the OCSP server. This command is not supported with |
| 2400 | BoringSSL. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2401 | |
| 2402 | Example: |
| 2403 | openssl ocsp -issuer issuer.pem -cert server.pem \ |
| 2404 | -host ocsp.issuer.com:80 -respout resp.der |
| 2405 | echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ |
| 2406 | socat stdio /var/run/haproxy.stat |
| 2407 | |
Aurélien Nephtali | 1e0867c | 2018-04-18 14:04:58 +0200 | [diff] [blame] | 2408 | using the payload syntax: |
| 2409 | echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \ |
| 2410 | socat stdio /var/run/haproxy.stat |
| 2411 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2412 | set ssl tls-key <id> <tlskey> |
| 2413 | Set the next TLS key for the <id> listener to <tlskey>. This key becomes the |
| 2414 | ultimate key, while the penultimate one is used for encryption (others just |
| 2415 | decrypt). The oldest TLS key present is overwritten. <id> is either a numeric |
| 2416 | #<id> or <file> returned by "show tls-keys". <tlskey> is a base64 encoded 48 |
Emeric Brun | 9e75477 | 2019-01-10 17:51:55 +0100 | [diff] [blame] | 2417 | or 80 bits TLS ticket key (ex. openssl rand 80 | openssl base64 -A). |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2418 | |
| 2419 | set table <table> key <key> [data.<data_type> <value>]* |
| 2420 | Create or update a stick-table entry in the table. If the key is not present, |
| 2421 | an entry is inserted. See stick-table in section 4.2 to find all possible |
| 2422 | values for <data_type>. The most likely use consists in dynamically entering |
| 2423 | entries for source IP addresses, with a flag in gpc0 to dynamically block an |
| 2424 | IP address or affect its quality of service. It is possible to pass multiple |
| 2425 | data_types in a single call. |
| 2426 | |
| 2427 | set timeout cli <delay> |
| 2428 | Change the CLI interface timeout for current connection. This can be useful |
| 2429 | during long debugging sessions where the user needs to constantly inspect |
| 2430 | some indicators without being disconnected. The delay is passed in seconds. |
| 2431 | |
Willy Tarreau | 4000ff0 | 2021-04-30 14:45:53 +0200 | [diff] [blame] | 2432 | set var <name> <expression> |
Willy Tarreau | e93bff4 | 2021-09-03 09:47:37 +0200 | [diff] [blame] | 2433 | set var <name> expr <expression> |
| 2434 | set var <name> fmt <format> |
Willy Tarreau | 4000ff0 | 2021-04-30 14:45:53 +0200 | [diff] [blame] | 2435 | Allows to set or overwrite the process-wide variable 'name' with the result |
Willy Tarreau | e93bff4 | 2021-09-03 09:47:37 +0200 | [diff] [blame] | 2436 | of expression <expression> or format string <format>. Only process-wide |
| 2437 | variables may be used, so the name must begin with 'proc.' otherwise no |
| 2438 | variable will be set. The <expression> and <format> may only involve |
| 2439 | "internal" sample fetch keywords and converters even though the most likely |
| 2440 | useful ones will be str('something'), int(), simple strings or references to |
| 2441 | other variables. Note that the command line parser doesn't know about quotes, |
| 2442 | so any space in the expression must be preceded by a backslash. This command |
| 2443 | requires levels "operator" or "admin". This command is only supported on a |
| 2444 | CLI connection running in experimental mode (see "experimental-mode on"). |
Willy Tarreau | 4000ff0 | 2021-04-30 14:45:53 +0200 | [diff] [blame] | 2445 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2446 | set weight <backend>/<server> <weight>[%] |
| 2447 | Change a server's weight to the value passed in argument. If the value ends |
| 2448 | with the '%' sign, then the new weight will be relative to the initially |
| 2449 | configured weight. Absolute weights are permitted between 0 and 256. |
| 2450 | Relative weights must be positive with the resulting absolute weight is |
| 2451 | capped at 256. Servers which are part of a farm running a static |
| 2452 | load-balancing algorithm have stricter limitations because the weight |
| 2453 | cannot change once set. Thus for these servers, the only accepted values |
| 2454 | are 0 and 100% (or 0 and the initial weight). Changes take effect |
| 2455 | immediately, though certain LB algorithms require a certain amount of |
| 2456 | requests to consider changes. A typical usage of this command is to |
| 2457 | disable a server during an update by setting its weight to zero, then to |
| 2458 | enable it again after the update by setting it back to 100%. This command |
| 2459 | is restricted and can only be issued on sockets configured for level |
| 2460 | "admin". Both the backend and the server may be specified either by their |
| 2461 | name or by their numeric ID, prefixed with a sharp ('#'). |
| 2462 | |
Willy Tarreau | 95f753e | 2021-04-30 12:09:54 +0200 | [diff] [blame] | 2463 | show acl [[@<ver>] <acl>] |
Willy Tarreau | d6129fc | 2017-07-28 16:52:23 +0200 | [diff] [blame] | 2464 | Dump info about acl converters. Without argument, the list of all available |
Willy Tarreau | 95f753e | 2021-04-30 12:09:54 +0200 | [diff] [blame] | 2465 | acls is returned. If a <acl> is specified, its contents are dumped. <acl> is |
| 2466 | the #<id> or <file>. By default the current version of the ACL is shown (the |
| 2467 | version currently being matched against and reported as 'curr_ver' in the ACL |
| 2468 | list). It is possible to instead dump other versions by prepending '@<ver>' |
| 2469 | before the ACL's identifier. The version works as a filter and non-existing |
| 2470 | versions will simply report no result. The dump format is the same as for the |
| 2471 | maps even for the sample values. The data returned are not a list of |
| 2472 | available ACL, but are the list of all patterns composing any ACL. Many of |
Dragan Dosen | a75eea7 | 2021-05-21 16:59:15 +0200 | [diff] [blame] | 2473 | these patterns can be shared with maps. The 'entry_cnt' value represents the |
| 2474 | count of all the ACL entries, not just the active ones, which means that it |
| 2475 | also includes entries currently being added. |
Willy Tarreau | d6129fc | 2017-07-28 16:52:23 +0200 | [diff] [blame] | 2476 | |
| 2477 | show backend |
| 2478 | Dump the list of backends available in the running process |
| 2479 | |
William Lallemand | 67a234f | 2018-12-13 09:05:45 +0100 | [diff] [blame] | 2480 | show cli level |
| 2481 | Display the CLI level of the current CLI session. The result could be |
| 2482 | 'admin', 'operator' or 'user'. See also the 'operator' and 'user' commands. |
| 2483 | |
| 2484 | Example : |
| 2485 | |
| 2486 | $ socat /tmp/sock1 readline |
| 2487 | prompt |
| 2488 | > operator |
| 2489 | > show cli level |
| 2490 | operator |
| 2491 | > user |
| 2492 | > show cli level |
| 2493 | user |
| 2494 | > operator |
| 2495 | Permission denied |
| 2496 | |
| 2497 | operator |
| 2498 | Decrease the CLI level of the current CLI session to operator. It can't be |
Amaury Denoyelle | 18487fb | 2021-03-18 15:32:53 +0100 | [diff] [blame] | 2499 | increased. It also drops expert and experimental mode. See also "show cli |
| 2500 | level". |
William Lallemand | 67a234f | 2018-12-13 09:05:45 +0100 | [diff] [blame] | 2501 | |
| 2502 | user |
| 2503 | Decrease the CLI level of the current CLI session to user. It can't be |
Amaury Denoyelle | 18487fb | 2021-03-18 15:32:53 +0100 | [diff] [blame] | 2504 | increased. It also drops expert and experimental mode. See also "show cli |
| 2505 | level". |
William Lallemand | 67a234f | 2018-12-13 09:05:45 +0100 | [diff] [blame] | 2506 | |
Willy Tarreau | 9a7fa90 | 2022-07-15 16:51:16 +0200 | [diff] [blame] | 2507 | show activity [-1 | 0 | thread_num] |
Willy Tarreau | 4c35693 | 2019-05-16 17:39:32 +0200 | [diff] [blame] | 2508 | Reports some counters about internal events that will help developers and |
| 2509 | more generally people who know haproxy well enough to narrow down the causes |
| 2510 | of reports of abnormal behaviours. A typical example would be a properly |
| 2511 | running process never sleeping and eating 100% of the CPU. The output fields |
| 2512 | will be made of one line per metric, and per-thread counters on the same |
Thayne McCombs | cdbcca9 | 2021-01-07 21:24:41 -0700 | [diff] [blame] | 2513 | line. These counters are 32-bit and will wrap during the process's life, which |
Willy Tarreau | 4c35693 | 2019-05-16 17:39:32 +0200 | [diff] [blame] | 2514 | is not a problem since calls to this command will typically be performed |
| 2515 | twice. The fields are purposely not documented so that their exact meaning is |
| 2516 | verified in the code where the counters are fed. These values are also reset |
Willy Tarreau | 9a7fa90 | 2022-07-15 16:51:16 +0200 | [diff] [blame] | 2517 | by the "clear counters" command. On multi-threaded deployments, the first |
| 2518 | column will indicate the total (or average depending on the nature of the |
| 2519 | metric) for all threads, and the list of all threads' values will be |
| 2520 | represented between square brackets in the thread order. Optionally the |
| 2521 | thread number to be dumped may be specified in argument. The special value |
| 2522 | "0" will report the aggregated value (first column), and "-1", which is the |
| 2523 | default, will display all the columns. Note that just like in single-threaded |
| 2524 | mode, there will be no brackets when a single column is requested. |
Willy Tarreau | 4c35693 | 2019-05-16 17:39:32 +0200 | [diff] [blame] | 2525 | |
William Lallemand | 5113216 | 2016-12-16 16:38:58 +0100 | [diff] [blame] | 2526 | show cli sockets |
| 2527 | List CLI sockets. The output format is composed of 3 fields separated by |
| 2528 | spaces. The first field is the socket address, it can be a unix socket, a |
| 2529 | ipv4 address:port couple or a ipv6 one. Socket of other types won't be dump. |
| 2530 | The second field describe the level of the socket: 'admin', 'user' or |
| 2531 | 'operator'. The last field list the processes on which the socket is bound, |
| 2532 | separated by commas, it can be numbers or 'all'. |
| 2533 | |
| 2534 | Example : |
| 2535 | |
| 2536 | $ echo 'show cli sockets' | socat stdio /tmp/sock1 |
| 2537 | # socket lvl processes |
| 2538 | /tmp/sock1 admin all |
| 2539 | 127.0.0.1:9999 user 2,3,4 |
| 2540 | 127.0.0.2:9969 user 2 |
| 2541 | [::1]:9999 operator 2 |
| 2542 | |
William Lallemand | 86d0df0 | 2017-11-24 21:36:45 +0100 | [diff] [blame] | 2543 | show cache |
Cyril Bonté | 7b888f1 | 2017-11-26 22:24:31 +0100 | [diff] [blame] | 2544 | List the configured caches and the objects stored in each cache tree. |
William Lallemand | 86d0df0 | 2017-11-24 21:36:45 +0100 | [diff] [blame] | 2545 | |
| 2546 | $ echo 'show cache' | socat stdio /tmp/sock1 |
| 2547 | 0x7f6ac6c5b03a: foobar (shctx:0x7f6ac6c5b000, available blocks:3918) |
| 2548 | 1 2 3 4 |
| 2549 | |
| 2550 | 1. pointer to the cache structure |
| 2551 | 2. cache name |
| 2552 | 3. pointer to the mmap area (shctx) |
| 2553 | 4. number of blocks available for reuse in the shctx |
| 2554 | |
Remi Tricot-Le Breton | e3e1e5f | 2020-11-27 15:48:40 +0100 | [diff] [blame] | 2555 | 0x7f6ac6c5b4cc hash:286881868 vary:0x0011223344556677 size:39114 (39 blocks), refcount:9, expire:237 |
| 2556 | 1 2 3 4 5 6 7 |
William Lallemand | 86d0df0 | 2017-11-24 21:36:45 +0100 | [diff] [blame] | 2557 | |
| 2558 | 1. pointer to the cache entry |
| 2559 | 2. first 32 bits of the hash |
Remi Tricot-Le Breton | e3e1e5f | 2020-11-27 15:48:40 +0100 | [diff] [blame] | 2560 | 3. secondary hash of the entry in case of vary |
| 2561 | 4. size of the object in bytes |
| 2562 | 5. number of blocks used for the object |
| 2563 | 6. number of transactions using the entry |
| 2564 | 7. expiration time, can be negative if already expired |
William Lallemand | 86d0df0 | 2017-11-24 21:36:45 +0100 | [diff] [blame] | 2565 | |
Willy Tarreau | ae79572 | 2016-02-16 11:27:28 +0100 | [diff] [blame] | 2566 | show env [<name>] |
| 2567 | Dump one or all environment variables known by the process. Without any |
| 2568 | argument, all variables are dumped. With an argument, only the specified |
| 2569 | variable is dumped if it exists. Otherwise "Variable not found" is emitted. |
| 2570 | Variables are dumped in the same format as they are stored or returned by the |
| 2571 | "env" utility, that is, "<name>=<value>". This can be handy when debugging |
| 2572 | certain configuration files making heavy use of environment variables to |
| 2573 | ensure that they contain the expected values. This command is restricted and |
| 2574 | can only be issued on sockets configured for levels "operator" or "admin". |
| 2575 | |
Willy Tarreau | 35069f8 | 2016-11-25 09:16:37 +0100 | [diff] [blame] | 2576 | show errors [<iid>|<proxy>] [request|response] |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2577 | Dump last known request and response errors collected by frontends and |
| 2578 | backends. If <iid> is specified, the limit the dump to errors concerning |
Willy Tarreau | 234ba2d | 2016-11-25 08:39:10 +0100 | [diff] [blame] | 2579 | either frontend or backend whose ID is <iid>. Proxy ID "-1" will cause |
| 2580 | all instances to be dumped. If a proxy name is specified instead, its ID |
Willy Tarreau | 35069f8 | 2016-11-25 09:16:37 +0100 | [diff] [blame] | 2581 | will be used as the filter. If "request" or "response" is added after the |
| 2582 | proxy name or ID, only request or response errors will be dumped. This |
| 2583 | command is restricted and can only be issued on sockets configured for |
| 2584 | levels "operator" or "admin". |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2585 | |
| 2586 | The errors which may be collected are the last request and response errors |
| 2587 | caused by protocol violations, often due to invalid characters in header |
| 2588 | names. The report precisely indicates what exact character violated the |
| 2589 | protocol. Other important information such as the exact date the error was |
| 2590 | detected, frontend and backend names, the server name (when known), the |
| 2591 | internal session ID and the source address which has initiated the session |
| 2592 | are reported too. |
| 2593 | |
| 2594 | All characters are returned, and non-printable characters are encoded. The |
| 2595 | most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one |
| 2596 | letter following a backslash. The backslash itself is encoded as '\\' to |
| 2597 | avoid confusion. Other non-printable characters are encoded '\xNN' where |
| 2598 | NN is the two-digits hexadecimal representation of the character's ASCII |
| 2599 | code. |
| 2600 | |
| 2601 | Lines are prefixed with the position of their first character, starting at 0 |
| 2602 | for the beginning of the buffer. At most one input line is printed per line, |
