blob: ae4827a88af921d6dd56109c4cc1f16996dea0a6 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau37242fa2010-08-28 19:21:00 +02007 2010/08/28
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Willy Tarreauc57f0e22009-05-10 13:12:33 +020050
514. Proxies
524.1. Proxy keywords matrix
534.2. Alphabetically sorted keywords reference
54
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100555. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020056
576. HTTP header manipulation
58
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100597. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200607.1. Matching integers
617.2. Matching strings
627.3. Matching regular expressions (regexes)
637.4. Matching IPv4 addresses
647.5. Available matching criteria
657.5.1. Matching at Layer 4 and below
667.5.2. Matching contents at Layer 4
677.5.3. Matching at Layer 7
687.6. Pre-defined ACLs
697.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100707.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020071
728. Logging
738.1. Log levels
748.2. Log formats
758.2.1. Default log format
768.2.2. TCP log format
778.2.3. HTTP log format
788.3. Advanced logging options
798.3.1. Disabling logging of external tests
808.3.2. Logging before waiting for the session to terminate
818.3.3. Raising log level upon errors
828.3.4. Disabling logging of successful connections
838.4. Timing events
848.5. Session state at disconnection
858.6. Non-printable characters
868.7. Capturing HTTP cookies
878.8. Capturing HTTP headers
888.9. Examples of logs
89
909. Statistics and monitoring
919.1. CSV format
929.2. Unix Socket commands
93
94
951. Quick reminder about HTTP
96----------------------------
97
98When haproxy is running in HTTP mode, both the request and the response are
99fully analyzed and indexed, thus it becomes possible to build matching criteria
100on almost anything found in the contents.
101
102However, it is important to understand how HTTP requests and responses are
103formed, and how HAProxy decomposes them. It will then become easier to write
104correct rules and to debug existing configurations.
105
106
1071.1. The HTTP transaction model
108-------------------------------
109
110The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100111to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200112from the client to the server, a request is sent by the client on the
113connection, the server responds and the connection is closed. A new request
114will involve a new connection :
115
116 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
117
118In this mode, called the "HTTP close" mode, there are as many connection
119establishments as there are HTTP transactions. Since the connection is closed
120by the server after the response, the client does not need to know the content
121length.
122
123Due to the transactional nature of the protocol, it was possible to improve it
124to avoid closing a connection between two subsequent transactions. In this mode
125however, it is mandatory that the server indicates the content length for each
126response so that the client does not wait indefinitely. For this, a special
127header is used: "Content-length". This mode is called the "keep-alive" mode :
128
129 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
130
131Its advantages are a reduced latency between transactions, and less processing
132power required on the server side. It is generally better than the close mode,
133but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200134a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200135
136A last improvement in the communications is the pipelining mode. It still uses
137keep-alive, but the client does not wait for the first response to send the
138second request. This is useful for fetching large number of images composing a
139page :
140
141 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
142
143This can obviously have a tremendous benefit on performance because the network
144latency is eliminated between subsequent requests. Many HTTP agents do not
145correctly support pipelining since there is no way to associate a response with
146the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100147server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200148
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200149By default HAProxy operates in a tunnel-like mode with regards to persistent
150connections: for each connection it processes the first request and forwards
151everything else (including additional requests) to selected server. Once
152established, the connection is persisted both on the client and server
153sides. Use "option http-server-close" to preserve client persistent connections
154while handling every incoming request individually, dispatching them one after
155another to servers, in HTTP close mode. Use "option httpclose" to switch both
156sides to HTTP close mode. "option forceclose" and "option
157http-pretend-keepalive" help working around servers misbehaving in HTTP close
158mode.
159
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200160
1611.2. HTTP request
162-----------------
163
164First, let's consider this HTTP request :
165
166 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100167 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200168 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
169 2 Host: www.mydomain.com
170 3 User-agent: my small browser
171 4 Accept: image/jpeg, image/gif
172 5 Accept: image/png
173
174
1751.2.1. The Request line
176-----------------------
177
178Line 1 is the "request line". It is always composed of 3 fields :
179
180 - a METHOD : GET
181 - a URI : /serv/login.php?lang=en&profile=2
182 - a version tag : HTTP/1.1
183
184All of them are delimited by what the standard calls LWS (linear white spaces),
185which are commonly spaces, but can also be tabs or line feeds/carriage returns
186followed by spaces/tabs. The method itself cannot contain any colon (':') and
187is limited to alphabetic letters. All those various combinations make it
188desirable that HAProxy performs the splitting itself rather than leaving it to
189the user to write a complex or inaccurate regular expression.
190
191The URI itself can have several forms :
192
193 - A "relative URI" :
194
195 /serv/login.php?lang=en&profile=2
196
197 It is a complete URL without the host part. This is generally what is
198 received by servers, reverse proxies and transparent proxies.
199
200 - An "absolute URI", also called a "URL" :
201
202 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
203
204 It is composed of a "scheme" (the protocol name followed by '://'), a host
205 name or address, optionally a colon (':') followed by a port number, then
206 a relative URI beginning at the first slash ('/') after the address part.
207 This is generally what proxies receive, but a server supporting HTTP/1.1
208 must accept this form too.
