blob: 424fd7c16fca96374bf09d053286d46d185ae4b4 [file] [log] [blame]
Willy Tarreaub1a34b62010-05-09 22:37:12 +02001 ----------------------
2 HAProxy how-to
3 ----------------------
Willy Tarreaub3066502017-11-26 19:50:17 +01004 version 1.9
Willy Tarreaub1a34b62010-05-09 22:37:12 +02005 willy tarreau
Willy Tarreauda7e3be2018-12-02 19:31:37 +01006 2018/12/02
willy tarreau78345332005-12-18 01:33:16 +01007
8
Willy Tarreaub1a34b62010-05-09 22:37:12 +020091) How to build it
10------------------
11
Willy Tarreaub3066502017-11-26 19:50:17 +010012This is a development version, so it is expected to break from time to time,
13to add and remove features without prior notification and it should not be used
14in production. If you are not used to build from sources or if you are not used
15to follow updates then it is recommended that instead you use the packages provided
16by your software vendor or Linux distribution. Most of them are taking this task
Willy Tarreau844028b2015-10-13 18:52:22 +020017seriously and are doing a good job at backporting important fixes. If for any
18reason you'd prefer a different version than the one packaged for your system,
19you want to be certain to have all the fixes or to get some commercial support,
20other choices are available at :
Willy Tarreau869f3512014-06-19 15:26:32 +020021
22 http://www.haproxy.com/
23
willy tarreau78345332005-12-18 01:33:16 +010024To build haproxy, you will need :
Willy Tarreaub1a34b62010-05-09 22:37:12 +020025 - GNU make. Neither Solaris nor OpenBSD's make work with the GNU Makefile.
Willy Tarreau3543cdb2014-05-10 09:12:46 +020026 If you get many syntax errors when running "make", you may want to retry
27 with "gmake" which is the name commonly used for GNU make on BSD systems.
Willy Tarreau9dbfa052018-11-19 08:11:40 +010028 - GCC between 2.95 and 8.1. Others may work, but not tested.
willy tarreau78345332005-12-18 01:33:16 +010029 - GNU ld
30
31Also, you might want to build with libpcre support, which will provide a very
Willy Tarreaub1a34b62010-05-09 22:37:12 +020032efficient regex implementation and will also fix some badness on Solaris' one.
willy tarreau78345332005-12-18 01:33:16 +010033
34To build haproxy, you have to choose your target OS amongst the following ones
35and assign it to the TARGET variable :
36
Willy Tarreau83b30c12008-05-25 10:32:50 +020037 - linux22 for Linux 2.2
38 - linux24 for Linux 2.4 and above (default)
39 - linux24e for Linux 2.4 with support for a working epoll (> 0.21)
Willy Tarreau83b30c12008-05-25 10:32:50 +020040 - linux26 for Linux 2.6 and above
Willy Tarreau869f3512014-06-19 15:26:32 +020041 - linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy)
Willy Tarreau83b30c12008-05-25 10:32:50 +020042 - solaris for Solaris 8 or 10 (others untested)
Willy Tarreau9dbfa052018-11-19 08:11:40 +010043 - freebsd for FreeBSD 5 to 12 (others untested)
Willy Tarreau844028b2015-10-13 18:52:22 +020044 - netbsd for NetBSD
Willy Tarreau8624cab2013-04-02 08:17:43 +020045 - osx for Mac OS/X
Daniel Jakots9705ba22016-09-27 19:22:21 +020046 - openbsd for OpenBSD 5.7 and above
Willy Tarreau50abe302014-04-02 20:44:43 +020047 - aix51 for AIX 5.1
Willy Tarreau7dec9652012-06-06 16:15:03 +020048 - aix52 for AIX 5.2
Yitzhak Sapir32087312009-06-14 18:27:54 +020049 - cygwin for Cygwin
Jerome Duval38932c32015-10-19 23:01:16 +000050 - haiku for Haiku
Willy Tarreau869f3512014-06-19 15:26:32 +020051 - generic for any other OS or version.
Willy Tarreau83b30c12008-05-25 10:32:50 +020052 - custom to manually adjust every setting
willy tarreau78345332005-12-18 01:33:16 +010053
54You may also choose your CPU to benefit from some optimizations. This is
55particularly important on UltraSparc machines. For this, you can assign
56one of the following choices to the CPU variable :
57
58 - i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon
59 - i586 for intel Pentium, AMD K6, VIA C3.