| 2603 | and large lines will be broken into multiple consecutive output lines so that |
| 2604 | the output never goes beyond 79 characters wide. It is easy to detect if a |
| 2605 | line was broken, because it will not end with '\n' and the next line's offset |
| 2606 | will be followed by a '+' sign, indicating it is a continuation of previous |
| 2607 | line. |
| 2608 | |
| 2609 | Example : |
Willy Tarreau | 35069f8 | 2016-11-25 09:16:37 +0100 | [diff] [blame] | 2610 | $ echo "show errors -1 response" | socat stdio /tmp/sock1 |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2611 | >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response |
| 2612 | src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1) |
| 2613 | response length 213 bytes, error at position 23: |
| 2614 | |
| 2615 | 00000 HTTP/1.0 200 OK\r\n |
| 2616 | 00017 header/bizarre:blah\r\n |
| 2617 | 00038 Location: blah\r\n |
| 2618 | 00054 Long-line: this is a very long line which should b |
| 2619 | 00104+ e broken into multiple lines on the output buffer, |
| 2620 | 00154+ otherwise it would be too large to print in a ter |
| 2621 | 00204+ minal\r\n |
| 2622 | 00211 \r\n |
| 2623 | |
| 2624 | In the example above, we see that the backend "http-in" which has internal |
| 2625 | ID 2 has blocked an invalid response from its server s2 which has internal |
| 2626 | ID 1. The request was on session 54 initiated by source 127.0.0.1 and |
| 2627 | received by frontend fe-eth0 whose ID is 1. The total response length was |
| 2628 | 213 bytes when the error was detected, and the error was at byte 23. This |
| 2629 | is the slash ('/') in header name "header/bizarre", which is not a valid |
| 2630 | HTTP character for a header name. |
| 2631 | |
Willy Tarreau | 1d181e4 | 2019-08-30 11:17:01 +0200 | [diff] [blame] | 2632 | show events [<sink>] [-w] [-n] |
Willy Tarreau | 9f830d7 | 2019-08-26 18:17:04 +0200 | [diff] [blame] | 2633 | With no option, this lists all known event sinks and their types. With an |
| 2634 | option, it will dump all available events in the designated sink if it is of |
Willy Tarreau | 1d181e4 | 2019-08-30 11:17:01 +0200 | [diff] [blame] | 2635 | type buffer. If option "-w" is passed after the sink name, then once the end |
| 2636 | of the buffer is reached, the command will wait for new events and display |
| 2637 | them. It is possible to stop the operation by entering any input (which will |
| 2638 | be discarded) or by closing the session. Finally, option "-n" is used to |
| 2639 | directly seek to the end of the buffer, which is often convenient when |
| 2640 | combined with "-w" to only report new events. For convenience, "-wn" or "-nw" |
| 2641 | may be used to enable both options at once. |
Willy Tarreau | 9f830d7 | 2019-08-26 18:17:04 +0200 | [diff] [blame] | 2642 | |
Willy Tarreau | 7a4a0ac | 2017-07-25 19:32:50 +0200 | [diff] [blame] | 2643 | show fd [<fd>] |
| 2644 | Dump the list of either all open file descriptors or just the one number <fd> |
| 2645 | if specified. This is only aimed at developers who need to observe internal |
| 2646 | states in order to debug complex issues such as abnormal CPU usages. One fd |
| 2647 | is reported per lines, and for each of them, its state in the poller using |
| 2648 | upper case letters for enabled flags and lower case for disabled flags, using |
| 2649 | "P" for "polled", "R" for "ready", "A" for "active", the events status using |
| 2650 | "H" for "hangup", "E" for "error", "O" for "output", "P" for "priority" and |
| 2651 | "I" for "input", a few other flags like "N" for "new" (just added into the fd |
| 2652 | cache), "U" for "updated" (received an update in the fd cache), "L" for |
| 2653 | "linger_risk", "C" for "cloned", then the cached entry position, the pointer |
| 2654 | to the internal owner, the pointer to the I/O callback and its name when |
| 2655 | known. When the owner is a connection, the connection flags, and the target |
| 2656 | are reported (frontend, proxy or server). When the owner is a listener, the |
| 2657 | listener's state and its frontend are reported. There is no point in using |
| 2658 | this command without a good knowledge of the internals. It's worth noting |
| 2659 | that the output format may evolve over time so this output must not be parsed |
Willy Tarreau | 8050efe | 2021-01-21 08:26:06 +0100 | [diff] [blame] | 2660 | by tools designed to be durable. Some internal structure states may look |
| 2661 | suspicious to the function listing them, in this case the output line will be |
| 2662 | suffixed with an exclamation mark ('!'). This may help find a starting point |
| 2663 | when trying to diagnose an incident. |
Willy Tarreau | 7a4a0ac | 2017-07-25 19:32:50 +0200 | [diff] [blame] | 2664 | |
Willy Tarreau | 2745620 | 2021-05-08 07:54:24 +0200 | [diff] [blame] | 2665 | show info [typed|json] [desc] [float] |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 2666 | Dump info about haproxy status on current process. If "typed" is passed as an |
| 2667 | optional argument, field numbers, names and types are emitted as well so that |
| 2668 | external monitoring products can easily retrieve, possibly aggregate, then |
| 2669 | report information found in fields they don't know. Each field is dumped on |
Simon Horman | 05ee213 | 2017-01-04 09:37:25 +0100 | [diff] [blame] | 2670 | its own line. If "json" is passed as an optional argument then |
| 2671 | information provided by "typed" output is provided in JSON format as a |
| 2672 | list of JSON objects. By default, the format contains only two columns |
| 2673 | delimited by a colon (':'). The left one is the field name and the right |
| 2674 | one is the value. It is very important to note that in typed output |
| 2675 | format, the dump for a single object is contiguous so that there is no |
Willy Tarreau | 2745620 | 2021-05-08 07:54:24 +0200 | [diff] [blame] | 2676 | need for a consumer to store everything at once. If "float" is passed as an |
| 2677 | optional argument, some fields usually emitted as integers may switch to |
| 2678 | floats for higher accuracy. It is purposely unspecified which ones are |
| 2679 | concerned as this might evolve over time. Using this option implies that the |
| 2680 | consumer is able to process floats. The output format used is sprintf("%f"). |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 2681 | |
| 2682 | When using the typed output format, each line is made of 4 columns delimited |
| 2683 | by colons (':'). The first column is a dot-delimited series of 3 elements. The |
| 2684 | first element is the numeric position of the field in the list (starting at |
| 2685 | zero). This position shall not change over time, but holes are to be expected, |
| 2686 | depending on build options or if some fields are deleted in the future. The |
| 2687 | second element is the field name as it appears in the default "show info" |
| 2688 | output. The third element is the relative process number starting at 1. |
| 2689 | |
| 2690 | The rest of the line starting after the first colon follows the "typed output |
| 2691 | format" described in the section above. In short, the second column (after the |
| 2692 | first ':') indicates the origin, nature and scope of the variable. The third |
| 2693 | column indicates the type of the field, among "s32", "s64", "u32", "u64" and |
| 2694 | "str". Then the fourth column is the value itself, which the consumer knows |
| 2695 | how to parse thanks to column 3 and how to process thanks to column 2. |
| 2696 | |
| 2697 | Thus the overall line format in typed mode is : |
| 2698 | |
| 2699 | <field_pos>.<field_name>.<process_num>:<tags>:<type>:<value> |
| 2700 | |
Willy Tarreau | 6b19b14 | 2019-10-09 15:44:21 +0200 | [diff] [blame] | 2701 | When "desc" is appended to the command, one extra colon followed by a quoted |
| 2702 | string is appended with a description for the metric. At the time of writing, |
| 2703 | this is only supported for the "typed" and default output formats. |
| 2704 | |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 2705 | Example : |
| 2706 | |
| 2707 | > show info |
| 2708 | Name: HAProxy |
| 2709 | Version: 1.7-dev1-de52ea-146 |
| 2710 | Release_date: 2016/03/11 |
| 2711 | Nbproc: 1 |
| 2712 | Process_num: 1 |
| 2713 | Pid: 28105 |
| 2714 | Uptime: 0d 0h00m04s |
| 2715 | Uptime_sec: 4 |
| 2716 | Memmax_MB: 0 |
| 2717 | PoolAlloc_MB: 0 |
| 2718 | PoolUsed_MB: 0 |
| 2719 | PoolFailed: 0 |
| 2720 | (...) |
| 2721 | |
| 2722 | > show info typed |
| 2723 | 0.Name.1:POS:str:HAProxy |
| 2724 | 1.Version.1:POS:str:1.7-dev1-de52ea-146 |
| 2725 | 2.Release_date.1:POS:str:2016/03/11 |
| 2726 | 3.Nbproc.1:CGS:u32:1 |
| 2727 | 4.Process_num.1:KGP:u32:1 |
| 2728 | 5.Pid.1:SGP:u32:28105 |
| 2729 | 6.Uptime.1:MDP:str:0d 0h00m08s |
| 2730 | 7.Uptime_sec.1:MDP:u32:8 |
| 2731 | 8.Memmax_MB.1:CLP:u32:0 |
| 2732 | 9.PoolAlloc_MB.1:MGP:u32:0 |
| 2733 | 10.PoolUsed_MB.1:MGP:u32:0 |
| 2734 | 11.PoolFailed.1:MCP:u32:0 |
| 2735 | (...) |
| 2736 | |
Simon Horman | 1084a36 | 2016-11-21 17:00:24 +0100 | [diff] [blame] | 2737 | In the typed format, the presence of the process ID at the end of the |
| 2738 | first column makes it very easy to visually aggregate outputs from |
| 2739 | multiple processes. |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 2740 | Example : |
| 2741 | |
| 2742 | $ ( echo show info typed | socat /var/run/haproxy.sock1 ; \ |
| 2743 | echo show info typed | socat /var/run/haproxy.sock2 ) | \ |
| 2744 | sort -t . -k 1,1n -k 2,2 -k 3,3n |
| 2745 | 0.Name.1:POS:str:HAProxy |
| 2746 | 0.Name.2:POS:str:HAProxy |
| 2747 | 1.Version.1:POS:str:1.7-dev1-868ab3-148 |
| 2748 | 1.Version.2:POS:str:1.7-dev1-868ab3-148 |
| 2749 | 2.Release_date.1:POS:str:2016/03/11 |
| 2750 | 2.Release_date.2:POS:str:2016/03/11 |
| 2751 | 3.Nbproc.1:CGS:u32:2 |
| 2752 | 3.Nbproc.2:CGS:u32:2 |
| 2753 | 4.Process_num.1:KGP:u32:1 |
| 2754 | 4.Process_num.2:KGP:u32:2 |
| 2755 | 5.Pid.1:SGP:u32:30120 |
| 2756 | 5.Pid.2:SGP:u32:30121 |
| 2757 | 6.Uptime.1:MDP:str:0d 0h01m28s |
| 2758 | 6.Uptime.2:MDP:str:0d 0h01m28s |
| 2759 | (...) |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2760 | |
Simon Horman | 05ee213 | 2017-01-04 09:37:25 +0100 | [diff] [blame] | 2761 | The format of JSON output is described in a schema which may be output |
Simon Horman | 6f6bb38 | 2017-01-04 09:37:26 +0100 | [diff] [blame] | 2762 | using "show schema json". |
Simon Horman | 05ee213 | 2017-01-04 09:37:25 +0100 | [diff] [blame] | 2763 | |
| 2764 | The JSON output contains no extra whitespace in order to reduce the |
| 2765 | volume of output. For human consumption passing the output through a |
| 2766 | pretty printer may be helpful. Example : |
| 2767 | |
| 2768 | $ echo "show info json" | socat /var/run/haproxy.sock stdio | \ |
| 2769 | python -m json.tool |
| 2770 | |
Simon Horman | 6f6bb38 | 2017-01-04 09:37:26 +0100 | [diff] [blame] | 2771 | The JSON output contains no extra whitespace in order to reduce the |
| 2772 | volume of output. For human consumption passing the output through a |
| 2773 | pretty printer may be helpful. Example : |
| 2774 | |
| 2775 | $ echo "show info json" | socat /var/run/haproxy.sock stdio | \ |
| 2776 | python -m json.tool |
| 2777 | |
Willy Tarreau | 6ab7b21 | 2021-12-28 09:57:10 +0100 | [diff] [blame] | 2778 | show libs |
| 2779 | Dump the list of loaded shared dynamic libraries and object files, on systems |
| 2780 | that support it. When available, for each shared object the range of virtual |
| 2781 | addresses will be indicated, the size and the path to the object. This can be |
| 2782 | used for example to try to estimate what library provides a function that |
| 2783 | appears in a dump. Note that on many systems, addresses will change upon each |
| 2784 | restart (address space randomization), so that this list would need to be |
| 2785 | retrieved upon startup if it is expected to be used to analyse a core file. |
| 2786 | This command may only be issued on sockets configured for levels "operator" |
| 2787 | or "admin". Note that the output format may vary between operating systems, |
| 2788 | architectures and even haproxy versions, and ought not to be relied on in |
| 2789 | scripts. |
| 2790 | |
Willy Tarreau | 95f753e | 2021-04-30 12:09:54 +0200 | [diff] [blame] | 2791 | show map [[@<ver>] <map>] |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2792 | Dump info about map converters. Without argument, the list of all available |
| 2793 | maps is returned. If a <map> is specified, its contents are dumped. <map> is |
Willy Tarreau | 95f753e | 2021-04-30 12:09:54 +0200 | [diff] [blame] | 2794 | the #<id> or <file>. By default the current version of the map is shown (the |
| 2795 | version currently being matched against and reported as 'curr_ver' in the map |
| 2796 | list). It is possible to instead dump other versions by prepending '@<ver>' |
| 2797 | before the map's identifier. The version works as a filter and non-existing |
Dragan Dosen | a75eea7 | 2021-05-21 16:59:15 +0200 | [diff] [blame] | 2798 | versions will simply report no result. The 'entry_cnt' value represents the |
| 2799 | count of all the map entries, not just the active ones, which means that it |
| 2800 | also includes entries currently being added. |
Willy Tarreau | 95f753e | 2021-04-30 12:09:54 +0200 | [diff] [blame] | 2801 | |
| 2802 | In the output, the first column is a unique entry identifier, which is usable |
| 2803 | as a reference for operations "del map" and "set map". The second column is |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2804 | the pattern and the third column is the sample if available. The data returned |
| 2805 | are not directly a list of available maps, but are the list of all patterns |
| 2806 | composing any map. Many of these patterns can be shared with ACL. |
| 2807 | |
Willy Tarreau | 49962b5 | 2021-02-12 16:56:22 +0100 | [diff] [blame] | 2808 | show peers [dict|-] [<peers section>] |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2809 | Dump info about the peers configured in "peers" sections. Without argument, |
| 2810 | the list of the peers belonging to all the "peers" sections are listed. If |
| 2811 | <peers section> is specified, only the information about the peers belonging |
Willy Tarreau | 49962b5 | 2021-02-12 16:56:22 +0100 | [diff] [blame] | 2812 | to this "peers" section are dumped. When "dict" is specified before the peers |
| 2813 | section name, the entire Tx/Rx dictionary caches will also be dumped (very |
| 2814 | large). Passing "-" may be required to dump a peers section called "dict". |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2815 | |