209
210 - a star ('*') : this form is only accepted in association with the OPTIONS
211 method and is not relayable. It is used to inquiry a next hop's
212 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100213
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200214 - an address:port combination : 192.168.0.12:80
215 This is used with the CONNECT method, which is used to establish TCP
216 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
217 other protocols too.
218
219In a relative URI, two sub-parts are identified. The part before the question
220mark is called the "path". It is typically the relative path to static objects
221on the server. The part after the question mark is called the "query string".
222It is mostly used with GET requests sent to dynamic scripts and is very
223specific to the language, framework or application in use.
224
225
2261.2.2. The request headers
227--------------------------
228
229The headers start at the second line. They are composed of a name at the
230beginning of the line, immediately followed by a colon (':'). Traditionally,
231an LWS is added after the colon but that's not required. Then come the values.
232Multiple identical headers may be folded into one single line, delimiting the
233values with commas, provided that their order is respected. This is commonly
234encountered in the "Cookie:" field. A header may span over multiple lines if
235the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
236define a total of 3 values for the "Accept:" header.
237
238Contrary to a common mis-conception, header names are not case-sensitive, and
239their values are not either if they refer to other header names (such as the
240"Connection:" header).
241
242The end of the headers is indicated by the first empty line. People often say
243that it's a double line feed, which is not exact, even if a double line feed
244is one valid form of empty line.
245
246Fortunately, HAProxy takes care of all these complex combinations when indexing
247headers, checking values and counting them, so there is no reason to worry
248about the way they could be written, but it is important not to accuse an
249application of being buggy if it does unusual, valid things.
250
251Important note:
252 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
253 in the middle of headers by LWS in order to join multi-line headers. This
254 is necessary for proper analysis and helps less capable HTTP parsers to work
255 correctly and not to be fooled by such complex constructs.
256
257
2581.3. HTTP response
259------------------
260
261An HTTP response looks very much like an HTTP request. Both are called HTTP
262messages. Let's consider this HTTP response :
263
264 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100265 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200266 1 HTTP/1.1 200 OK
267 2 Content-length: 350
268 3 Content-Type: text/html
269
Willy Tarreau816b9792009-09-15 21:25:21 +0200270As a special case, HTTP supports so called "Informational responses" as status
271codes 1xx. These messages are special in that they don't convey any part of the
272response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100273continue to post its request for instance. In the case of a status 100 response
274the requested information will be carried by the next non-100 response message
275following the informational one. This implies that multiple responses may be
276sent to a single request, and that this only works when keep-alive is enabled
277(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
278correctly forward and skip them, and only process the next non-100 response. As
279such, these messages are neither logged nor transformed, unless explicitly
280state otherwise. Status 101 messages indicate that the protocol is changing
281over the same connection and that haproxy must switch to tunnel mode, just as
282if a CONNECT had occurred. Then the Upgrade header would contain additional
283information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200284
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200285
2861.3.1. The Response line
287------------------------
288
289Line 1 is the "response line". It is always composed of 3 fields :
290
291 - a version tag : HTTP/1.1
292 - a status code : 200
293 - a reason : OK
294
295The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200296 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297 - 2xx = OK, content is following (eg: 200, 206)
298 - 3xx = OK, no content following (eg: 302, 304)
299 - 4xx = error caused by the client (eg: 401, 403, 404)
300 - 5xx = error caused by the server (eg: 500, 502, 503)
301
302Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100303"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200304found there, but it's a common practice to respect the well-established
305messages. It can be composed of one or multiple words, such as "OK", "Found",
306or "Authentication Required".
307
308Haproxy may emit the following status codes by itself :
309
310 Code When / reason
311 200 access to stats page, and when replying to monitoring requests
312 301 when performing a redirection, depending on the configured code
313 302 when performing a redirection, depending on the configured code
314 303 when performing a redirection, depending on the configured code
315 400 for an invalid or too large request
316 401 when an authentication is required to perform the action (when
317 accessing the stats page)
318 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
319 408 when the request timeout strikes before the request is complete
320 500 when haproxy encounters an unrecoverable internal error, such as a
321 memory allocation failure, which should never happen
322 502 when the server returns an empty, invalid or incomplete response, or
323 when an "rspdeny" filter blocks the response.
324 503 when no server was available to handle the request, or in response to
325 monitoring requests which match the "monitor fail" condition
326 504 when the response timeout strikes before the server responds
327
328The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3294.2).
330
331
3321.3.2. The response headers
333---------------------------
334
335Response headers work exactly like request headers, and as such, HAProxy uses
336the same parsing function for both. Please refer to paragraph 1.2.2 for more
337details.
338
339
3402. Configuring HAProxy
341----------------------
342
3432.1. Configuration file format
344------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200345
346HAProxy's configuration process involves 3 major sources of parameters :
347
348 - the arguments from the command-line, which always take precedence
349 - the "global" section, which sets process-wide parameters
350 - the proxies sections which can take form of "defaults", "listen",
351 "frontend" and "backend".
352
Willy Tarreau0ba27502007-12-24 16:55:16 +0100353The configuration file syntax consists in lines beginning with a keyword
354referenced in this manual, optionally followed by one or several parameters
355delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100356preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100357escaped by doubling them.