60 - ultrasparc : Sun UltraSparc I/II/III/IV processor
Willy Tarreau817dad52014-07-10 20:24:25 +020061 - native : use the build machine's specific processor optimizations. Use with
62 extreme care, and never in virtualized environments (known to break).
63 - generic : any other processor or no CPU-specific optimization. (default)
willy tarreau78345332005-12-18 01:33:16 +010064
Willy Tarreau83b30c12008-05-25 10:32:50 +020065Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options
66for your platform.
67
Willy Tarreau16119652018-11-19 08:15:54 +010068By default the build process runs in quiet mode and hide the details of the
69commands that are executed. This allows to more easily catch build warnings
70and see what is happening. However it is not convenient at all to observe what
71flags are passed to the compiler nor what compiler is involved. Simply append
72"V=1" to the "make" command line to switch to verbose mode and display the
73details again.
74
Willy Tarreauef7341d2009-04-11 19:45:50 +020075You may want to build specific target binaries which do not match your native
76compiler's target. This is particularly true on 64-bit systems when you want
77to build a 32-bit binary. Use the ARCH variable for this purpose. Right now
Willy Tarreaua5899aa2010-11-28 07:41:00 +010078it only knows about a few x86 variants (i386,i486,i586,i686,x86_64), two
79generic ones (32,64) and sets -m32/-m64 as well as -march=<arch> accordingly.
Willy Tarreauef7341d2009-04-11 19:45:50 +020080
willy tarreau78345332005-12-18 01:33:16 +010081If your system supports PCRE (Perl Compatible Regular Expressions), then you
82really should build with libpcre which is between 2 and 10 times faster than
83other libc implementations. Regex are used for header processing (deletion,
84rewriting, allow, deny). The only inconvenient of libpcre is that it is not
85yet widely spread, so if you build for other systems, you might get into
86trouble if they don't have the dynamic library. In this situation, you should
87statically link libpcre into haproxy so that it will not be necessary to
Willy Tarreau83b30c12008-05-25 10:32:50 +020088install it on target systems. Available build options for PCRE are :
willy tarreau78345332005-12-18 01:33:16 +010089
Willy Tarreau83b30c12008-05-25 10:32:50 +020090 - USE_PCRE=1 to use libpcre, in whatever form is available on your system
willy tarreau78345332005-12-18 01:33:16 +010091 (shared or static)
92
Willy Tarreau83b30c12008-05-25 10:32:50 +020093 - USE_STATIC_PCRE=1 to use a static version of libpcre even if the dynamic
94 one is available. This will enhance portability.
95
Willy Tarreau663148c2012-12-12 00:38:22 +010096 - with no option, use your OS libc's standard regex implementation (default).
Willy Tarreau83b30c12008-05-25 10:32:50 +020097 Warning! group references on Solaris seem broken. Use static-pcre whenever
98 possible.
willy tarreau78345332005-12-18 01:33:16 +010099
Willy Tarreaua8fc8a22015-09-28 22:36:21 +0200100If your system doesn't provide PCRE, you are encouraged to download it from
101http://www.pcre.org/ and build it yourself, it's fast and easy.
102
Willy Tarreau64bc40b2011-03-23 20:00:53 +0100103Recent systems can resolve IPv6 host names using getaddrinfo(). This primitive
104is not present in all libcs and does not work in all of them either. Support in
105glibc was broken before 2.3. Some embedded libs may not properly work either,
106thus, support is disabled by default, meaning that some host names which only
107resolve as IPv6 addresses will not resolve and configs might emit an error
108during parsing. If you know that your OS libc has reliable support for
109getaddrinfo(), you can add USE_GETADDRINFO=1 on the make command line to enable
110it. This is the recommended option for most Linux distro packagers since it's
111working fine on all recent mainstream distros. It is automatically enabled on
112Solaris 8 and above, as it's known to work.
113
Willy Tarreau3543cdb2014-05-10 09:12:46 +0200114It is possible to add native support for SSL using the GNU makefile, by passing
115"USE_OPENSSL=1" on the make command line. The libssl and libcrypto will
116automatically be linked with haproxy. Some systems also require libz, so if the
117build fails due to missing symbols such as deflateInit(), then try again with
118"ADDLIB=-lz".