Michael Prokop | 4438c60 | 2019-05-24 10:25:45 +0200 | [diff] [blame] | 2816 | Here are two examples of outputs where hostA, hostB and hostC peers belong to |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2817 | "sharedlb" peers sections. Only hostA and hostB are connected. Only hostA has |
| 2818 | sent data to hostB. |
| 2819 | |
| 2820 | $ echo "show peers" | socat - /tmp/hostA |
| 2821 | 0x55deb0224320: [15/Apr/2019:11:28:01] id=sharedlb state=0 flags=0x3 \ |
Emeric Brun | 0bbec0f | 2019-04-18 11:39:43 +0200 | [diff] [blame] | 2822 | resync_timeout=<PAST> task_calls=45122 |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2823 | 0x55deb022b540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \ |
| 2824 | reconnect=4s confirm=0 |
| 2825 | flags=0x0 |
| 2826 | 0x55deb022a440: id=hostA(local) addr=127.0.0.10:10000 status=NONE \ |
| 2827 | reconnect=<NEVER> confirm=0 |
| 2828 | flags=0x0 |
| 2829 | 0x55deb0227d70: id=hostB(remote) addr=127.0.0.11:10001 status=ESTA |
| 2830 | reconnect=2s confirm=0 |
Emeric Brun | 0bbec0f | 2019-04-18 11:39:43 +0200 | [diff] [blame] | 2831 | flags=0x20000200 appctx:0x55deb028fba0 st0=7 st1=0 task_calls=14456 \ |
| 2832 | state=EST |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2833 | xprt=RAW src=127.0.0.1:37257 addr=127.0.0.10:10000 |
| 2834 | remote_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1 |
| 2835 | last_local_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1 |
| 2836 | shared tables: |
| 2837 | 0x55deb0224a10 local_id=1 remote_id=1 flags=0x0 remote_data=0x65 |
| 2838 | last_acked=0 last_pushed=3 last_get=0 teaching_origin=0 update=3 |
| 2839 | table:0x55deb022d6a0 id=stkt update=3 localupdate=3 \ |
| 2840 | commitupdate=3 syncing=0 |
| 2841 | |
| 2842 | $ echo "show peers" | socat - /tmp/hostB |
| 2843 | 0x55871b5ab320: [15/Apr/2019:11:28:03] id=sharedlb state=0 flags=0x3 \ |
Emeric Brun | 0bbec0f | 2019-04-18 11:39:43 +0200 | [diff] [blame] | 2844 | resync_timeout=<PAST> task_calls=3 |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2845 | 0x55871b5b2540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \ |
| 2846 | reconnect=3s confirm=0 |
| 2847 | flags=0x0 |
| 2848 | 0x55871b5b1440: id=hostB(local) addr=127.0.0.11:10001 status=NONE \ |
| 2849 | reconnect=<NEVER> confirm=0 |
| 2850 | flags=0x0 |
| 2851 | 0x55871b5aed70: id=hostA(remote) addr=127.0.0.10:10000 status=ESTA \ |
| 2852 | reconnect=2s confirm=0 |
Emeric Brun | 0bbec0f | 2019-04-18 11:39:43 +0200 | [diff] [blame] | 2853 | flags=0x20000200 appctx:0x7fa46800ee00 st0=7 st1=0 task_calls=62356 \ |
| 2854 | state=EST |
Frédéric Lécaille | 21dde50 | 2019-04-15 13:50:23 +0200 | [diff] [blame] | 2855 | remote_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1 |
| 2856 | last_local_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1 |
| 2857 | shared tables: |
| 2858 | 0x55871b5ab960 local_id=1 remote_id=1 flags=0x0 remote_data=0x65 |
| 2859 | last_acked=3 last_pushed=0 last_get=3 teaching_origin=0 update=0 |
| 2860 | table:0x55871b5b46a0 id=stkt update=1 localupdate=0 \ |
| 2861 | commitupdate=0 syncing=0 |
| 2862 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2863 | show pools |
| 2864 | Dump the status of internal memory pools. This is useful to track memory |
| 2865 | usage when suspecting a memory leak for example. It does exactly the same |
| 2866 | as the SIGQUIT when running in foreground except that it does not flush |
| 2867 | the pools. |
| 2868 | |
Willy Tarreau | e86bc35 | 2022-09-08 16:38:10 +0200 | [diff] [blame] | 2869 | show profiling [{all | status | tasks | memory}] [byaddr|bytime|aggr|<max_lines>]* |
Willy Tarreau | 75c62c2 | 2018-11-22 11:02:09 +0100 | [diff] [blame] | 2870 | Dumps the current profiling settings, one per line, as well as the command |
Willy Tarreau | 1bd67e9 | 2021-01-29 00:07:40 +0100 | [diff] [blame] | 2871 | needed to change them. When tasks profiling is enabled, some per-function |
| 2872 | statistics collected by the scheduler will also be emitted, with a summary |
Willy Tarreau | 42712cb | 2021-05-05 17:48:13 +0200 | [diff] [blame] | 2873 | covering the number of calls, total/avg CPU time and total/avg latency. When |
| 2874 | memory profiling is enabled, some information such as the number of |
| 2875 | allocations/releases and their sizes will be reported. It is possible to |
| 2876 | limit the dump to only the profiling status, the tasks, or the memory |
| 2877 | profiling by specifying the respective keywords; by default all profiling |
| 2878 | information are dumped. It is also possible to limit the number of lines |
Willy Tarreau | f1c8a38 | 2021-05-13 10:00:17 +0200 | [diff] [blame] | 2879 | of output of each category by specifying a numeric limit. If is possible to |
Willy Tarreau | e86bc35 | 2022-09-08 16:38:10 +0200 | [diff] [blame] | 2880 | request that the output is sorted by address or by total execution time |
| 2881 | instead of usage, e.g. to ease comparisons between subsequent calls or to |
| 2882 | check what needs to be optimized, and to aggregate task activity by called |
| 2883 | function instead of seeing the details. Please note that profiling is |
Willy Tarreau | f1c8a38 | 2021-05-13 10:00:17 +0200 | [diff] [blame] | 2884 | essentially aimed at developers since it gives hints about where CPU cycles |
| 2885 | or memory are wasted in the code. There is nothing useful to monitor there. |
Willy Tarreau | 75c62c2 | 2018-11-22 11:02:09 +0100 | [diff] [blame] | 2886 | |
Willy Tarreau | 87ef323 | 2021-01-29 12:01:46 +0100 | [diff] [blame] | 2887 | show resolvers [<resolvers section id>] |
| 2888 | Dump statistics for the given resolvers section, or all resolvers sections |
| 2889 | if no section is supplied. |
| 2890 | |
| 2891 | For each name server, the following counters are reported: |
| 2892 | sent: number of DNS requests sent to this server |
| 2893 | valid: number of DNS valid responses received from this server |
| 2894 | update: number of DNS responses used to update the server's IP address |
| 2895 | cname: number of CNAME responses |
| 2896 | cname_error: CNAME errors encountered with this server |
| 2897 | any_err: number of empty response (IE: server does not support ANY type) |
| 2898 | nx: non existent domain response received from this server |
| 2899 | timeout: how many time this server did not answer in time |
| 2900 | refused: number of requests refused by this server |
| 2901 | other: any other DNS errors |
| 2902 | invalid: invalid DNS response (from a protocol point of view) |
| 2903 | too_big: too big response |
| 2904 | outdated: number of response arrived too late (after an other name server) |
| 2905 | |
Willy Tarreau | 69f591e | 2020-07-01 07:00:59 +0200 | [diff] [blame] | 2906 | show servers conn [<backend>] |
| 2907 | Dump the current and idle connections state of the servers belonging to the |
| 2908 | designated backend (or all backends if none specified). A backend name or |
| 2909 | identifier may be used. |
| 2910 | |
| 2911 | The output consists in a header line showing the fields titles, then one |
| 2912 | server per line with for each, the backend name and ID, server name and ID, |
| 2913 | the address, port and a series or values. The number of fields varies |
| 2914 | depending on thread count. |
| 2915 | |
| 2916 | Given the threaded nature of idle connections, it's important to understand |
| 2917 | that some values may change once read, and that as such, consistency within a |
| 2918 | line isn't granted. This output is mostly provided as a debugging tool and is |
| 2919 | not relevant to be routinely monitored nor graphed. |
| 2920 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2921 | show servers state [<backend>] |
| 2922 | Dump the state of the servers found in the running configuration. A backend |
| 2923 | name or identifier may be provided to limit the output to this backend only. |
| 2924 | |
| 2925 | The dump has the following format: |
| 2926 | - first line contains the format version (1 in this specification); |
| 2927 | - second line contains the column headers, prefixed by a sharp ('#'); |
| 2928 | - third line and next ones contain data; |
| 2929 | - each line starting by a sharp ('#') is considered as a comment. |
| 2930 | |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 2931 | Since multiple versions of the output may co-exist, below is the list of |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2932 | fields and their order per file format version : |
| 2933 | 1: |
| 2934 | be_id: Backend unique id. |
| 2935 | be_name: Backend label. |
| 2936 | srv_id: Server unique id (in the backend). |
| 2937 | srv_name: Server label. |
| 2938 | srv_addr: Server IP address. |
| 2939 | srv_op_state: Server operational state (UP/DOWN/...). |
Cyril Bonté | 5b2ce8a | 2016-11-02 00:19:58 +0100 | [diff] [blame] | 2940 | 0 = SRV_ST_STOPPED |
| 2941 | The server is down. |
| 2942 | 1 = SRV_ST_STARTING |
| 2943 | The server is warming up (up but |
| 2944 | throttled). |
| 2945 | 2 = SRV_ST_RUNNING |
| 2946 | The server is fully up. |
| 2947 | 3 = SRV_ST_STOPPING |
| 2948 | The server is up but soft-stopping |
| 2949 | (eg: 404). |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2950 | srv_admin_state: Server administrative state (MAINT/DRAIN/...). |
Cyril Bonté | 5b2ce8a | 2016-11-02 00:19:58 +0100 | [diff] [blame] | 2951 | The state is actually a mask of values : |
| 2952 | 0x01 = SRV_ADMF_FMAINT |
| 2953 | The server was explicitly forced into |
| 2954 | maintenance. |
| 2955 | 0x02 = SRV_ADMF_IMAINT |
| 2956 | The server has inherited the maintenance |
| 2957 | status from a tracked server. |
| 2958 | 0x04 = SRV_ADMF_CMAINT |
| 2959 | The server is in maintenance because of |
| 2960 | the configuration. |
| 2961 | 0x08 = SRV_ADMF_FDRAIN |
| 2962 | The server was explicitly forced into |
| 2963 | drain state. |
| 2964 | 0x10 = SRV_ADMF_IDRAIN |
| 2965 | The server has inherited the drain status |
| 2966 | from a tracked server. |
Baptiste Assmann | 89aa7f3 | 2016-11-02 21:31:27 +0100 | [diff] [blame] | 2967 | 0x20 = SRV_ADMF_RMAINT |
| 2968 | The server is in maintenance because of an |
| 2969 | IP address resolution failure. |
Frédéric Lécaille | b418c12 | 2017-04-26 11:24:02 +0200 | [diff] [blame] | 2970 | 0x40 = SRV_ADMF_HMAINT |
| 2971 | The server FQDN was set from stats socket. |
| 2972 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2973 | srv_uweight: User visible server's weight. |
| 2974 | srv_iweight: Server's initial weight. |
| 2975 | srv_time_since_last_change: Time since last operational change. |
| 2976 | srv_check_status: Last health check status. |
| 2977 | srv_check_result: Last check result (FAILED/PASSED/...). |
Cyril Bonté | 5b2ce8a | 2016-11-02 00:19:58 +0100 | [diff] [blame] | 2978 | 0 = CHK_RES_UNKNOWN |
| 2979 | Initialized to this by default. |
| 2980 | 1 = CHK_RES_NEUTRAL |
| 2981 | Valid check but no status information. |
| 2982 | 2 = CHK_RES_FAILED |
| 2983 | Check failed. |
| 2984 | 3 = CHK_RES_PASSED |
| 2985 | Check succeeded and server is fully up |
| 2986 | again. |
| 2987 | 4 = CHK_RES_CONDPASS |
| 2988 | Check reports the server doesn't want new |
| 2989 | sessions. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 2990 | srv_check_health: Checks rise / fall current counter. |
| 2991 | srv_check_state: State of the check (ENABLED/PAUSED/...). |
Cyril Bonté | 5b2ce8a | 2016-11-02 00:19:58 +0100 | [diff] [blame] | 2992 | The state is actually a mask of values : |
| 2993 | 0x01 = CHK_ST_INPROGRESS |
| 2994 | A check is currently running. |
| 2995 | 0x02 = CHK_ST_CONFIGURED |
| 2996 | This check is configured and may be |
| 2997 | enabled. |
| 2998 | 0x04 = CHK_ST_ENABLED |
| 2999 | This check is currently administratively |
| 3000 | enabled. |
| 3001 | 0x08 = CHK_ST_PAUSED |
| 3002 | Checks are paused because of maintenance |
| 3003 | (health only). |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3004 | srv_agent_state: State of the agent check (ENABLED/PAUSED/...). |
Cyril Bonté | 5b2ce8a | 2016-11-02 00:19:58 +0100 | [diff] [blame] | 3005 | This state uses the same mask values as |
| 3006 | "srv_check_state", adding this specific one : |
| 3007 | 0x10 = CHK_ST_AGENT |
| 3008 | Check is an agent check (otherwise it's a |
| 3009 | health check). |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3010 | bk_f_forced_id: Flag to know if the backend ID is forced by |
| 3011 | configuration. |
| 3012 | srv_f_forced_id: Flag to know if the server's ID is forced by |
| 3013 | configuration. |
Frédéric Lécaille | b418c12 | 2017-04-26 11:24:02 +0200 | [diff] [blame] | 3014 | srv_fqdn: Server FQDN. |
Frédéric Lécaille | 3169471 | 2017-08-01 08:47:19 +0200 | [diff] [blame] | 3015 | srv_port: Server port. |
Baptiste Assmann | 6d0f38f | 2018-07-02 17:00:54 +0200 | [diff] [blame] | 3016 | srvrecord: DNS SRV record associated to this SRV. |
William Dauchy | f637044 | 2020-11-14 19:25:33 +0100 | [diff] [blame] | 3017 | srv_use_ssl: use ssl for server connections. |
William Dauchy | d1a7b85 | 2021-02-11 22:51:26 +0100 | [diff] [blame] | 3018 | srv_check_port: Server health check port. |
| 3019 | srv_check_addr: Server health check address. |
| 3020 | srv_agent_addr: Server health agent address. |
| 3021 | srv_agent_port: Server health agent port. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3022 | |
| 3023 | show sess |
| 3024 | Dump all known sessions. Avoid doing this on slow connections as this can |
| 3025 | be huge. This command is restricted and can only be issued on sockets |
Willy Tarreau | c6e7a1b | 2020-06-28 01:24:12 +0200 | [diff] [blame] | 3026 | configured for levels "operator" or "admin". Note that on machines with |
| 3027 | quickly recycled connections, it is possible that this output reports less |
| 3028 | entries than really exist because it will dump all existing sessions up to |
| 3029 | the last one that was created before the command was entered; those which |
| 3030 | die in the mean time will not appear. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3031 | |
| 3032 | show sess <id> |
| 3033 | Display a lot of internal information about the specified session identifier. |
| 3034 | This identifier is the first field at the beginning of the lines in the dumps |
| 3035 | of "show sess" (it corresponds to the session pointer). Those information are |
| 3036 | useless to most users but may be used by haproxy developers to troubleshoot a |
| 3037 | complex bug. The output format is intentionally not documented so that it can |
| 3038 | freely evolve depending on demands. You may find a description of all fields |
| 3039 | returned in src/dumpstats.c |
| 3040 | |
| 3041 | The special id "all" dumps the states of all sessions, which must be avoided |
| 3042 | as much as possible as it is highly CPU intensive and can take a lot of time. |
| 3043 | |