358
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200359
3602.2. Time format
361----------------
362
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100363Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100364values are generally expressed in milliseconds (unless explicitly stated
365otherwise) but may be expressed in any other unit by suffixing the unit to the
366numeric value. It is important to consider this because it will not be repeated
367for every keyword. Supported units are :
368
369 - us : microseconds. 1 microsecond = 1/1000000 second
370 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
371 - s : seconds. 1s = 1000ms
372 - m : minutes. 1m = 60s = 60000ms
373 - h : hours. 1h = 60m = 3600s = 3600000ms
374 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
375
376
Patrick Mezard35da19c2010-06-12 17:02:47 +02003772.3. Examples
378-------------
379
380 # Simple configuration for an HTTP proxy listening on port 80 on all
381 # interfaces and forwarding requests to a single backend "servers" with a
382 # single server "server1" listening on 127.0.0.1:8000
383 global
384 daemon
385 maxconn 256
386
387 defaults
388 mode http
389 timeout connect 5000ms
390 timeout client 50000ms
391 timeout server 50000ms
392
393 frontend http-in
394 bind *:80
395 default_backend servers
396
397 backend servers
398 server server1 127.0.0.1:8000 maxconn 32
399
400
401 # The same configuration defined with a single listen block. Shorter but
402 # less expressive, especially in HTTP mode.
403 global
404 daemon
405 maxconn 256
406
407 defaults
408 mode http
409 timeout connect 5000ms
410 timeout client 50000ms
411 timeout server 50000ms
412
413 listen http-in
414 bind *:80
415 server server1 127.0.0.1:8000 maxconn 32
416
417
418Assuming haproxy is in $PATH, test these configurations in a shell with:
419
420 $ sudo haproxy -f configuration.conf -d
421
422
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004233. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200424--------------------
425
426Parameters in the "global" section are process-wide and often OS-specific. They
427are generally set once for all and do not need being changed once correct. Some
428of them have command-line equivalents.
429
430The following keywords are supported in the "global" section :
431
432 * Process management and security
433 - chroot
434 - daemon
435 - gid
436 - group
437 - log
438 - nbproc
439 - pidfile
440 - uid
441 - ulimit-n
442 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200443 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200444 - node
445 - description
Willy Tarreaud72758d2010-01-12 10:42:19 +0100446
Willy Tarreau6a06a402007-07-15 20:15:28 +0200447 * Performance tuning
448 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100449 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - noepoll
451 - nokqueue
452 - nopoll
453 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100454 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200455 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200456 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200457 - tune.chksize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100458 - tune.maxaccept
459 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200460 - tune.maxrewrite
Willy Tarreaue803de22010-01-21 17:43:04 +0100461 - tune.rcvbuf.client
462 - tune.rcvbuf.server
463 - tune.sndbuf.client
464 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100465
Willy Tarreau6a06a402007-07-15 20:15:28 +0200466 * Debugging
467 - debug
468 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200469
470
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004713.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200472------------------------------------
473
474chroot <jail dir>
475 Changes current directory to <jail dir> and performs a chroot() there before
476 dropping privileges. This increases the security level in case an unknown
477 vulnerability would be exploited, since it would make it very hard for the
478 attacker to exploit the system. This only works when the process is started
479 with superuser privileges. It is important to ensure that <jail_dir> is both
480 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100481
Willy Tarreau6a06a402007-07-15 20:15:28 +0200482daemon
483 Makes the process fork into background. This is the recommended mode of
484 operation. It is equivalent to the command line "-D" argument. It can be
485 disabled by the command line "-db" argument.
486
487gid <number>
488 Changes the process' group ID to <number>. It is recommended that the group
489 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
490 be started with a user belonging to this group, or with superuser privileges.
491 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100492
Willy Tarreau6a06a402007-07-15 20:15:28 +0200493group <group name>
494 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
495 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100496
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200497log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200498 Adds a global syslog server. Up to two global servers can be defined. They
499 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100500 configured with "log global".
501
502 <address> can be one of:
503
Willy Tarreau2769aa02007-12-27 18:26:09 +0100504 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100505 no port is specified, 514 is used by default (the standard syslog
506 port).
507
508 - A filesystem path to a UNIX domain socket, keeping in mind
509 considerations for chroot (be sure the path is accessible inside
510 the chroot) and uid/gid (be sure the path is appropriately
511 writeable).
512
513 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200514
515 kern user mail daemon auth syslog lpr news
516 uucp cron auth2 ftp ntp audit alert cron2
517 local0 local1 local2 local3 local4 local5 local6 local7
518
519 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200520 all messages are sent. If a maximum level is specified, only messages with a
521 severity at least as important as this level will be sent. An optional minimum
522 level can be specified. If it is set, logs emitted with a more severe level
523 than this one will be capped to this level. This is used to avoid sending
524 "emerg" messages on all terminals on some default syslog configurations.
525 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200526
527 emerg alert crit err warning notice info debug
528
529nbproc <number>
530 Creates <number> processes when going daemon. This requires the "daemon"
531 mode. By default, only one process is created, which is the recommended mode
532 of operation. For systems limited to small sets of file descriptors per
533 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
534 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
535
536pidfile <pidfile>
537 Writes pids of all daemons into file <pidfile>. This option is equivalent to
538 the "-p" command line argument. The file must be accessible to the user
539 starting the process. See also "daemon".