Willy Tarreaud4508812012-09-10 09:07:41 +0200119
Willy Tarreaua8fc8a22015-09-28 22:36:21 +0200120Your are strongly encouraged to always use an up-to-date version of OpenSSL, as
121found on https://www.openssl.org/ as vulnerabilities are occasionally found and
122you don't want them on your systems. HAProxy is known to build correctly on all
Willy Tarreau7ab16862017-07-18 06:58:16 +0200123currently supported branches (0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0 at the time
124of writing). Branch 1.0.2 is currently recommended for the best combination of
125features and stability. Asynchronous engines require OpenSSL 1.1.0 though. It's
Joseph Herlante07bc142018-11-09 17:44:10 -0800126worth mentioning that some OpenSSL derivatives are also reported to work but
Willy Tarreau7ab16862017-07-18 06:58:16 +0200127may occasionally break. Patches to fix them are welcome but please read the
128CONTRIBUTING file first.
Willy Tarreaua8fc8a22015-09-28 22:36:21 +0200129
Lukas Tribus3fe9f1e2013-05-19 16:28:17 +0200130To link OpenSSL statically against haproxy, build OpenSSL with the no-shared
131keyword and install it to a local directory, so your system is not affected :
132
133 $ export STATICLIBSSL=/tmp/staticlibssl
134 $ ./config --prefix=$STATICLIBSSL no-shared
135 $ make && make install_sw
136
Lukas Tribus130ddf72013-10-01 00:28:03 +0200137When building haproxy, pass that path via SSL_INC and SSL_LIB to make and
138include additional libs with ADDLIB if needed (in this case for example libdl):
Willy Tarreau3543cdb2014-05-10 09:12:46 +0200139
Lukas Tribus130ddf72013-10-01 00:28:03 +0200140 $ make TARGET=linux26 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
Lukas Tribus3fe9f1e2013-05-19 16:28:17 +0200141
Willy Tarreaua8fc8a22015-09-28 22:36:21 +0200142It is also possible to include native support for zlib to benefit from HTTP
William Lallemand82fe75c2012-10-23 10:25:10 +0200143compression. For this, pass "USE_ZLIB=1" on the "make" command line and ensure
Willy Tarreau418b8c02015-03-29 03:32:06 +0200144that zlib is present on the system. Alternatively it is possible to use libslz
145for a faster, memory less, but slightly less efficient compression, by passing
146"USE_SLZ=1".
William Lallemand82fe75c2012-10-23 10:25:10 +0200147
Willy Tarreaua8fc8a22015-09-28 22:36:21 +0200148Zlib is commonly found on most systems, otherwise updates can be retrieved from
149http://www.zlib.net/. It is easy and fast to build. Libslz can be downloaded
150from http://1wt.eu/projects/libslz/ and is even easier to build.
151
willy tarreau78345332005-12-18 01:33:16 +0100152By default, the DEBUG variable is set to '-g' to enable debug symbols. It is
153not wise to disable it on uncommon systems, because it's often the only way to
154get a complete core when you need one. Otherwise, you can set DEBUG to '-s' to
155strip the binary.
156
157For example, I use this to build for Solaris 8 :
158
Willy Tarreau83b30c12008-05-25 10:32:50 +0200159 $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1
willy tarreau78345332005-12-18 01:33:16 +0100160
Willy Tarreau83b30c12008-05-25 10:32:50 +0200161And I build it this way on OpenBSD or FreeBSD :
willy tarreaud38e72d2006-03-19 20:56:52 +0100162
Willy Tarreau3543cdb2014-05-10 09:12:46 +0200163 $ gmake TARGET=freebsd USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
willy tarreaud38e72d2006-03-19 20:56:52 +0100164
Willy Tarreau663148c2012-12-12 00:38:22 +0100165And on a classic Linux with SSL and ZLIB support (eg: Red Hat 5.x) :
166
Willy Tarreau817dad52014-07-10 20:24:25 +0200167 $ make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
Willy Tarreau663148c2012-12-12 00:38:22 +0100168
169And on a recent Linux >= 2.6.28 with SSL and ZLIB support :
Willy Tarreaud4508812012-09-10 09:07:41 +0200170
Willy Tarreau817dad52014-07-10 20:24:25 +0200171 $ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
Willy Tarreaud4508812012-09-10 09:07:41 +0200172
William Lallemand82fe75c2012-10-23 10:25:10 +0200173In order to build a 32-bit binary on an x86_64 Linux system with SSL support
174without support for compression but when OpenSSL requires ZLIB anyway :
Willy Tarreauef7341d2009-04-11 19:45:50 +0200175
Willy Tarreaud4508812012-09-10 09:07:41 +0200176 $ make TARGET=linux26 ARCH=i386 USE_OPENSSL=1 ADDLIB=-lz
Willy Tarreauef7341d2009-04-11 19:45:50 +0200177
Willy Tarreaub1efede2014-05-09 00:44:48 +0200178The SSL stack supports session cache synchronization between all running
179processes. This involves some atomic operations and synchronization operations
180which come in multiple flavors depending on the system and architecture :
181
182 Atomic operations :
183 - internal assembler versions for x86/x86_64 architectures
184
185 - gcc builtins for other architectures. Some architectures might not
186 be fully supported or might require a more recent version of gcc.