Daniel Corbett | c40edac | 2020-11-01 10:54:17 -0500 | [diff] [blame] | 3044 | show stat [domain <dns|proxy>] [{<iid>|<proxy>} <type> <sid>] [typed|json] \ |
Willy Tarreau | 698097b | 2020-10-23 20:19:47 +0200 | [diff] [blame] | 3045 | [desc] [up|no-maint] |
Daniel Corbett | c40edac | 2020-11-01 10:54:17 -0500 | [diff] [blame] | 3046 | Dump statistics. The domain is used to select which statistics to print; dns |
| 3047 | and proxy are available for now. By default, the CSV format is used; you can |
Amaury Denoyelle | 072f97e | 2020-10-05 11:49:37 +0200 | [diff] [blame] | 3048 | activate the extended typed output format described in the section above if |
| 3049 | "typed" is passed after the other arguments; or in JSON if "json" is passed |
| 3050 | after the other arguments. By passing <id>, <type> and <sid>, it is possible |
| 3051 | to dump only selected items : |
Willy Tarreau | a1b1ed5 | 2016-11-25 08:50:58 +0100 | [diff] [blame] | 3052 | - <iid> is a proxy ID, -1 to dump everything. Alternatively, a proxy name |
| 3053 | <proxy> may be specified. In this case, this proxy's ID will be used as |
| 3054 | the ID selector. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3055 | - <type> selects the type of dumpable objects : 1 for frontends, 2 for |
| 3056 | backends, 4 for servers, -1 for everything. These values can be ORed, |
| 3057 | for example: |
| 3058 | 1 + 2 = 3 -> frontend + backend. |
| 3059 | 1 + 2 + 4 = 7 -> frontend + backend + server. |
| 3060 | - <sid> is a server ID, -1 to dump everything from the selected proxy. |
| 3061 | |
| 3062 | Example : |
| 3063 | $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1 |
| 3064 | >>> Name: HAProxy |
| 3065 | Version: 1.4-dev2-49 |
| 3066 | Release_date: 2009/09/23 |
| 3067 | Nbproc: 1 |
| 3068 | Process_num: 1 |
| 3069 | (...) |
| 3070 | |
| 3071 | # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...) |
| 3072 | stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...) |
| 3073 | stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...) |
| 3074 | (...) |
| 3075 | www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...) |
| 3076 | |
| 3077 | $ |
| 3078 | |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3079 | In this example, two commands have been issued at once. That way it's easy to |
| 3080 | find which process the stats apply to in multi-process mode. This is not |
| 3081 | needed in the typed output format as the process number is reported on each |
| 3082 | line. Notice the empty line after the information output which marks the end |
| 3083 | of the first block. A similar empty line appears at the end of the second |
| 3084 | block (stats) so that the reader knows the output has not been truncated. |
| 3085 | |
| 3086 | When "typed" is specified, the output format is more suitable to monitoring |
| 3087 | tools because it provides numeric positions and indicates the type of each |
| 3088 | output field. Each value stands on its own line with process number, element |
| 3089 | number, nature, origin and scope. This same format is available via the HTTP |
| 3090 | stats by passing ";typed" after the URI. It is very important to note that in |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 3091 | typed output format, the dump for a single object is contiguous so that there |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3092 | is no need for a consumer to store everything at once. |
| 3093 | |
Willy Tarreau | 698097b | 2020-10-23 20:19:47 +0200 | [diff] [blame] | 3094 | The "up" modifier will result in listing only servers which reportedly up or |
| 3095 | not checked. Those down, unresolved, or in maintenance will not be listed. |
| 3096 | This is analogous to the ";up" option on the HTTP stats. Similarly, the |
| 3097 | "no-maint" modifier will act like the ";no-maint" HTTP modifier and will |
| 3098 | result in disabled servers not to be listed. The difference is that those |
| 3099 | which are enabled but down will not be evicted. |
| 3100 | |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3101 | When using the typed output format, each line is made of 4 columns delimited |
| 3102 | by colons (':'). The first column is a dot-delimited series of 5 elements. The |
| 3103 | first element is a letter indicating the type of the object being described. |
| 3104 | At the moment the following object types are known : 'F' for a frontend, 'B' |
| 3105 | for a backend, 'L' for a listener, and 'S' for a server. The second element |
| 3106 | The second element is a positive integer representing the unique identifier of |
| 3107 | the proxy the object belongs to. It is equivalent to the "iid" column of the |
| 3108 | CSV output and matches the value in front of the optional "id" directive found |
| 3109 | in the frontend or backend section. The third element is a positive integer |
| 3110 | containing the unique object identifier inside the proxy, and corresponds to |
| 3111 | the "sid" column of the CSV output. ID 0 is reported when dumping a frontend |
| 3112 | or a backend. For a listener or a server, this corresponds to their respective |
| 3113 | ID inside the proxy. The fourth element is the numeric position of the field |
| 3114 | in the list (starting at zero). This position shall not change over time, but |
| 3115 | holes are to be expected, depending on build options or if some fields are |
| 3116 | deleted in the future. The fifth element is the field name as it appears in |
| 3117 | the CSV output. The sixth element is a positive integer and is the relative |
| 3118 | process number starting at 1. |
| 3119 | |
| 3120 | The rest of the line starting after the first colon follows the "typed output |
| 3121 | format" described in the section above. In short, the second column (after the |
| 3122 | first ':') indicates the origin, nature and scope of the variable. The third |
Willy Tarreau | 589722e | 2021-05-08 07:46:44 +0200 | [diff] [blame] | 3123 | column indicates the field type, among "s32", "s64", "u32", "u64", "flt' and |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3124 | "str". Then the fourth column is the value itself, which the consumer knows |
| 3125 | how to parse thanks to column 3 and how to process thanks to column 2. |
| 3126 | |
Willy Tarreau | 6b19b14 | 2019-10-09 15:44:21 +0200 | [diff] [blame] | 3127 | When "desc" is appended to the command, one extra colon followed by a quoted |
| 3128 | string is appended with a description for the metric. At the time of writing, |
| 3129 | this is only supported for the "typed" output format. |
| 3130 | |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3131 | Thus the overall line format in typed mode is : |
| 3132 | |
| 3133 | <obj>.<px_id>.<id>.<fpos>.<fname>.<process_num>:<tags>:<type>:<value> |
| 3134 | |
| 3135 | Here's an example of typed output format : |
| 3136 | |
| 3137 | $ echo "show stat typed" | socat stdio unix-connect:/tmp/sock1 |
| 3138 | F.2.0.0.pxname.1:MGP:str:private-frontend |
| 3139 | F.2.0.1.svname.1:MGP:str:FRONTEND |
| 3140 | F.2.0.8.bin.1:MGP:u64:0 |
| 3141 | F.2.0.9.bout.1:MGP:u64:0 |
| 3142 | F.2.0.40.hrsp_2xx.1:MGP:u64:0 |
| 3143 | L.2.1.0.pxname.1:MGP:str:private-frontend |
| 3144 | L.2.1.1.svname.1:MGP:str:sock-1 |
| 3145 | L.2.1.17.status.1:MGP:str:OPEN |
| 3146 | L.2.1.73.addr.1:MGP:str:0.0.0.0:8001 |
| 3147 | S.3.13.60.rtime.1:MCP:u32:0 |
| 3148 | S.3.13.61.ttime.1:MCP:u32:0 |
| 3149 | S.3.13.62.agent_status.1:MGP:str:L4TOUT |
| 3150 | S.3.13.64.agent_duration.1:MGP:u64:2001 |
| 3151 | S.3.13.65.check_desc.1:MCP:str:Layer4 timeout |
| 3152 | S.3.13.66.agent_desc.1:MCP:str:Layer4 timeout |
| 3153 | S.3.13.67.check_rise.1:MCP:u32:2 |
| 3154 | S.3.13.68.check_fall.1:MCP:u32:3 |
| 3155 | S.3.13.69.check_health.1:SGP:u32:0 |
| 3156 | S.3.13.70.agent_rise.1:MaP:u32:1 |
| 3157 | S.3.13.71.agent_fall.1:SGP:u32:1 |
| 3158 | S.3.13.72.agent_health.1:SGP:u32:1 |
| 3159 | S.3.13.73.addr.1:MCP:str:1.255.255.255:8888 |
| 3160 | S.3.13.75.mode.1:MAP:str:http |
| 3161 | B.3.0.0.pxname.1:MGP:str:private-backend |
| 3162 | B.3.0.1.svname.1:MGP:str:BACKEND |
| 3163 | B.3.0.2.qcur.1:MGP:u32:0 |
| 3164 | B.3.0.3.qmax.1:MGP:u32:0 |
| 3165 | B.3.0.4.scur.1:MGP:u32:0 |
| 3166 | B.3.0.5.smax.1:MGP:u32:0 |
| 3167 | B.3.0.6.slim.1:MGP:u32:1000 |
| 3168 | B.3.0.55.lastsess.1:MMP:s32:-1 |
| 3169 | (...) |
| 3170 | |
Simon Horman | 1084a36 | 2016-11-21 17:00:24 +0100 | [diff] [blame] | 3171 | In the typed format, the presence of the process ID at the end of the |
| 3172 | first column makes it very easy to visually aggregate outputs from |
| 3173 | multiple processes, as show in the example below where each line appears |
| 3174 | for each process : |
Willy Tarreau | 5d8b979 | 2016-03-11 11:09:34 +0100 | [diff] [blame] | 3175 | |
| 3176 | $ ( echo show stat typed | socat /var/run/haproxy.sock1 - ; \ |
| 3177 | echo show stat typed | socat /var/run/haproxy.sock2 - ) | \ |
| 3178 | sort -t . -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5 -k 6,6n |
| 3179 | B.3.0.0.pxname.1:MGP:str:private-backend |
| 3180 | B.3.0.0.pxname.2:MGP:str:private-backend |
| 3181 | B.3.0.1.svname.1:MGP:str:BACKEND |
| 3182 | B.3.0.1.svname.2:MGP:str:BACKEND |
| 3183 | B.3.0.2.qcur.1:MGP:u32:0 |
| 3184 | B.3.0.2.qcur.2:MGP:u32:0 |
| 3185 | B.3.0.3.qmax.1:MGP:u32:0 |
| 3186 | B.3.0.3.qmax.2:MGP:u32:0 |
| 3187 | B.3.0.4.scur.1:MGP:u32:0 |
| 3188 | B.3.0.4.scur.2:MGP:u32:0 |
| 3189 | B.3.0.5.smax.1:MGP:u32:0 |
| 3190 | B.3.0.5.smax.2:MGP:u32:0 |
| 3191 | B.3.0.6.slim.1:MGP:u32:1000 |
| 3192 | B.3.0.6.slim.2:MGP:u32:1000 |
| 3193 | (...) |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3194 | |
Simon Horman | 05ee213 | 2017-01-04 09:37:25 +0100 | [diff] [blame] | 3195 | The format of JSON output is described in a schema which may be output |
Simon Horman | 6f6bb38 | 2017-01-04 09:37:26 +0100 | [diff] [blame] | 3196 | using "show schema json". |
| 3197 | |
| 3198 | The JSON output contains no extra whitespace in order to reduce the |
| 3199 | volume of output. For human consumption passing the output through a |
| 3200 | pretty printer may be helpful. Example : |
| 3201 | |
| 3202 | $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \ |
| 3203 | python -m json.tool |
Simon Horman | 05ee213 | 2017-01-04 09:37:25 +0100 | [diff] [blame] | 3204 | |
| 3205 | The JSON output contains no extra whitespace in order to reduce the |
| 3206 | volume of output. For human consumption passing the output through a |
| 3207 | pretty printer may be helpful. Example : |
| 3208 | |
| 3209 | $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \ |
| 3210 | python -m json.tool |
| 3211 | |
Remi Tricot-Le Breton | e88a2ca | 2021-04-08 15:30:23 +0200 | [diff] [blame] | 3212 | show ssl ca-file [<cafile>[:<index>]] |
| 3213 | Display the list of CA files used by HAProxy and their respective certificate |
| 3214 | counts. If a filename is prefixed by an asterisk, it is a transaction which |
| 3215 | is not committed yet. If a <cafile> is specified without <index>, it will show |
| 3216 | the status of the CA file ("Used"/"Unused") followed by details about all the |
| 3217 | certificates contained in the CA file. The details displayed for every |
| 3218 | certificate are the same as the ones displayed by a "show ssl cert" command. |
| 3219 | If a <cafile> is specified followed by an <index>, it will only display the |
| 3220 | details of the certificate having the specified index. Indexes start from 1. |
| 3221 | If the index is invalid (too big for instance), nothing will be displayed. |
| 3222 | This command can be useful to check if a CA file was properly updated. |
| 3223 | You can also display the details of an ongoing transaction by prefixing the |
| 3224 | filename by an asterisk. |
| 3225 | |
| 3226 | Example : |
| 3227 | |
| 3228 | $ echo "show ssl ca-file" | socat /var/run/haproxy.master - |
| 3229 | # transaction |
| 3230 | *cafile.crt - 2 certificate(s) |
| 3231 | # filename |
| 3232 | cafile.crt - 1 certificate(s) |
| 3233 | |
| 3234 | $ echo "show ssl ca-file cafile.crt" | socat /var/run/haproxy.master - |
| 3235 | Filename: /home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt |
| 3236 | Status: Used |
| 3237 | |
| 3238 | Certificate #1: |
| 3239 | Serial: 11A4D2200DC84376E7D233CAFF39DF44BF8D1211 |
| 3240 | notBefore: Apr 1 07:40:53 2021 GMT |
| 3241 | notAfter: Aug 17 07:40:53 2048 GMT |
| 3242 | Subject Alternative Name: |
| 3243 | Algorithm: RSA4096 |
| 3244 | SHA1 FingerPrint: A111EF0FEFCDE11D47FE3F33ADCA8435EBEA4864 |
| 3245 | Subject: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA |
| 3246 | Issuer: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA |
| 3247 | |
| 3248 | $ echo "show ssl ca-file *cafile.crt:2" | socat /var/run/haproxy.master - |
| 3249 | Filename: */home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt |
| 3250 | Status: Unused |
| 3251 | |
| 3252 | Certificate #2: |
| 3253 | Serial: 587A1CE5ED855040A0C82BF255FF300ADB7C8136 |
| 3254 | [...] |
| 3255 | |
William Lallemand | d4f946c | 2019-12-05 10:26:40 +0100 | [diff] [blame] | 3256 | show ssl cert [<filename>] |
Remi Tricot-Le Breton | b5f0fac | 2021-04-14 16:19:29 +0200 | [diff] [blame] | 3257 | Display the list of certificates used on frontends and backends. |
| 3258 | If a filename is prefixed by an asterisk, it is a transaction which is not |
| 3259 | committed yet. If a filename is specified, it will show details about the |
| 3260 | certificate. This command can be useful to check if a certificate was well |
| 3261 | updated. You can also display details on a transaction by prefixing the |
| 3262 | filename by an asterisk. |
Remi Tricot-Le Breton | 6056e61 | 2021-06-10 13:51:15 +0200 | [diff] [blame] | 3263 | This command can also be used to display the details of a certificate's OCSP |
| 3264 | response by suffixing the filename with a ".ocsp" extension. It works for |
| 3265 | committed certificates as well as for ongoing transactions. On a committed |
| 3266 | certificate, this command is equivalent to calling "show ssl ocsp-response" |
| 3267 | with the certificate's corresponding OCSP response ID. |
William Lallemand | d4f946c | 2019-12-05 10:26:40 +0100 | [diff] [blame] | 3268 | |
| 3269 | Example : |
| 3270 | |
| 3271 | $ echo "@1 show ssl cert" | socat /var/run/haproxy.master - |
| 3272 | # transaction |
| 3273 | *test.local.pem |
| 3274 | # filename |
| 3275 | test.local.pem |
| 3276 | |
| 3277 | $ echo "@1 show ssl cert test.local.pem" | socat /var/run/haproxy.master - |
| 3278 | Filename: test.local.pem |
| 3279 | Serial: 03ECC19BA54B25E85ABA46EE561B9A10D26F |
| 3280 | notBefore: Sep 13 21:20:24 2019 GMT |
| 3281 | notAfter: Dec 12 21:20:24 2019 GMT |
| 3282 | Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 |
| 3283 | Subject: /CN=test.local |
| 3284 | Subject Alternative Name: DNS:test.local, DNS:imap.test.local |