540
Willy Tarreaufbee7132007-10-18 13:53:22 +0200541stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200542 [level <level>]
543
Willy Tarreaufbee7132007-10-18 13:53:22 +0200544 Creates a UNIX socket in stream mode at location <path>. Any previously
545 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100546 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200547 issued. Please consult section 9.2 "Unix Socket commands" for more details.
548
549 An optional "level" parameter can be specified to restrict the nature of
550 the commands that can be issued on the socket :
551 - "user" is the least privileged level ; only non-sensitive stats can be
552 read, and no change is allowed. It would make sense on systems where it
553 is not easy to restrict access to the socket.
554
555 - "operator" is the default level and fits most common uses. All data can
556 be read, and only non-sensible changes are permitted (eg: clear max
557 counters).
558
559 - "admin" should be used with care, as everything is permitted (eg: clear
560 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100561
562 On platforms which support it, it is possible to restrict access to this
563 socket by specifying numerical IDs after "uid" and "gid", or valid user and
564 group names after the "user" and "group" keywords. It is also possible to
565 restrict permissions on the socket by passing an octal value after the "mode"
566 keyword (same syntax as chmod). Depending on the platform, the permissions on
567 the socket will be inherited from the directory which hosts it, or from the
568 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200569
570stats timeout <timeout, in milliseconds>
571 The default timeout on the stats socket is set to 10 seconds. It is possible
572 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100573 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200574
575stats maxconn <connections>
576 By default, the stats socket is limited to 10 concurrent connections. It is
577 possible to change this value with "stats maxconn".
578
Willy Tarreau6a06a402007-07-15 20:15:28 +0200579uid <number>
580 Changes the process' user ID to <number>. It is recommended that the user ID
581 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
582 be started with superuser privileges in order to be able to switch to another
583 one. See also "gid" and "user".
584
585ulimit-n <number>
586 Sets the maximum number of per-process file-descriptors to <number>. By
587 default, it is automatically computed, so it is recommended not to use this
588 option.
589
590user <user name>
591 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
592 See also "uid" and "group".
593
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200594node <name>
595 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
596
597 This statement is useful in HA configurations where two or more processes or
598 servers share the same IP address. By setting a different node-name on all
599 nodes, it becomes easy to immediately spot what server is handling the
600 traffic.
601
602description <text>
603 Add a text that describes the instance.
604
605 Please note that it is required to escape certain characters (# for example)
606 and this text is inserted into a html page so you should avoid using
607 "<" and ">" characters.
608
Willy Tarreau6a06a402007-07-15 20:15:28 +0200609
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006103.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200611-----------------------
612
613maxconn <number>
614 Sets the maximum per-process number of concurrent connections to <number>. It
615 is equivalent to the command-line argument "-n". Proxies will stop accepting
616 connections when this limit is reached. The "ulimit-n" parameter is
617 automatically adjusted according to this value. See also "ulimit-n".
618
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100619maxpipes <number>
620 Sets the maximum per-process number of pipes to <number>. Currently, pipes
621 are only used by kernel-based tcp splicing. Since a pipe contains two file
622 descriptors, the "ulimit-n" value will be increased accordingly. The default
623 value is maxconn/4, which seems to be more than enough for most heavy usages.
624 The splice code dynamically allocates and releases pipes, and can fall back
625 to standard copy, so setting this value too low may only impact performance.
626
Willy Tarreau6a06a402007-07-15 20:15:28 +0200627noepoll
628 Disables the use of the "epoll" event polling system on Linux. It is
629 equivalent to the command-line argument "-de". The next polling system
630 used will generally be "poll". See also "nosepoll", and "nopoll".
631
632nokqueue
633 Disables the use of the "kqueue" event polling system on BSD. It is
634 equivalent to the command-line argument "-dk". The next polling system
635 used will generally be "poll". See also "nopoll".
636
637nopoll
638 Disables the use of the "poll" event polling system. It is equivalent to the
639 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100640 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200641 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
642 "nokqueue".
643
644nosepoll
645 Disables the use of the "speculative epoll" event polling system on Linux. It
646 is equivalent to the command-line argument "-ds". The next polling system
647 used will generally be "epoll". See also "nosepoll", and "nopoll".
648
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100649nosplice
650 Disables the use of kernel tcp splicing between sockets on Linux. It is
651 equivalent to the command line argument "-dS". Data will then be copied
652 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100653 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100654 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
655 be used. This option makes it easier to globally disable kernel splicing in
656 case of doubt. See also "option splice-auto", "option splice-request" and
657 "option splice-response".
658
Willy Tarreaufe255b72007-10-14 23:09:26 +0200659spread-checks <0..50, in percent>
660 Sometimes it is desirable to avoid sending health checks to servers at exact
661 intervals, for instance when many logical servers are located on the same
662 physical server. With the help of this parameter, it becomes possible to add
663 some randomness in the check interval between 0 and +/- 50%. A value between
664 2 and 5 seems to show good results. The default value remains at 0.
665
Willy Tarreau27a674e2009-08-17 07:23:33 +0200666tune.bufsize <number>
667 Sets the buffer size to this size (in bytes). Lower values allow more
668 sessions to coexist in the same amount of RAM, and higher values allow some
669 applications with very large cookies to work. The default value is 16384 and
670 can be changed at build time. It is strongly recommended not to change this
671 from the default value, as very low values will break some services such as
672 statistics, and values larger than default size will increase memory usage,
673 possibly causing the system to run out of memory. At least the global maxconn
674 parameter should be decreased by the same factor as this one is increased.