187 If your architecture is not supported, you willy have to either use
188 pthread if supported, or to disable the shared cache.
189
190 - pthread (posix threads). Pthreads are very common but inter-process
191 support is not that common, and some older operating systems did not
192 report an error when enabling multi-process mode, so they used to
193 silently fail, possibly causing crashes. Linux's implementation is
194 fine. OpenBSD doesn't support them and doesn't build. FreeBSD 9 builds
195 and reports an error at runtime, while certain older versions might
196 silently fail. Pthreads are enabled using USE_PTHREAD_PSHARED=1.
197
198 Synchronization operations :
Joseph Herlante07bc142018-11-09 17:44:10 -0800199 - internal spinlock : this mode is OS-independent, light but will not
Willy Tarreaub1efede2014-05-09 00:44:48 +0200200 scale well to many processes. However, accesses to the session cache
201 are rare enough that this mode could certainly always be used. This
202 is the default mode.
203
204 - Futexes, which are Linux-specific highly scalable light weight mutexes
205 implemented in user-space with some limited assistance from the kernel.
206 This is the default on Linux 2.6 and above and is enabled by passing
207 USE_FUTEX=1
208
209 - pthread (posix threads). See above.
210
211If none of these mechanisms is supported by your platform, you may need to
212build with USE_PRIVATE_CACHE=1 to totally disable SSL cache sharing. Then
213it is better not to run SSL on multiple processes.
214
willy tarreau78345332005-12-18 01:33:16 +0100215If you need to pass other defines, includes, libraries, etc... then please
216check the Makefile to see which ones will be available in your case, and
Willy Tarreau3543cdb2014-05-10 09:12:46 +0200217use the USE_* variables in the Makefile.
willy tarreau78345332005-12-18 01:33:16 +0100218
Willy Tarreau97ec9692010-01-28 20:52:05 +0100219AIX 5.3 is known to work with the generic target. However, for the binary to
220also run on 5.2 or earlier, you need to build with DEFINE="-D_MSGQSUPPORT",
Willy Tarreau869f3512014-06-19 15:26:32 +0200221otherwise __fd_select() will be used while not being present in the libc, but
222this is easily addressed using the "aix52" target. If you get build errors
223because of strange symbols or section mismatches, simply remove -g from
224DEBUG_CFLAGS.
Willy Tarreau97ec9692010-01-28 20:52:05 +0100225
Willy Tarreau32e65ef2013-04-02 08:14:29 +0200226You can easily define your own target with the GNU Makefile. Unknown targets
227are processed with no default option except USE_POLL=default. So you can very
228well use that property to define your own set of options. USE_POLL can even be
229disabled by setting USE_POLL="". For example :
230
231 $ gmake TARGET=tiny USE_POLL="" TARGET_CFLAGS=-fomit-frame-pointer
232
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200233
Willy Tarreau29b25312016-11-08 14:57:29 +01002341.1) Device Detection
235---------------------
David Carlierb5efa012015-06-01 14:21:47 +0200236
Willy Tarreau29b25312016-11-08 14:57:29 +0100237HAProxy supports several device detection modules relying on third party
238products. Some of them may provide free code, others free libs, others free
239evaluation licenses. Please read about their respective details in the
240following files :
David Carlierb5efa012015-06-01 14:21:47 +0200241
Willy Tarreau29b25312016-11-08 14:57:29 +0100242 doc/DeviceAtlas-device-detection.txt for DeviceAtlas
243 doc/51Degrees-device-detection.txt for 51Degrees
244 doc/WURFL-device-detection.txt for Scientiamobile WURFL
scientiamobiled0027ed2016-11-04 10:55:08 +0100245
scientiamobiled0027ed2016-11-04 10:55:08 +0100246
Willy Tarreaub1a34b62010-05-09 22:37:12 +02002472) How to install it
248--------------------
249
250To install haproxy, you can either copy the single resulting binary to the
251place you want, or run :
252
253 $ sudo make install
254
255If you're packaging it for another system, you can specify its root directory
256in the usual DESTDIR variable.