| 3285 | Algorithm: RSA2048 |
| 3286 | SHA1 FingerPrint: 417A11CAE25F607B24F638B4A8AEE51D1E211477 |
| 3287 | |
| 3288 | $ echo "@1 show ssl cert *test.local.pem" | socat /var/run/haproxy.master - |
| 3289 | Filename: *test.local.pem |
| 3290 | [...] |
| 3291 | |
Remi Tricot-Le Breton | 3c222bd | 2021-04-27 16:28:25 +0200 | [diff] [blame] | 3292 | show ssl crl-file [<crlfile>[:<index>]] |
| 3293 | Display the list of CRL files used by HAProxy. |
| 3294 | If a filename is prefixed by an asterisk, it is a transaction which is not |
| 3295 | committed yet. If a <crlfile> is specified without <index>, it will show the |
| 3296 | status of the CRL file ("Used"/"Unused") followed by details about all the |
| 3297 | Revocation Lists contained in the CRL file. The details displayed for every |
| 3298 | list are based on the output of "openssl crl -text -noout -in <file>". |
| 3299 | If a <crlfile> is specified followed by an <index>, it will only display the |
| 3300 | details of the list having the specified index. Indexes start from 1. |
| 3301 | If the index is invalid (too big for instance), nothing will be displayed. |
| 3302 | This command can be useful to check if a CRL file was properly updated. |
| 3303 | You can also display the details of an ongoing transaction by prefixing the |
| 3304 | filename by an asterisk. |
| 3305 | |
| 3306 | Example : |
| 3307 | |
| 3308 | $ echo "show ssl crl-file" | socat /var/run/haproxy.master - |
| 3309 | # transaction |
| 3310 | *crlfile.pem |
| 3311 | # filename |
| 3312 | crlfile.pem |
| 3313 | |
| 3314 | $ echo "show ssl crl-file crlfile.pem" | socat /var/run/haproxy.master - |
| 3315 | Filename: /home/tricot/work/haproxy/reg-tests/ssl/crlfile.pem |
| 3316 | Status: Used |
| 3317 | |
| 3318 | Certificate Revocation List #1: |
| 3319 | Version 1 |
| 3320 | Signature Algorithm: sha256WithRSAEncryption |
| 3321 | Issuer: /C=FR/O=HAProxy Technologies/CN=Intermediate CA2 |
| 3322 | Last Update: Apr 23 14:45:39 2021 GMT |
| 3323 | Next Update: Sep 8 14:45:39 2048 GMT |
| 3324 | Revoked Certificates: |
| 3325 | Serial Number: 1008 |
| 3326 | Revocation Date: Apr 23 14:45:36 2021 GMT |
| 3327 | |
| 3328 | Certificate Revocation List #2: |
| 3329 | Version 1 |
| 3330 | Signature Algorithm: sha256WithRSAEncryption |
| 3331 | Issuer: /C=FR/O=HAProxy Technologies/CN=Root CA |
| 3332 | Last Update: Apr 23 14:30:44 2021 GMT |
| 3333 | Next Update: Sep 8 14:30:44 2048 GMT |
| 3334 | No Revoked Certificates. |
| 3335 | |
William Lallemand | c69f02d | 2020-04-06 19:07:03 +0200 | [diff] [blame] | 3336 | show ssl crt-list [-n] [<filename>] |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 3337 | Display the list of crt-list and directories used in the HAProxy |
William Lallemand | c69f02d | 2020-04-06 19:07:03 +0200 | [diff] [blame] | 3338 | configuration. If a filename is specified, dump the content of a crt-list or |
| 3339 | a directory. Once dumped the output can be used as a crt-list file. |
| 3340 | The '-n' option can be used to display the line number, which is useful when |
| 3341 | combined with the 'del ssl crt-list' option when a entry is duplicated. The |
| 3342 | output with the '-n' option is not compatible with the crt-list format and |
| 3343 | not loadable by haproxy. |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 3344 | |
| 3345 | Example: |
William Lallemand | c69f02d | 2020-04-06 19:07:03 +0200 | [diff] [blame] | 3346 | echo "show ssl crt-list -n localhost.crt-list" | socat /tmp/sock1 - |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 3347 | # localhost.crt-list |
William Lallemand | c69f02d | 2020-04-06 19:07:03 +0200 | [diff] [blame] | 3348 | common.pem:1 !not.test1.com *.test1.com !localhost |
| 3349 | common.pem:2 |
| 3350 | ecdsa.pem:3 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com |
| 3351 | ecdsa.pem:4 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] |
William Lallemand | accac23 | 2020-04-02 17:42:51 +0200 | [diff] [blame] | 3352 | |
Remi Tricot-Le Breton | d92fd11 | 2021-06-10 13:51:13 +0200 | [diff] [blame] | 3353 | show ssl ocsp-response [<id>] |
| 3354 | Display the IDs of the OCSP tree entries corresponding to all the OCSP |
| 3355 | responses used in HAProxy, as well as the issuer's name and key hash and the |
| 3356 | serial number of the certificate for which the OCSP response was built. |
| 3357 | If a valid <id> is provided, display the contents of the corresponding OCSP |
| 3358 | response. The information displayed is the same as in an "openssl ocsp -respin |
| 3359 | <ocsp-response> -text" call. |
| 3360 | |
| 3361 | Example : |
| 3362 | |
| 3363 | $ echo "show ssl ocsp-response" | socat /var/run/haproxy.master - |
| 3364 | # Certificate IDs |
| 3365 | Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a |
| 3366 | Certificate ID: |
Remi Tricot-Le Breton | d92fd11 | 2021-06-10 13:51:13 +0200 | [diff] [blame] | 3367 | Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A |
| 3368 | Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A |
| 3369 | Serial Number: 100A |
| 3370 | |
| 3371 | $ echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | socat /var/run/haproxy.master - |
| 3372 | OCSP Response Data: |
| 3373 | OCSP Response Status: successful (0x0) |
| 3374 | Response Type: Basic OCSP Response |
| 3375 | Version: 1 (0x0) |
| 3376 | Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com |
| 3377 | Produced At: May 27 15:43:38 2021 GMT |
| 3378 | Responses: |
| 3379 | Certificate ID: |
| 3380 | Hash Algorithm: sha1 |
| 3381 | Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A |
| 3382 | Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A |
| 3383 | Serial Number: 100A |
| 3384 | Cert Status: good |
| 3385 | This Update: May 27 15:43:38 2021 GMT |
| 3386 | Next Update: Oct 12 15:43:38 2048 GMT |
| 3387 | [...] |
| 3388 | |
Remi Tricot-Le Breton | f87c67e | 2022-04-21 12:06:41 +0200 | [diff] [blame] | 3389 | show ssl providers |
| 3390 | Display the names of the providers loaded by OpenSSL during init. Provider |
| 3391 | loading can indeed be configured via the OpenSSL configuration file and this |
| 3392 | option allows to check that the right providers were loaded. This command is |
| 3393 | only available with OpenSSL v3. |
| 3394 | |
| 3395 | Example : |
| 3396 | $ echo "show ssl providers" | socat /var/run/haproxy.master - |
| 3397 | Loaded providers : |
| 3398 | - fips |
| 3399 | - base |
| 3400 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3401 | show table |
| 3402 | Dump general information on all known stick-tables. Their name is returned |
| 3403 | (the name of the proxy which holds them), their type (currently zero, always |
| 3404 | IP), their size in maximum possible number of entries, and the number of |
| 3405 | entries currently in use. |
| 3406 | |
| 3407 | Example : |
| 3408 | $ echo "show table" | socat stdio /tmp/sock1 |
| 3409 | >>> # table: front_pub, type: ip, size:204800, used:171454 |
| 3410 | >>> # table: back_rdp, type: ip, size:204800, used:0 |
| 3411 | |
Adis Nezirovic | 1a693fc | 2020-01-16 15:19:29 +0100 | [diff] [blame] | 3412 | show table <name> [ data.<type> <operator> <value> [data.<type> ...]] | [ key <key> ] |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3413 | Dump contents of stick-table <name>. In this mode, a first line of generic |
| 3414 | information about the table is reported as with "show table", then all |
| 3415 | entries are dumped. Since this can be quite heavy, it is possible to specify |
| 3416 | a filter in order to specify what entries to display. |
| 3417 | |
| 3418 | When the "data." form is used the filter applies to the stored data (see |
| 3419 | "stick-table" in section 4.2). A stored data type must be specified |
| 3420 | in <type>, and this data type must be stored in the table otherwise an |
| 3421 | error is reported. The data is compared according to <operator> with the |
| 3422 | 64-bit integer <value>. Operators are the same as with the ACLs : |
| 3423 | |
| 3424 | - eq : match entries whose data is equal to this value |
| 3425 | - ne : match entries whose data is not equal to this value |
| 3426 | - le : match entries whose data is less than or equal to this value |
| 3427 | - ge : match entries whose data is greater than or equal to this value |
| 3428 | - lt : match entries whose data is less than this value |
| 3429 | - gt : match entries whose data is greater than this value |
| 3430 | |
Adis Nezirovic | 1a693fc | 2020-01-16 15:19:29 +0100 | [diff] [blame] | 3431 | In this form, you can use multiple data filter entries, up to a maximum |
| 3432 | defined during build time (4 by default). |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3433 | |
| 3434 | When the key form is used the entry <key> is shown. The key must be of the |
| 3435 | same type as the table, which currently is limited to IPv4, IPv6, integer, |
| 3436 | and string. |
| 3437 | |
| 3438 | Example : |
| 3439 | $ echo "show table http_proxy" | socat stdio /tmp/sock1 |
| 3440 | >>> # table: http_proxy, type: ip, size:204800, used:2 |
| 3441 | >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \ |
| 3442 | bytes_out_rate(60000)=187 |
| 3443 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 3444 | bytes_out_rate(60000)=191 |
| 3445 | |
| 3446 | $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1 |
| 3447 | >>> # table: http_proxy, type: ip, size:204800, used:2 |
| 3448 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 3449 | bytes_out_rate(60000)=191 |
| 3450 | |
| 3451 | $ echo "show table http_proxy data.conn_rate gt 5" | \ |
| 3452 | socat stdio /tmp/sock1 |
| 3453 | >>> # table: http_proxy, type: ip, size:204800, used:2 |
| 3454 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 3455 | bytes_out_rate(60000)=191 |
| 3456 | |
| 3457 | $ echo "show table http_proxy key 127.0.0.2" | \ |
| 3458 | socat stdio /tmp/sock1 |
| 3459 | >>> # table: http_proxy, type: ip, size:204800, used:2 |
| 3460 | >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \ |
| 3461 | bytes_out_rate(60000)=191 |
| 3462 | |
| 3463 | When the data criterion applies to a dynamic value dependent on time such as |
| 3464 | a bytes rate, the value is dynamically computed during the evaluation of the |
| 3465 | entry in order to decide whether it has to be dumped or not. This means that |
| 3466 | such a filter could match for some time then not match anymore because as |
| 3467 | time goes, the average event rate drops. |
| 3468 | |
| 3469 | It is possible to use this to extract lists of IP addresses abusing the |
| 3470 | service, in order to monitor them or even blacklist them in a firewall. |
| 3471 | Example : |
| 3472 | $ echo "show table http_proxy data.gpc0 gt 0" \ |
| 3473 | | socat stdio /tmp/sock1 \ |
| 3474 | | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt |
| 3475 | ( or | awk '/key/{ print a[split($2,a,"=")]; }' ) |
| 3476 | |
Willy Tarreau | 7eff06e | 2021-01-29 11:32:55 +0100 | [diff] [blame] | 3477 | show tasks |
| 3478 | Dumps the number of tasks currently in the run queue, with the number of |
| 3479 | occurrences for each function, and their average latency when it's known |
| 3480 | (for pure tasks with task profiling enabled). The dump is a snapshot of the |
| 3481 | instant it's done, and there may be variations depending on what tasks are |
| 3482 | left in the queue at the moment it happens, especially in mono-thread mode |
| 3483 | as there's less chance that I/Os can refill the queue (unless the queue is |
| 3484 | full). This command takes exclusive access to the process and can cause |
| 3485 | minor but measurable latencies when issued on a highly loaded process, so |
| 3486 | it must not be abused by monitoring bots. |
| 3487 | |
Willy Tarreau | 4e2b646 | 2019-05-16 17:44:30 +0200 | [diff] [blame] | 3488 | show threads |
| 3489 | Dumps some internal states and structures for each thread, that may be useful |
| 3490 | to help developers understand a problem. The output tries to be readable by |
Willy Tarreau | c7091d8 | 2019-05-17 10:08:49 +0200 | [diff] [blame] | 3491 | showing one block per thread. When haproxy is built with USE_THREAD_DUMP=1, |
| 3492 | an advanced dump mechanism involving thread signals is used so that each |
| 3493 | thread can dump its own state in turn. Without this option, the thread |
| 3494 | processing the command shows all its details but the other ones are less |
Willy Tarreau | e6a02fa | 2019-05-22 07:06:44 +0200 | [diff] [blame] | 3495 | detailed. A star ('*') is displayed in front of the thread handling the |
| 3496 | command. A right angle bracket ('>') may also be displayed in front of |
| 3497 | threads which didn't make any progress since last invocation of this command, |
| 3498 | indicating a bug in the code which must absolutely be reported. When this |
| 3499 | happens between two threads it usually indicates a deadlock. If a thread is |
| 3500 | alone, it's a different bug like a corrupted list. In all cases the process |
| 3501 | needs is not fully functional anymore and needs to be restarted. |
| 3502 | |
| 3503 | The output format is purposely not documented so that it can easily evolve as |
| 3504 | new needs are identified, without having to maintain any form of backwards |
| 3505 | compatibility, and just like with "show activity", the values are meaningless |
| 3506 | without the code at hand. |
Willy Tarreau | 4e2b646 | 2019-05-16 17:44:30 +0200 | [diff] [blame] | 3507 | |
William Lallemand | bb93346 | 2016-05-31 21:09:53 +0200 | [diff] [blame] | 3508 | show tls-keys [id|*] |
| 3509 | Dump all loaded TLS ticket keys references. The TLS ticket key reference ID |
| 3510 | and the file from which the keys have been loaded is shown. Both of those |
| 3511 | can be used to update the TLS keys using "set ssl tls-key". If an ID is |
| 3512 | specified as parameter, it will dump the tickets, using * it will dump every |
| 3513 | keys from every references. |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3514 | |
Simon Horman | 6f6bb38 | 2017-01-04 09:37:26 +0100 | [diff] [blame] | 3515 | show schema json |
| 3516 | Dump the schema used for the output of "show info json" and "show stat json". |
| 3517 | |
| 3518 | The contains no extra whitespace in order to reduce the volume of output. |
| 3519 | For human consumption passing the output through a pretty printer may be |
| 3520 | helpful. Example : |
| 3521 | |
| 3522 | $ echo "show schema json" | socat /var/run/haproxy.sock stdio | \ |
| 3523 | python -m json.tool |
| 3524 | |
| 3525 | The schema follows "JSON Schema" (json-schema.org) and accordingly |
| 3526 | verifiers may be used to verify the output of "show info json" and "show |
| 3527 | stat json" against the schema. |
| 3528 | |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3529 | show trace [<source>] |