675
Willy Tarreau43961d52010-10-04 20:39:20 +0200676tune.chksize <number>
677 Sets the check buffer size to this size (in bytes). Higher values may help
678 find string or regex patterns in very large pages, though doing so may imply
679 more memory and CPU usage. The default value is 16384 and can be changed at
680 build time. It is not recommended to change this value, but to use better
681 checks whenever possible.
682
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100683tune.maxaccept <number>
684 Sets the maximum number of consecutive accepts that a process may perform on
685 a single wake up. High values give higher priority to high connection rates,
686 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100687 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100688 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
689 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100690 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100691 the limitation. It should normally not be needed to tweak this value.
692
693tune.maxpollevents <number>
694 Sets the maximum amount of events that can be processed at once in a call to
695 the polling system. The default value is adapted to the operating system. It
696 has been noticed that reducing it below 200 tends to slightly decrease
697 latency at the expense of network bandwidth, and increasing it above 200
698 tends to trade latency for slightly increased bandwidth.
699
Willy Tarreau27a674e2009-08-17 07:23:33 +0200700tune.maxrewrite <number>
701 Sets the reserved buffer space to this size in bytes. The reserved space is
702 used for header rewriting or appending. The first reads on sockets will never
703 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
704 bufsize, though that does not make much sense since there are rarely large
705 numbers of headers to add. Setting it too high prevents processing of large
706 requests or responses. Setting it too low prevents addition of new headers
707 to already large requests or to POST requests. It is generally wise to set it
708 to about 1024. It is automatically readjusted to half of bufsize if it is
709 larger than that. This means you don't have to worry about it when changing
710 bufsize.
711
Willy Tarreaue803de22010-01-21 17:43:04 +0100712tune.rcvbuf.client <number>
713tune.rcvbuf.server <number>
714 Forces the kernel socket receive buffer size on the client or the server side
715 to the specified value in bytes. This value applies to all TCP/HTTP frontends
716 and backends. It should normally never be set, and the default size (0) lets
717 the kernel autotune this value depending on the amount of available memory.
718 However it can sometimes help to set it to very low values (eg: 4096) in
719 order to save kernel memory by preventing it from buffering too large amounts
720 of received data. Lower values will significantly increase CPU usage though.
721
722tune.sndbuf.client <number>
723tune.sndbuf.server <number>
724 Forces the kernel socket send buffer size on the client or the server side to
725 the specified value in bytes. This value applies to all TCP/HTTP frontends
726 and backends. It should normally never be set, and the default size (0) lets
727 the kernel autotune this value depending on the amount of available memory.
728 However it can sometimes help to set it to very low values (eg: 4096) in
729 order to save kernel memory by preventing it from buffering too large amounts
730 of received data. Lower values will significantly increase CPU usage though.
731 Another use case is to prevent write timeouts with extremely slow clients due
732 to the kernel waiting for a large part of the buffer to be read before
733 notifying haproxy again.
734
Willy Tarreau6a06a402007-07-15 20:15:28 +0200735
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007363.3. Debugging
737--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200738
739debug
740 Enables debug mode which dumps to stdout all exchanges, and disables forking
741 into background. It is the equivalent of the command-line argument "-d". It
742 should never be used in a production configuration since it may prevent full
743 system startup.
744
745quiet
746 Do not display any message during startup. It is equivalent to the command-
747 line argument "-q".
748
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01007493.4. Userlists
750--------------
751It is possible to control access to frontend/backend/listen sections or to
752http stats by allowing only authenticated and authorized users. To do this,
753it is required to create at least one userlist and to define users.
754
755userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100756 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100757 used to store authentication & authorization data for independent customers.
758
759group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100760 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100761 attach users to this group by using a comma separated list of names
762 proceeded by "users" keyword.
763
Cyril Bontéf0c60612010-02-06 14:44:47 +0100764user <username> [password|insecure-password <password>]
765 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100766 Adds user <username> to the current userlist. Both secure (encrypted) and
767 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100768 evaluated using the crypt(3) function so depending of the system's
769 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100770 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
771 DES-based method of crypting passwords.
772
773
774 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100775 userlist L1
776 group G1 users tiger,scott
777 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100778
Cyril Bontéf0c60612010-02-06 14:44:47 +0100779 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
780 user scott insecure-password elgato
781 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100782
Cyril Bontéf0c60612010-02-06 14:44:47 +0100783 userlist L2
784 group G1
785 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100786
Cyril Bontéf0c60612010-02-06 14:44:47 +0100787 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
788 user scott insecure-password elgato groups G1,G2
789 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100790
791 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200792
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007934. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200794----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100795
Willy Tarreau6a06a402007-07-15 20:15:28 +0200796Proxy configuration can be located in a set of sections :
797 - defaults <name>
798 - frontend <name>
799 - backend <name>
800 - listen <name>
801
802A "defaults" section sets default parameters for all other sections following
803its declaration. Those default parameters are reset by the next "defaults"
804section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100805section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200806
807A "frontend" section describes a set of listening sockets accepting client
808connections.