257
258
2593) How to set it up
260-------------------
261
262There is some documentation in the doc/ directory :
263
Willy Tarreaud8e42b62015-08-18 21:51:36 +0200264 - intro.txt : this is an introduction to haproxy, it explains what it is
265 what it is not. Useful for beginners or to re-discover it when planning
266 for an upgrade.
267
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200268 - architecture.txt : this is the architecture manual. It is quite old and
269 does not tell about the nice new features, but it's still a good starting
270 point when you know what you want but don't know how to do it.
271
272 - configuration.txt : this is the configuration manual. It recalls a few
273 essential HTTP basic concepts, and details all the configuration file
274 syntax (keywords, units). It also describes the log and stats format. It
275 is normally always up to date. If you see that something is missing from
Willy Tarreau74774c02014-04-23 00:57:08 +0200276 it, please report it as this is a bug. Please note that this file is
277 huge and that it's generally more convenient to review Cyril Bonté's
278 HTML translation online here :
279
Willy Tarreau844028b2015-10-13 18:52:22 +0200280 http://cbonte.github.io/haproxy-dconv/configuration-1.6.html
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200281
Willy Tarreau373933d2015-10-13 16:32:20 +0200282 - management.txt : it explains how to start haproxy, how to manage it at
283 runtime, how to manage it on multiple nodes, how to proceed with seamless
284 upgrades.
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200285
286 - gpl.txt / lgpl.txt : the copy of the licenses covering the software. See
287 the 'LICENSE' file at the top for more information.
288
289 - the rest is mainly for developers.
290
291There are also a number of nice configuration examples in the "examples"
292directory as well as on several sites and articles on the net which are linked
293to from the haproxy web site.
294
295
2964) How to report a bug
297----------------------
298
299It is possible that from time to time you'll find a bug. A bug is a case where
300what you see is not what is documented. Otherwise it can be a misdesign. If you
301find that something is stupidly design, please discuss it on the list (see the
302"how to contribute" section below). If you feel like you're proceeding right
303and haproxy doesn't obey, then first ask yourself if it is possible that nobody
304before you has even encountered this issue. If it's unlikely, the you probably
305have an issue in your setup. Just in case of doubt, please consult the mailing
306list archives :
307
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200308 http://marc.info/?l=haproxy
309
310Otherwise, please try to gather the maximum amount of information to help
311reproduce the issue and send that to the mailing list :
312
313 haproxy@formilux.org
314
315Please include your configuration and logs. You can mask your IP addresses and
316passwords, we don't need them. But it's essential that you post your config if
317you want people to guess what is happening.
318
319Also, keep in mind that haproxy is designed to NEVER CRASH. If you see it die
320without any reason, then it definitely is a critical bug that must be reported
321and urgently fixed. It has happened a couple of times in the past, essentially
322on development versions running on new architectures. If you think your setup
323is fairly common, then it is possible that the issue is totally unrelated.
324Anyway, if that happens, feel free to contact me directly, as I will give you
325instructions on how to collect a usable core file, and will probably ask for
326other captures that you'll not want to share with the list.
327
328
3295) How to contribute
330--------------------
331
Willy Tarreau11e334d92015-09-20 22:31:42 +0200332Please carefully read the CONTRIBUTING file that comes with the sources. It is
333mandatory.
Willy Tarreaub1a34b62010-05-09 22:37:12 +0200334
willy tarreau78345332005-12-18 01:33:16 +0100335-- end