| 3530 | Show the current trace status. For each source a line is displayed with a |
| 3531 | single-character status indicating if the trace is stopped, waiting, or |
| 3532 | running. The output sink used by the trace is indicated (or "none" if none |
| 3533 | was set), as well as the number of dropped events in this sink, followed by a |
| 3534 | brief description of the source. If a source name is specified, a detailed |
| 3535 | list of all events supported by the source, and their status for each action |
| 3536 | (report, start, pause, stop), indicated by a "+" if they are enabled, or a |
| 3537 | "-" otherwise. All these events are independent and an event might trigger |
| 3538 | a start without being reported and conversely. |
Simon Horman | 6f6bb38 | 2017-01-04 09:37:26 +0100 | [diff] [blame] | 3539 | |
William Lallemand | 740629e | 2021-12-14 15:22:29 +0100 | [diff] [blame] | 3540 | show version |
| 3541 | Show the version of the current HAProxy process. This is available from |
| 3542 | master and workers CLI. |
| 3543 | Example: |
| 3544 | |
| 3545 | $ echo "show version" | socat /var/run/haproxy.sock stdio |
| 3546 | 2.4.9 |
| 3547 | |
| 3548 | $ echo "show version" | socat /var/run/haproxy-master.sock stdio |
| 3549 | 2.5.0 |
| 3550 | |
Willy Tarreau | 44aed90 | 2015-10-13 14:45:29 +0200 | [diff] [blame] | 3551 | shutdown frontend <frontend> |
| 3552 | Completely delete the specified frontend. All the ports it was bound to will |
| 3553 | be released. It will not be possible to enable the frontend anymore after |
| 3554 | this operation. This is intended to be used in environments where stopping a |
| 3555 | proxy is not even imaginable but a misconfigured proxy must be fixed. That |
| 3556 | way it's possible to release the port and bind it into another process to |
| 3557 | restore operations. The frontend will not appear at all on the stats page |
| 3558 | once it is terminated. |
| 3559 | |
| 3560 | The frontend may be specified either by its name or by its numeric ID, |
| 3561 | prefixed with a sharp ('#'). |
| 3562 | |
| 3563 | This command is restricted and can only be issued on sockets configured for |
| 3564 | level "admin". |
| 3565 | |
| 3566 | shutdown session <id> |
| 3567 | Immediately terminate the session matching the specified session identifier. |
| 3568 | This identifier is the first field at the beginning of the lines in the dumps |
| 3569 | of "show sess" (it corresponds to the session pointer). This can be used to |
| 3570 | terminate a long-running session without waiting for a timeout or when an |
| 3571 | endless transfer is ongoing. Such terminated sessions are reported with a 'K' |
| 3572 | flag in the logs. |
| 3573 | |
| 3574 | shutdown sessions server <backend>/<server> |
| 3575 | Immediately terminate all the sessions attached to the specified server. This |
| 3576 | can be used to terminate long-running sessions after a server is put into |
| 3577 | maintenance mode, for instance. Such terminated sessions are reported with a |
| 3578 | 'K' flag in the logs. |
| 3579 | |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3580 | trace |
| 3581 | The "trace" command alone lists the trace sources, their current status, and |
| 3582 | their brief descriptions. It is only meant as a menu to enter next levels, |
| 3583 | see other "trace" commands below. |
| 3584 | |
| 3585 | trace 0 |
| 3586 | Immediately stops all traces. This is made to be used as a quick solution |
| 3587 | to terminate a debugging session or as an emergency action to be used in case |
| 3588 | complex traces were enabled on multiple sources and impact the service. |
| 3589 | |
| 3590 | trace <source> event [ [+|-|!]<name> ] |
| 3591 | Without argument, this will list all the events supported by the designated |
| 3592 | source. They are prefixed with a "-" if they are not enabled, or a "+" if |
| 3593 | they are enabled. It is important to note that a single trace may be labelled |
| 3594 | with multiple events, and as long as any of the enabled events matches one of |
| 3595 | the events labelled on the trace, the event will be passed to the trace |
| 3596 | subsystem. For example, receiving an HTTP/2 frame of type HEADERS may trigger |
| 3597 | a frame event and a stream event since the frame creates a new stream. If |
| 3598 | either the frame event or the stream event are enabled for this source, the |
| 3599 | frame will be passed to the trace framework. |
| 3600 | |
| 3601 | With an argument, it is possible to toggle the state of each event and |
| 3602 | individually enable or disable them. Two special keywords are supported, |
| 3603 | "none", which matches no event, and is used to disable all events at once, |
| 3604 | and "any" which matches all events, and is used to enable all events at |
| 3605 | once. Other events are specific to the event source. It is possible to |
| 3606 | enable one event by specifying its name, optionally prefixed with '+' for |
| 3607 | better readability. It is possible to disable one event by specifying its |
| 3608 | name prefixed by a '-' or a '!'. |
| 3609 | |
| 3610 | One way to completely disable a trace source is to pass "event none", and |
| 3611 | this source will instantly be totally ignored. |
| 3612 | |
| 3613 | trace <source> level [<level>] |
Willy Tarreau | 2ea549b | 2019-08-29 08:01:48 +0200 | [diff] [blame] | 3614 | Without argument, this will list all trace levels for this source, and the |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3615 | current one will be indicated by a star ('*') prepended in front of it. With |
Willy Tarreau | 2ea549b | 2019-08-29 08:01:48 +0200 | [diff] [blame] | 3616 | an argument, this will change the trace level to the specified level. Detail |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3617 | levels are a form of filters that are applied before reporting the events. |
Willy Tarreau | 2ea549b | 2019-08-29 08:01:48 +0200 | [diff] [blame] | 3618 | These filters are used to selectively include or exclude events depending on |
| 3619 | their level of importance. For example a developer might need to know |
| 3620 | precisely where in the code an HTTP header was considered invalid while the |
| 3621 | end user may not even care about this header's validity at all. There are |
| 3622 | currently 5 distinct levels for a trace : |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3623 | |
| 3624 | user this will report information that are suitable for use by a |
| 3625 | regular haproxy user who wants to observe his traffic. |
| 3626 | Typically some HTTP requests and responses will be reported |
| 3627 | without much detail. Most sources will set this as the |
| 3628 | default level to ease operations. |
| 3629 | |
Willy Tarreau | 2ea549b | 2019-08-29 08:01:48 +0200 | [diff] [blame] | 3630 | proto in addition to what is reported at the "user" level, it also |
| 3631 | displays protocol-level updates. This can for example be the |
| 3632 | frame types or HTTP headers after decoding. |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3633 | |
| 3634 | state in addition to what is reported at the "proto" level, it |
| 3635 | will also display state transitions (or failed transitions) |
| 3636 | which happen in parsers, so this will show attempts to |
| 3637 | perform an operation while the "proto" level only shows |
| 3638 | the final operation. |
| 3639 | |
Willy Tarreau | 2ea549b | 2019-08-29 08:01:48 +0200 | [diff] [blame] | 3640 | data in addition to what is reported at the "state" level, it |
| 3641 | will also include data transfers between the various layers. |
| 3642 | |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3643 | developer it reports everything available, which can include advanced |
| 3644 | information such as "breaking out of this loop" that are |
| 3645 | only relevant to a developer trying to understand a bug that |
Willy Tarreau | 09fb0df | 2019-08-29 08:40:59 +0200 | [diff] [blame] | 3646 | only happens once in a while in field. Function names are |
| 3647 | only reported at this level. |
Willy Tarreau | f909c91 | 2019-08-22 20:06:04 +0200 | [diff] [blame] | 3648 | |
| 3649 | It is highly recommended to always use the "user" level only and switch to |
| 3650 | other levels only if instructed to do so by a developer. Also it is a good |
| 3651 | idea to first configure the events before switching to higher levels, as it |
| 3652 | may save from dumping many lines if no filter is applied. |
| 3653 | |
| 3654 | trace <source> lock [criterion] |
| 3655 | Without argument, this will list all the criteria supported by this source |
| 3656 | for lock-on processing, and display the current choice by a star ('*') in |
| 3657 | front of it. Lock-on means that the source will focus on the first matching |
| 3658 | event and only stick to the criterion which triggered this event, and ignore |
| 3659 | all other ones until the trace stops. This allows for example to take a trace |
| 3660 | on a single connection or on a single stream. The following criteria are |
| 3661 | supported by some traces, though not necessarily all, since some of them |
| 3662 | might not be available to the source : |
| 3663 | |
| 3664 | backend lock on the backend that started the trace |
| 3665 | connection lock on the connection that started the trace |
| 3666 | frontend lock on the frontend that started the trace |
| 3667 | listener lock on the listener that started the trace |
| 3668 | nothing do not lock on anything |
| 3669 | server lock on the server that started the trace |
| 3670 | session lock on the session that started the trace |
| 3671 | thread lock on the thread that started the trace |
| 3672 | |
| 3673 | In addition to this, each source may provide up to 4 specific criteria such |
| 3674 | as internal states or connection IDs. For example in HTTP/2 it is possible |
| 3675 | to lock on the H2 stream and ignore other streams once a strace starts. |
| 3676 | |
| 3677 | When a criterion is passed in argument, this one is used instead of the |
| 3678 | other ones and any existing tracking is immediately terminated so that it can |
| 3679 | restart with the new criterion. The special keyword "nothing" is supported by |
| 3680 | all sources to permanently disable tracking. |
| 3681 | |
| 3682 | trace <source> { pause | start | stop } [ [+|-|!]event] |
| 3683 | Without argument, this will list the events enabled to automatically pause, |
| 3684 | start, or stop a trace for this source. These events are specific to each |
| 3685 | trace source. With an argument, this will either enable the event for the |
| 3686 | specified action (if optionally prefixed by a '+') or disable it (if |
| 3687 | prefixed by a '-' or '!'). The special keyword "now" is not an event and |
| 3688 | requests to take the action immediately. The keywords "none" and "any" are |
| 3689 | supported just like in "trace event". |
| 3690 | |
| 3691 | The 3 supported actions are respectively "pause", "start" and "stop". The |
| 3692 | "pause" action enumerates events which will cause a running trace to stop and |
| 3693 | wait for a new start event to restart it. The "start" action enumerates the |
| 3694 | events which switch the trace into the waiting mode until one of the start |
| 3695 | events appears. And the "stop" action enumerates the events which definitely |
| 3696 | stop the trace until it is manually enabled again. In practice it makes sense |
| 3697 | to manually start a trace using "start now" without caring about events, and |
| 3698 | to stop it using "stop now". In order to capture more subtle event sequences, |
| 3699 | setting "start" to a normal event (like receiving an HTTP request) and "stop" |
| 3700 | to a very rare event like emitting a certain error, will ensure that the last |
| 3701 | captured events will match the desired criteria. And the pause event is |
| 3702 | useful to detect the end of a sequence, disable the lock-on and wait for |
| 3703 | another opportunity to take a capture. In this case it can make sense to |
| 3704 | enable lock-on to spot only one specific criterion (e.g. a stream), and have |
| 3705 | "start" set to anything that starts this criterion (e.g. all events which |
| 3706 | create a stream), "stop" set to the expected anomaly, and "pause" to anything |
| 3707 | that ends that criterion (e.g. any end of stream event). In this case the |
| 3708 | trace log will contain complete sequences of perfectly clean series affecting |
| 3709 | a single object, until the last sequence containing everything from the |
| 3710 | beginning to the anomaly. |
| 3711 | |
| 3712 | trace <source> sink [<sink>] |
| 3713 | Without argument, this will list all event sinks available for this source, |
| 3714 | and the currently configured one will have a star ('*') prepended in front |
| 3715 | of it. Sink "none" is always available and means that all events are simply |
| 3716 | dropped, though their processing is not ignored (e.g. lock-on does occur). |
| 3717 | Other sinks are available depending on configuration and build options, but |
| 3718 | typically "stdout" and "stderr" will be usable in debug mode, and in-memory |
| 3719 | ring buffers should be available as well. When a name is specified, the sink |
| 3720 | instantly changes for the specified source. Events are not changed during a |
| 3721 | sink change. In the worst case some may be lost if an invalid sink is used |
| 3722 | (or "none"), but operations do continue to a different destination. |
| 3723 | |
Willy Tarreau | 370a694 | 2019-08-29 08:24:16 +0200 | [diff] [blame] | 3724 | trace <source> verbosity [<level>] |
| 3725 | Without argument, this will list all verbosity levels for this source, and the |
| 3726 | current one will be indicated by a star ('*') prepended in front of it. With |
| 3727 | an argument, this will change the verbosity level to the specified one. |
| 3728 | |
| 3729 | Verbosity levels indicate how far the trace decoder should go to provide |
| 3730 | detailed information. It depends on the trace source, since some sources will |
| 3731 | not even provide a specific decoder. Level "quiet" is always available and |
| 3732 | disables any decoding. It can be useful when trying to figure what's |
| 3733 | happening before trying to understand the details, since it will have a very |
| 3734 | low impact on performance and trace size. When no verbosity levels are |
| 3735 | declared by a source, level "default" is available and will cause a decoder |
| 3736 | to be called when specified in the traces. It is an opportunistic decoding. |
| 3737 | When the source declares some verbosity levels, these ones are listed with |
| 3738 | a description of what they correspond to. In this case the trace decoder |