809
810A "backend" section describes a set of servers to which the proxy will connect
811to forward incoming connections.
812
813A "listen" section defines a complete proxy with its frontend and backend
814parts combined in one section. It is generally useful for TCP-only traffic.
815
Willy Tarreau0ba27502007-12-24 16:55:16 +0100816All proxy names must be formed from upper and lower case letters, digits,
817'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
818case-sensitive, which means that "www" and "WWW" are two different proxies.
819
820Historically, all proxy names could overlap, it just caused troubles in the
821logs. Since the introduction of content switching, it is mandatory that two
822proxies with overlapping capabilities (frontend/backend) have different names.
823However, it is still permitted that a frontend and a backend share the same
824name, as this configuration seems to be commonly encountered.
825
826Right now, two major proxy modes are supported : "tcp", also known as layer 4,
827and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100828bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100829protocol, and can interact with it by allowing, blocking, switching, adding,
830modifying, or removing arbitrary contents in requests or responses, based on
831arbitrary criteria.
832
Willy Tarreau0ba27502007-12-24 16:55:16 +0100833
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008344.1. Proxy keywords matrix
835--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100836
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200837The following list of keywords is supported. Most of them may only be used in a
838limited set of section types. Some of them are marked as "deprecated" because
839they are inherited from an old syntax which may be confusing or functionally
840limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100841marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200842option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200843and must be disabled for a specific instance. Such options may also be prefixed
844with "default" in order to restore default settings regardless of what has been
845specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100846
Willy Tarreau6a06a402007-07-15 20:15:28 +0200847
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100848 keyword defaults frontend listen backend
849------------------------------------+----------+----------+---------+---------
850acl - X X X
851appsession - - X X
852backlog X X X -
853balance X - X X
854bind - X X -
855bind-process X X X X
856block - X X X
857capture cookie - X X -
858capture request header - X X -
859capture response header - X X -
860clitimeout (deprecated) X X X -
861contimeout (deprecated) X - X X
862cookie X - X X
863default-server X - X X
864default_backend X X X -
865description - X X X
866disabled X X X X
867dispatch - - X X
868enabled X X X X
869errorfile X X X X
870errorloc X X X X
871errorloc302 X X X X
872-- keyword -------------------------- defaults - frontend - listen -- backend -
873errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200874force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100875fullconn X - X X
876grace X X X X
877hash-type X - X X
878http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +0100879http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +0200880http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100881http-request - X X X
882id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +0200883ignore-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100884log X X X X
885maxconn X X X -
886mode X X X X
887monitor fail - X X -
888monitor-net X X X -
889monitor-uri X X X -
890option abortonclose (*) X - X X
891option accept-invalid-http-request (*) X X X -
892option accept-invalid-http-response (*) X - X X
893option allbackups (*) X - X X
894option checkcache (*) X - X X
895option clitcpka (*) X X X -
896option contstats (*) X X X -
897option dontlog-normal (*) X X X -
898option dontlognull (*) X X X -
899option forceclose (*) X X X X
900-- keyword -------------------------- defaults - frontend - listen -- backend -
901option forwardfor X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +0200902option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100903option http-server-close (*) X X X X
904option http-use-proxy-header (*) X X X -
905option httpchk X - X X
906option httpclose (*) X X X X
907option httplog X X X X
908option http_proxy (*) X X X X
909option independant-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +0200910option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100911option log-health-checks (*) X - X X
912option log-separate-errors (*) X X X -
913option logasap (*) X X X -
914option mysql-check X - X X
915option nolinger (*) X X X X
916option originalto X X X X
917option persist (*) X - X X
918option redispatch (*) X - X X
919option smtpchk X - X X
920option socket-stats (*) X X X -
921option splice-auto (*) X X X X
922option splice-request (*) X X X X
923option splice-response (*) X X X X
924option srvtcpka (*) X - X X
925option ssl-hello-chk X - X X
926-- keyword -------------------------- defaults - frontend - listen -- backend -
927option tcp-smart-accept (*) X X X -
928option tcp-smart-connect (*) X - X X
929option tcpka X X X X
930option tcplog X X X X
931option transparent (*) X - X X
932persist rdp-cookie X - X X
933rate-limit sessions X X X -
934redirect - X X X
935redisp (deprecated) X - X X
936redispatch (deprecated) X - X X
937reqadd - X X X
938reqallow - X X X
939reqdel - X X X
940reqdeny - X X X
941reqiallow - X X X
942reqidel - X X X
943reqideny - X X X
944reqipass - X X X
945reqirep - X X X
946reqisetbe - X X X
947reqitarpit - X X X
948reqpass - X X X
949reqrep - X X X
950-- keyword -------------------------- defaults - frontend - listen -- backend -
951reqsetbe - X X X
952reqtarpit - X X X
953retries X - X X
954rspadd - X X X
955rspdel - X X X
956rspdeny - X X X
957rspidel - X X X
958rspideny - X X X
959rspirep - X X X
960rsprep - X X X
961server - - X X
962source X - X X
963srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +0200964stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100965stats auth X - X X
966stats enable X - X X
967stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +0200968stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100969stats realm X - X X
970stats refresh X - X X
971stats scope X - X X
972stats show-desc X - X X
973stats show-legends X - X X
974stats show-node X - X X
975stats uri X - X X
976-- keyword -------------------------- defaults - frontend - listen -- backend -
977stick match - - X X
978stick on - - X X
979stick store-request - - X X
980stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +0200981tcp-request connection - X X -
982tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +0200983tcp-request inspect-delay - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +0100984timeout check X - X X
985timeout client X X X -
986timeout clitimeout (deprecated) X X X -
987timeout connect X - X X
988timeout contimeout (deprecated) X - X X
989timeout http-keep-alive X X X X
990timeout http-request X X X X
991timeout queue X - X X
992timeout server X - X X
993timeout srvtimeout (deprecated) X - X X
994timeout tarpit X X X X
995transparent (deprecated) X - X X
996use_backend - X X -
997------------------------------------+----------+----------+---------+---------
998 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +0200999
Willy Tarreau0ba27502007-12-24 16:55:16 +01001000
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010014.2. Alphabetically sorted keywords reference
1002---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001003
1004This section provides a description of each keyword and its usage.
1005
1006
1007acl <aclname> <criterion> [flags] [operator] <value> ...
1008 Declare or complete an access list.
1009 May be used in sections : defaults | frontend | listen | backend
1010 no | yes | yes | yes
1011 Example:
1012 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1013 acl invalid_src src_port 0:1023
1014 acl local_dst hdr(host) -i localhost
1015
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001016 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001017
1018
Cyril Bontéb21570a2009-11-29 20:04:48 +01001019appsession <cookie> len <length> timeout <holdtime>
1020 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001021 Define session stickiness on an existing application cookie.
1022 May be used in sections : defaults | frontend | listen | backend
1023 no | no | yes | yes
1024 Arguments :
1025 <cookie> this is the name of the cookie used by the application and which
1026 HAProxy will have to learn for each new session.
1027
Cyril Bontéb21570a2009-11-29 20:04:48 +01001028 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001029 checked in each cookie value.
1030
1031 <holdtime> this is the time after which the cookie will be removed from
1032 memory if unused. If no unit is specified, this time is in
1033 milliseconds.
1034
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001035 request-learn
1036 If this option is specified, then haproxy will be able to learn
1037 the cookie found in the request in case the server does not
1038 specify any in response. This is typically what happens with
1039 PHPSESSID cookies, or when haproxy's session expires before
1040 the application's session and the correct server is selected.
1041 It is recommended to specify this option to improve reliability.
1042
Cyril Bontéb21570a2009-11-29 20:04:48 +01001043 prefix When this option is specified, haproxy will match on the cookie
1044 prefix (or URL parameter prefix). The appsession value is the
1045 data following this prefix.
1046
1047 Example :
1048 appsession ASPSESSIONID len 64 timeout 3h prefix
1049
1050 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1051 the appsession value will be XXXX=XXXXX.
1052
1053 mode This option allows to change the URL parser mode.
1054 2 modes are currently supported :
1055 - path-parameters :
1056 The parser looks for the appsession in the path parameters
1057 part (each parameter is separated by a semi-colon), which is
1058 convenient for JSESSIONID for example.
1059 This is the default mode if the option is not set.
1060 - query-string :
1061 In this mode, the parser will look for the appsession in the
1062 query string.
1063
Willy Tarreau0ba27502007-12-24 16:55:16 +01001064 When an application cookie is defined in a backend, HAProxy will check when
1065 the server sets such a cookie, and will store its value in a table, and
1066 associate it with the server's identifier. Up to <length> characters from
1067 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001068 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1069 the mode used). If a known value is found, the client will be directed to the
1070 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001071 applied. Cookies are automatically removed from memory when they have been
1072 unused for a duration longer than <holdtime>.
1073
1074 The definition of an application cookie is limited to one per backend.
1075
1076 Example :
1077 appsession JSESSIONID len 52 timeout 3h
1078
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001079 See also : "cookie", "capture cookie", "balance", "stick", "stick-table"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001080 and "ignore-persist"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001081
1082
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001083backlog <conns>
1084 Give hints to the system about the approximate listen backlog desired size
1085 May be used in sections : defaults | frontend | listen | backend
1086 yes | yes | yes | no
1087 Arguments :
1088 <conns> is the number of pending connections. Depending on the operating
1089 system, it may represent the number of already acknowledged
1090 connections, of non-acknowledged ones, or both.
1091
1092 In order to protect against SYN flood attacks, one solution is to increase
1093 the system's SYN backlog size. Depending on the system, sometimes it is just
1094 tunable via a system parameter, sometimes it is not adjustable at all, and
1095 sometimes the system relies on hints given by the application at the time of
1096 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1097 to the listen() syscall. On systems which can make use of this value, it can
1098 sometimes be useful to be able to specify a different value, hence this
1099 backlog parameter.
1100
1101 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1102 used as a hint and the system accepts up to the smallest greater power of
1103 two, and never more than some limits (usually 32768).
1104
1105 See also : "maxconn" and the target operating system's tuning guide.
1106
1107
Willy Tarreau0ba27502007-12-24 16:55:16 +01001108balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001109balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001110 Define the load balancing algorithm to be used in a backend.