| 3739 | provided by the source will be as accurate as possible based on the |
| 3740 | information available at the trace point. The first level above "quiet" is |
| 3741 | set by default. |
| 3742 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 3743 | |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3744 | 9.4. Master CLI |
| 3745 | --------------- |
| 3746 | |
| 3747 | The master CLI is a socket bound to the master process in master-worker mode. |
| 3748 | This CLI gives access to the unix socket commands in every running or leaving |
| 3749 | processes and allows a basic supervision of those processes. |
| 3750 | |
| 3751 | The master CLI is configurable only from the haproxy program arguments with |
| 3752 | the -S option. This option also takes bind options separated by commas. |
| 3753 | |
| 3754 | Example: |
| 3755 | |
| 3756 | # haproxy -W -S 127.0.0.1:1234 -f test1.cfg |
| 3757 | # haproxy -Ws -S /tmp/master-socket,uid,1000,gid,1000,mode,600 -f test1.cfg |
William Lallemand | b7ea141 | 2018-12-13 09:05:47 +0100 | [diff] [blame] | 3758 | # haproxy -W -S /tmp/master-socket,level,user -f test1.cfg |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3759 | |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3760 | |
William Lallemand | a662275 | 2022-03-31 15:26:51 +0200 | [diff] [blame] | 3761 | 9.4.1. Master CLI commands |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3762 | -------------------------- |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3763 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3764 | @<[!]pid> |
| 3765 | The master CLI uses a special prefix notation to access the multiple |
| 3766 | processes. This notation is easily identifiable as it begins by a @. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3767 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3768 | A @ prefix can be followed by a relative process number or by an exclamation |
| 3769 | point and a PID. (e.g. @1 or @!1271). A @ alone could be use to specify the |
| 3770 | master. Leaving processes are only accessible with the PID as relative process |
| 3771 | number are only usable with the current processes. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3772 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3773 | Examples: |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3774 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3775 | $ socat /var/run/haproxy-master.sock readline |
| 3776 | prompt |
| 3777 | master> @1 show info; @2 show info |
| 3778 | [...] |
| 3779 | Process_num: 1 |
| 3780 | Pid: 1271 |
| 3781 | [...] |
| 3782 | Process_num: 2 |
| 3783 | Pid: 1272 |
| 3784 | [...] |
| 3785 | master> |
Willy Tarreau | 52880f9 | 2018-12-15 13:30:03 +0100 | [diff] [blame] | 3786 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3787 | $ echo '@!1271 show info; @!1272 show info' | socat /var/run/haproxy-master.sock - |
| 3788 | [...] |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3789 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3790 | A prefix could be use as a command, which will send every next commands to |
| 3791 | the specified process. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3792 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3793 | Examples: |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3794 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3795 | $ socat /var/run/haproxy-master.sock readline |
| 3796 | prompt |
| 3797 | master> @1 |
| 3798 | 1271> show info |
| 3799 | [...] |
| 3800 | 1271> show stat |
| 3801 | [...] |
| 3802 | 1271> @ |
| 3803 | master> |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3804 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3805 | $ echo '@1; show info; show stat; @2; show info; show stat' | socat /var/run/haproxy-master.sock - |
| 3806 | [...] |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3807 | |
William Lallemand | a5ce28b | 2022-02-02 15:29:21 +0100 | [diff] [blame] | 3808 | expert-mode [on|off] |
| 3809 | This command activates the "expert-mode" for every worker accessed from the |
William Lallemand | 2a17191 | 2022-02-02 11:43:20 +0100 | [diff] [blame] | 3810 | master CLI. Combined with "mcli-debug-mode" it also activates the command on |
William Lallemand | dae12c7 | 2022-02-02 14:13:54 +0100 | [diff] [blame] | 3811 | the master. Display the flag "e" in the master CLI prompt. |
William Lallemand | a5ce28b | 2022-02-02 15:29:21 +0100 | [diff] [blame] | 3812 | |
William Lallemand | 2a17191 | 2022-02-02 11:43:20 +0100 | [diff] [blame] | 3813 | See also "expert-mode" in Section 9.3 and "mcli-debug-mode" in 9.4.1. |
William Lallemand | a5ce28b | 2022-02-02 15:29:21 +0100 | [diff] [blame] | 3814 | |
| 3815 | experimental-mode [on|off] |
| 3816 | This command activates the "experimental-mode" for every worker accessed from |
William Lallemand | 2a17191 | 2022-02-02 11:43:20 +0100 | [diff] [blame] | 3817 | the master CLI. Combined with "mcli-debug-mode" it also activates the command on |
William Lallemand | dae12c7 | 2022-02-02 14:13:54 +0100 | [diff] [blame] | 3818 | the master. Display the flag "x" in the master CLI prompt. |
William Lallemand | 2a17191 | 2022-02-02 11:43:20 +0100 | [diff] [blame] | 3819 | |
| 3820 | See also "experimental-mode" in Section 9.3 and "mcli-debug-mode" in 9.4.1. |
William Lallemand | a5ce28b | 2022-02-02 15:29:21 +0100 | [diff] [blame] | 3821 | |
William Lallemand | 2a17191 | 2022-02-02 11:43:20 +0100 | [diff] [blame] | 3822 | mcli-debug-mode [on|off] |
| 3823 | This keyword allows a special mode in the master CLI which enables every |
| 3824 | keywords that were meant for a worker CLI on the master CLI, allowing to debug |
| 3825 | the master process. Once activated, you list the new available keywords with |
| 3826 | "help". Combined with "experimental-mode" or "expert-mode" it enables even |
William Lallemand | dae12c7 | 2022-02-02 14:13:54 +0100 | [diff] [blame] | 3827 | more keywords. Display the flag "d" in the master CLI prompt. |
William Lallemand | a5ce28b | 2022-02-02 15:29:21 +0100 | [diff] [blame] | 3828 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3829 | prompt |
| 3830 | When the prompt is enabled (via the "prompt" command), the context the CLI is |
| 3831 | working on is displayed in the prompt. The master is identified by the "master" |
| 3832 | string, and other processes are identified with their PID. In case the last |
| 3833 | reload failed, the master prompt will be changed to "master[ReloadFailed]>" so |
| 3834 | that it becomes visible that the process is still running on the previous |
| 3835 | configuration and that the new configuration is not operational. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3836 | |
William Lallemand | dae12c7 | 2022-02-02 14:13:54 +0100 | [diff] [blame] | 3837 | The prompt of the master CLI is able to display several flags which are the |
| 3838 | enable modes. "d" for mcli-debug-mode, "e" for expert-mode, "x" for |
| 3839 | experimental-mode. |
| 3840 | |
| 3841 | Example: |
| 3842 | $ socat /var/run/haproxy-master.sock - |
| 3843 | prompt |
| 3844 | master> expert-mode on |
| 3845 | master(e)> experimental-mode on |
| 3846 | master(xe)> mcli-debug-mode on |
| 3847 | master(xed)> @1 |
| 3848 | 95191(xed)> |
| 3849 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3850 | reload |
| 3851 | You can also reload the HAProxy master process with the "reload" command which |
| 3852 | does the same as a `kill -USR2` on the master process, provided that the user |
| 3853 | has at least "operator" or "admin" privileges. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3854 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3855 | Example: |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3856 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3857 | $ echo "reload" | socat /var/run/haproxy-master.sock stdin |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3858 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3859 | Note that a reload will close the connection to the master CLI. |
William Lallemand | a57b7e3 | 2018-12-14 21:11:31 +0100 | [diff] [blame] | 3860 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3861 | show proc |
| 3862 | The master CLI introduces a 'show proc' command to surpervise the |
| 3863 | processe. |
William Lallemand | a57b7e3 | 2018-12-14 21:11:31 +0100 | [diff] [blame] | 3864 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3865 | Example: |
William Lallemand | a57b7e3 | 2018-12-14 21:11:31 +0100 | [diff] [blame] | 3866 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3867 | $ echo 'show proc' | socat /var/run/haproxy-master.sock - |
| 3868 | #<PID> <type> <reloads> <uptime> <version> |
| 3869 | 1162 master 5 [failed: 0] 0d00h02m07s 2.5-dev13 |
| 3870 | # workers |
| 3871 | 1271 worker 1 0d00h00m00s 2.5-dev13 |
| 3872 | # old workers |
| 3873 | 1233 worker 3 0d00h00m43s 2.0-dev3-6019f6-289 |
| 3874 | # programs |
| 3875 | 1244 foo 0 0d00h00m00s - |
| 3876 | 1255 bar 0 0d00h00m00s - |
William Lallemand | a57b7e3 | 2018-12-14 21:11:31 +0100 | [diff] [blame] | 3877 | |
William Lallemand | af140ab | 2022-02-02 14:44:19 +0100 | [diff] [blame] | 3878 | In this example, the master has been reloaded 5 times but one of the old |
| 3879 | worker is still running and survived 3 reloads. You could access the CLI of |
| 3880 | this worker to understand what's going on. |
William Lallemand | 142db37 | 2018-12-11 18:56:45 +0100 | [diff] [blame] | 3881 | |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 3882 | 10. Tricks for easier configuration management |
| 3883 | ---------------------------------------------- |
| 3884 | |
| 3885 | It is very common that two HAProxy nodes constituting a cluster share exactly |
| 3886 | the same configuration modulo a few addresses. Instead of having to maintain a |
| 3887 | duplicate configuration for each node, which will inevitably diverge, it is |
| 3888 | possible to include environment variables in the configuration. Thus multiple |
| 3889 | configuration may share the exact same file with only a few different system |
| 3890 | wide environment variables. This started in version 1.5 where only addresses |
| 3891 | were allowed to include environment variables, and 1.6 goes further by |
| 3892 | supporting environment variables everywhere. The syntax is the same as in the |
| 3893 | UNIX shell, a variable starts with a dollar sign ('$'), followed by an opening |
| 3894 | curly brace ('{'), then the variable name followed by the closing brace ('}'). |
| 3895 | Except for addresses, environment variables are only interpreted in arguments |
| 3896 | surrounded with double quotes (this was necessary not to break existing setups |
| 3897 | using regular expressions involving the dollar symbol). |
| 3898 | |
| 3899 | Environment variables also make it convenient to write configurations which are |
| 3900 | expected to work on various sites where only the address changes. It can also |
| 3901 | permit to remove passwords from some configs. Example below where the the file |
| 3902 | "site1.env" file is sourced by the init script upon startup : |
| 3903 | |
| 3904 | $ cat site1.env |
| 3905 | LISTEN=192.168.1.1 |
| 3906 | CACHE_PFX=192.168.11 |
| 3907 | SERVER_PFX=192.168.22 |
| 3908 | LOGGER=192.168.33.1 |
| 3909 | STATSLP=admin:pa$$w0rd |
| 3910 | ABUSERS=/etc/haproxy/abuse.lst |
| 3911 | TIMEOUT=10s |
| 3912 | |
| 3913 | $ cat haproxy.cfg |
| 3914 | global |
| 3915 | log "${LOGGER}:514" local0 |
| 3916 | |
| 3917 | defaults |
| 3918 | mode http |
| 3919 | timeout client "${TIMEOUT}" |
| 3920 | timeout server "${TIMEOUT}" |
| 3921 | timeout connect 5s |
| 3922 | |
| 3923 | frontend public |
| 3924 | bind "${LISTEN}:80" |
| 3925 | http-request reject if { src -f "${ABUSERS}" } |
| 3926 | stats uri /stats |
| 3927 | stats auth "${STATSLP}" |
| 3928 | use_backend cache if { path_end .jpg .css .ico } |
| 3929 | default_backend server |
| 3930 | |
| 3931 | backend cache |
| 3932 | server cache1 "${CACHE_PFX}.1:18080" check |
| 3933 | server cache2 "${CACHE_PFX}.2:18080" check |
| 3934 | |
| 3935 | backend server |
| 3936 | server cache1 "${SERVER_PFX}.1:8080" check |
| 3937 | server cache2 "${SERVER_PFX}.2:8080" check |
| 3938 | |
| 3939 | |
| 3940 | 11. Well-known traps to avoid |
| 3941 | ----------------------------- |
| 3942 | |
| 3943 | Once in a while, someone reports that after a system reboot, the haproxy |
| 3944 | service wasn't started, and that once they start it by hand it works. Most |
| 3945 | often, these people are running a clustered IP address mechanism such as |
| 3946 | keepalived, to assign the service IP address to the master node only, and while |
| 3947 | it used to work when they used to bind haproxy to address 0.0.0.0, it stopped |
| 3948 | working after they bound it to the virtual IP address. What happens here is |
| 3949 | that when the service starts, the virtual IP address is not yet owned by the |
| 3950 | local node, so when HAProxy wants to bind to it, the system rejects this |
| 3951 | because it is not a local IP address. The fix doesn't consist in delaying the |
| 3952 | haproxy service startup (since it wouldn't stand a restart), but instead to |
| 3953 | properly configure the system to allow binding to non-local addresses. This is |
| 3954 | easily done on Linux by setting the net.ipv4.ip_nonlocal_bind sysctl to 1. This |
| 3955 | is also needed in order to transparently intercept the IP traffic that passes |
| 3956 | through HAProxy for a specific target address. |
| 3957 | |
| 3958 | Multi-process configurations involving source port ranges may apparently seem |
| 3959 | to work but they will cause some random failures under high loads because more |
| 3960 | than one process may try to use the same source port to connect to the same |
| 3961 | server, which is not possible. The system will report an error and a retry will |
| 3962 | happen, picking another port. A high value in the "retries" parameter may hide |
| 3963 | the effect to a certain extent but this also comes with increased CPU usage and |
| 3964 | processing time. Logs will also report a certain number of retries. For this |
| 3965 | reason, port ranges should be avoided in multi-process configurations. |
| 3966 | |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 3967 | Since HAProxy uses SO_REUSEPORT and supports having multiple independent |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 3968 | processes bound to the same IP:port, during troubleshooting it can happen that |
| 3969 | an old process was not stopped before a new one was started. This provides |
| 3970 | absurd test results which tend to indicate that any change to the configuration |
| 3971 | is ignored. The reason is that in fact even the new process is restarted with a |
| 3972 | new configuration, the old one also gets some incoming connections and |
| 3973 | processes them, returning unexpected results. When in doubt, just stop the new |
| 3974 | process and try again. If it still works, it very likely means that an old |
| 3975 | process remains alive and has to be stopped. Linux's "netstat -lntp" is of good |
| 3976 | help here. |
| 3977 | |
| 3978 | When adding entries to an ACL from the command line (eg: when blacklisting a |
| 3979 | source address), it is important to keep in mind that these entries are not |
| 3980 | synchronized to the file and that if someone reloads the configuration, these |
| 3981 | updates will be lost. While this is often the desired effect (for blacklisting) |
| 3982 | it may not necessarily match expectations when the change was made as a fix for |
| 3983 | a problem. See the "add acl" action of the CLI interface. |
| 3984 | |
| 3985 | |
| 3986 | 12. Debugging and performance issues |
| 3987 | ------------------------------------ |
| 3988 | |
| 3989 | When HAProxy is started with the "-d" option, it will stay in the foreground |
| 3990 | and will print one line per event, such as an incoming connection, the end of a |
| 3991 | connection, and for each request or response header line seen. This debug |
| 3992 | output is emitted before the contents are processed, so they don't consider the |
| 3993 | local modifications. The main use is to show the request and response without |
| 3994 | having to run a network sniffer. The output is less readable when multiple |
| 3995 | connections are handled in parallel, though the "debug2ansi" and "debug2html" |
| 3996 | scripts found in the examples/ directory definitely help here by coloring the |
| 3997 | output. |
| 3998 | |
| 3999 | If a request or response is rejected because HAProxy finds it is malformed, the |
| 4000 | best thing to do is to connect to the CLI and issue "show errors", which will |
| 4001 | report the last captured faulty request and response for each frontend and |
| 4002 | backend, with all the necessary information to indicate precisely the first |
| 4003 | character of the input stream that was rejected. This is sometimes needed to |
| 4004 | prove to customers or to developers that a bug is present in their code. In |
| 4005 | this case it is often possible to relax the checks (but still keep the |
| 4006 | captures) using "option accept-invalid-http-request" or its equivalent for |
| 4007 | responses coming from the server "option accept-invalid-http-response". Please |
| 4008 | see the configuration manual for more details. |
| 4009 | |
| 4010 | Example : |
| 4011 | |
| 4012 | > show errors |
| 4013 | Total events captured on [13/Oct/2015:13:43:47.169] : 1 |
| 4014 | |
| 4015 | [13/Oct/2015:13:43:40.918] frontend HAProxyLocalStats (#2): invalid request |
| 4016 | backend <NONE> (#-1), server <NONE> (#-1), event #0 |
| 4017 | src 127.0.0.1:51981, session #0, session flags 0x00000080 |
| 4018 | HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000 |
| 4019 | HTTP chunk len 0 bytes, HTTP body len 0 bytes |
| 4020 | buffer flags 0x00808002, out 0 bytes, total 31 bytes |
| 4021 | pending 31 bytes, wrapping at 8040, error at position 13: |
| 4022 | |
| 4023 | 00000 GET /invalid request HTTP/1.1\r\n |
| 4024 | |
| 4025 | |
| 4026 | The output of "show info" on the CLI provides a number of useful information |
| 4027 | regarding the maximum connection rate ever reached, maximum SSL key rate ever |
| 4028 | reached, and in general all information which can help to explain temporary |
| 4029 | issues regarding CPU or memory usage. Example : |
| 4030 | |
| 4031 | > show info |
| 4032 | Name: HAProxy |
| 4033 | Version: 1.6-dev7-e32d18-17 |
| 4034 | Release_date: 2015/10/12 |
| 4035 | Nbproc: 1 |
| 4036 | Process_num: 1 |
| 4037 | Pid: 7949 |
| 4038 | Uptime: 0d 0h02m39s |
| 4039 | Uptime_sec: 159 |
| 4040 | Memmax_MB: 0 |
| 4041 | Ulimit-n: 120032 |
| 4042 | Maxsock: 120032 |
| 4043 | Maxconn: 60000 |
| 4044 | Hard_maxconn: 60000 |
| 4045 | CurrConns: 0 |
| 4046 | CumConns: 3 |
| 4047 | CumReq: 3 |
| 4048 | MaxSslConns: 0 |
| 4049 | CurrSslConns: 0 |
| 4050 | CumSslConns: 0 |
| 4051 | Maxpipes: 0 |
| 4052 | PipesUsed: 0 |
| 4053 | PipesFree: 0 |
| 4054 | ConnRate: 0 |
| 4055 | ConnRateLimit: 0 |
| 4056 | MaxConnRate: 1 |
| 4057 | SessRate: 0 |
| 4058 | SessRateLimit: 0 |
| 4059 | MaxSessRate: 1 |
| 4060 | SslRate: 0 |
| 4061 | SslRateLimit: 0 |
| 4062 | MaxSslRate: 0 |
| 4063 | SslFrontendKeyRate: 0 |
| 4064 | SslFrontendMaxKeyRate: 0 |
| 4065 | SslFrontendSessionReuse_pct: 0 |
| 4066 | SslBackendKeyRate: 0 |
| 4067 | SslBackendMaxKeyRate: 0 |
| 4068 | SslCacheLookups: 0 |
| 4069 | SslCacheMisses: 0 |
| 4070 | CompressBpsIn: 0 |
| 4071 | CompressBpsOut: 0 |
| 4072 | CompressBpsRateLim: 0 |
| 4073 | ZlibMemUsage: 0 |
| 4074 | MaxZlibMemUsage: 0 |
| 4075 | Tasks: 5 |
| 4076 | Run_queue: 1 |
| 4077 | Idle_pct: 100 |
| 4078 | node: wtap |
| 4079 | description: |
| 4080 | |
| 4081 | When an issue seems to randomly appear on a new version of HAProxy (eg: every |
| 4082 | second request is aborted, occasional crash, etc), it is worth trying to enable |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4083 | memory poisoning so that each call to malloc() is immediately followed by the |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4084 | filling of the memory area with a configurable byte. By default this byte is |
| 4085 | 0x50 (ASCII for 'P'), but any other byte can be used, including zero (which |
| 4086 | will have the same effect as a calloc() and which may make issues disappear). |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4087 | Memory poisoning is enabled on the command line using the "-dM" option. It |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4088 | slightly hurts performance and is not recommended for use in production. If |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4089 | an issue happens all the time with it or never happens when poisoning uses |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4090 | byte zero, it clearly means you've found a bug and you definitely need to |
| 4091 | report it. Otherwise if there's no clear change, the problem it is not related. |
| 4092 | |
| 4093 | When debugging some latency issues, it is important to use both strace and |
| 4094 | tcpdump on the local machine, and another tcpdump on the remote system. The |
| 4095 | reason for this is that there are delays everywhere in the processing chain and |
| 4096 | it is important to know which one is causing latency to know where to act. In |
| 4097 | practice, the local tcpdump will indicate when the input data come in. Strace |
| 4098 | will indicate when haproxy receives these data (using recv/recvfrom). Warning, |
| 4099 | openssl uses read()/write() syscalls instead of recv()/send(). Strace will also |
| 4100 | show when haproxy sends the data, and tcpdump will show when the system sends |
| 4101 | these data to the interface. Then the external tcpdump will show when the data |
| 4102 | sent are really received (since the local one only shows when the packets are |
| 4103 | queued). The benefit of sniffing on the local system is that strace and tcpdump |
| 4104 | will use the same reference clock. Strace should be used with "-tts200" to get |
| 4105 | complete timestamps and report large enough chunks of data to read them. |
| 4106 | Tcpdump should be used with "-nvvttSs0" to report full packets, real sequence |
| 4107 | numbers and complete timestamps. |
| 4108 | |
| 4109 | In practice, received data are almost always immediately received by haproxy |
| 4110 | (unless the machine has a saturated CPU or these data are invalid and not |
| 4111 | delivered). If these data are received but not sent, it generally is because |
| 4112 | the output buffer is saturated (ie: recipient doesn't consume the data fast |
| 4113 | enough). This can be confirmed by seeing that the polling doesn't notify of |
| 4114 | the ability to write on the output file descriptor for some time (it's often |
| 4115 | easier to spot in the strace output when the data finally leave and then roll |
| 4116 | back to see when the write event was notified). It generally matches an ACK |
| 4117 | received from the recipient, and detected by tcpdump. Once the data are sent, |
| 4118 | they may spend some time in the system doing nothing. Here again, the TCP |
| 4119 | congestion window may be limited and not allow these data to leave, waiting for |
| 4120 | an ACK to open the window. If the traffic is idle and the data take 40 ms or |
| 4121 | 200 ms to leave, it's a different issue (which is not an issue), it's the fact |
| 4122 | that the Nagle algorithm prevents empty packets from leaving immediately, in |
| 4123 | hope that they will be merged with subsequent data. HAProxy automatically |
| 4124 | disables Nagle in pure TCP mode and in tunnels. However it definitely remains |
| 4125 | enabled when forwarding an HTTP body (and this contributes to the performance |
| 4126 | improvement there by reducing the number of packets). Some HTTP non-compliant |
| 4127 | applications may be sensitive to the latency when delivering incomplete HTTP |
| 4128 | response messages. In this case you will have to enable "option http-no-delay" |
| 4129 | to disable Nagle in order to work around their design, keeping in mind that any |
| 4130 | other proxy in the chain may similarly be impacted. If tcpdump reports that data |
| 4131 | leave immediately but the other end doesn't see them quickly, it can mean there |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4132 | is a congested WAN link, a congested LAN with flow control enabled and |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4133 | preventing the data from leaving, or more commonly that HAProxy is in fact |
| 4134 | running in a virtual machine and that for whatever reason the hypervisor has |
| 4135 | decided that the data didn't need to be sent immediately. In virtualized |
| 4136 | environments, latency issues are almost always caused by the virtualization |
| 4137 | layer, so in order to save time, it's worth first comparing tcpdump in the VM |
| 4138 | and on the external components. Any difference has to be credited to the |
| 4139 | hypervisor and its accompanying drivers. |
| 4140 | |
| 4141 | When some TCP SACK segments are seen in tcpdump traces (using -vv), it always |
| 4142 | means that the side sending them has got the proof of a lost packet. While not |
| 4143 | seeing them doesn't mean there are no losses, seeing them definitely means the |
| 4144 | network is lossy. Losses are normal on a network, but at a rate where SACKs are |
| 4145 | not noticeable at the naked eye. If they appear a lot in the traces, it is |
| 4146 | worth investigating exactly what happens and where the packets are lost. HTTP |
| 4147 | doesn't cope well with TCP losses, which introduce huge latencies. |
| 4148 | |
| 4149 | The "netstat -i" command will report statistics per interface. An interface |
| 4150 | where the Rx-Ovr counter grows indicates that the system doesn't have enough |
| 4151 | resources to receive all incoming packets and that they're lost before being |
| 4152 | processed by the network driver. Rx-Drp indicates that some received packets |
| 4153 | were lost in the network stack because the application doesn't process them |
| 4154 | fast enough. This can happen during some attacks as well. Tx-Drp means that |
| 4155 | the output queues were full and packets had to be dropped. When using TCP it |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4156 | should be very rare, but will possibly indicate a saturated outgoing link. |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4157 | |
| 4158 | |
| 4159 | 13. Security considerations |
| 4160 | --------------------------- |
| 4161 | |
| 4162 | HAProxy is designed to run with very limited privileges. The standard way to |
| 4163 | use it is to isolate it into a chroot jail and to drop its privileges to a |
| 4164 | non-root user without any permissions inside this jail so that if any future |
| 4165 | vulnerability were to be discovered, its compromise would not affect the rest |
| 4166 | of the system. |
| 4167 | |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4168 | In order to perform a chroot, it first needs to be started as a root user. It is |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4169 | pointless to build hand-made chroots to start the process there, these ones are |
| 4170 | painful to build, are never properly maintained and always contain way more |
| 4171 | bugs than the main file-system. And in case of compromise, the intruder can use |
| 4172 | the purposely built file-system. Unfortunately many administrators confuse |
| 4173 | "start as root" and "run as root", resulting in the uid change to be done prior |
| 4174 | to starting haproxy, and reducing the effective security restrictions. |
| 4175 | |
| 4176 | HAProxy will need to be started as root in order to : |
| 4177 | - adjust the file descriptor limits |
| 4178 | - bind to privileged port numbers |
| 4179 | - bind to a specific network interface |
| 4180 | - transparently listen to a foreign address |
| 4181 | - isolate itself inside the chroot jail |
| 4182 | - drop to another non-privileged UID |
| 4183 | |
| 4184 | HAProxy may require to be run as root in order to : |
| 4185 | - bind to an interface for outgoing connections |
| 4186 | - bind to privileged source ports for outgoing connections |
Dan Lloyd | 8e48b87 | 2016-07-01 21:01:18 -0400 | [diff] [blame] | 4187 | - transparently bind to a foreign address for outgoing connections |
Willy Tarreau | 2212e6a | 2015-10-13 14:40:55 +0200 | [diff] [blame] | 4188 | |
| 4189 | Most users will never need the "run as root" case. But the "start as root" |
| 4190 | covers most usages. |
| 4191 | |
| 4192 | A safe configuration will have : |
| 4193 | |
| 4194 | - a chroot statement pointing to an empty location without any access |
| 4195 | permissions. This can be prepared this way on the UNIX command line : |
| 4196 | |
| 4197 | # mkdir /var/empty && chmod 0 /var/empty || echo "Failed" |
| 4198 | |
| 4199 | and referenced like this in the HAProxy configuration's global section : |
| 4200 | |
| 4201 | chroot /var/empty |
| 4202 | |
| 4203 | - both a uid/user and gid/group statements in the global section : |
| 4204 | |
| 4205 | user haproxy |
| 4206 | group haproxy |
| 4207 | |
| 4208 | - a stats socket whose mode, uid and gid are set to match the user and/or |
| 4209 | group allowed to access the CLI so that nobody may access it : |
| 4210 | |
| 4211 | stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600 |
| 4212 | |