1111 May be used in sections : defaults | frontend | listen | backend
1112 yes | no | yes | yes
1113 Arguments :
1114 <algorithm> is the algorithm used to select a server when doing load
1115 balancing. This only applies when no persistence information
1116 is available, or when a connection is redispatched to another
1117 server. <algorithm> may be one of the following :
1118
1119 roundrobin Each server is used in turns, according to their weights.
1120 This is the smoothest and fairest algorithm when the server's
1121 processing time remains equally distributed. This algorithm
1122 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001123 on the fly for slow starts for instance. It is limited by
1124 design to 4128 active servers per backend. Note that in some
1125 large farms, when a server becomes up after having been down
1126 for a very short time, it may sometimes take a few hundreds
1127 requests for it to be re-integrated into the farm and start
1128 receiving traffic. This is normal, though very rare. It is
1129 indicated here in case you would have the chance to observe
1130 it, so that you don't worry.
1131
1132 static-rr Each server is used in turns, according to their weights.
1133 This algorithm is as similar to roundrobin except that it is
1134 static, which means that changing a server's weight on the
1135 fly will have no effect. On the other hand, it has no design
1136 limitation on the number of servers, and when a server goes
1137 up, it is always immediately reintroduced into the farm, once
1138 the full map is recomputed. It also uses slightly less CPU to
1139 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001140
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001141 leastconn The server with the lowest number of connections receives the
1142 connection. Round-robin is performed within groups of servers
1143 of the same load to ensure that all servers will be used. Use
1144 of this algorithm is recommended where very long sessions are
1145 expected, such as LDAP, SQL, TSE, etc... but is not very well
1146 suited for protocols using short sessions such as HTTP. This
1147 algorithm is dynamic, which means that server weights may be
1148 adjusted on the fly for slow starts for instance.
1149
Willy Tarreau0ba27502007-12-24 16:55:16 +01001150 source The source IP address is hashed and divided by the total
1151 weight of the running servers to designate which server will
1152 receive the request. This ensures that the same client IP
1153 address will always reach the same server as long as no
1154 server goes down or up. If the hash result changes due to the
1155 number of running servers changing, many clients will be
1156 directed to a different server. This algorithm is generally
1157 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001158 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001159 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001160 static by default, which means that changing a server's
1161 weight on the fly will have no effect, but this can be
1162 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001163
1164 uri The left part of the URI (before the question mark) is hashed
1165 and divided by the total weight of the running servers. The
1166 result designates which server will receive the request. This
1167 ensures that a same URI will always be directed to the same
1168 server as long as no server goes up or down. This is used
1169 with proxy caches and anti-virus proxies in order to maximize
1170 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001171 in an HTTP backend. This algorithm is static by default,
1172 which means that changing a server's weight on the fly will
1173 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001174
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001175 This algorithm support two optional parameters "len" and
1176 "depth", both followed by a positive integer number. These
1177 options may be helpful when it is needed to balance servers
1178 based on the beginning of the URI only. The "len" parameter
1179 indicates that the algorithm should only consider that many
1180 characters at the beginning of the URI to compute the hash.
1181 Note that having "len" set to 1 rarely makes sense since most
1182 URIs start with a leading "/".
1183
1184 The "depth" parameter indicates the maximum directory depth
1185 to be used to compute the hash. One level is counted for each
1186 slash in the request. If both parameters are specified, the
1187 evaluation stops when either is reached.
1188
Willy Tarreau0ba27502007-12-24 16:55:16 +01001189 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001190 the query string of each HTTP GET request.
1191
1192 If the modifier "check_post" is used, then an HTTP POST
1193 request entity will be searched for the parameter argument,
1194 when the question mark indicating a query string ('?') is not
1195 present in the URL. Optionally, specify a number of octets to
1196 wait for before attempting to search the message body. If the
1197 entity can not be searched, then round robin is used for each
1198 request. For instance, if your clients always send the LB
1199 parameter in the first 128 bytes, then specify that. The
1200 default is 48. The entity data will not be scanned until the
1201 required number of octets have arrived at the gateway, this
1202 is the minimum of: (default/max_wait, Content-Length or first
1203 chunk length). If Content-Length is missing or zero, it does
1204 not need to wait for more data than the client promised to
1205 send. When Content-Length is present and larger than
1206 <max_wait>, then waiting is limited to <max_wait> and it is
1207 assumed that this will be enough data to search for the
1208 presence of the parameter. In the unlikely event that
1209 Transfer-Encoding: chunked is used, only the first chunk is
1210 scanned. Parameter values separated by a chunk boundary, may
1211 be randomly balanced if at all.
1212
1213 If the parameter is found followed by an equal sign ('=') and
1214 a value, then the value is hashed and divided by the total
1215 weight of the running servers. The result designates which
1216 server will receive the request.
1217
1218 This is used to track user identifiers in requests and ensure
1219 that a same user ID will always be sent to the same server as
1220 long as no server goes up or down. If no value is found or if
1221 the parameter is not found, then a round robin algorithm is
1222 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001223 backend. This algorithm is static by default, which means
1224 that changing a server's weight on the fly will have no
1225 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001226
Benoitaffb4812009-03-25 13:02:10 +01001227 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
1228 Just as with the equivalent ACL 'hdr()' function, the header
1229 name in parenthesis is not case sensitive. If the header is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001230 absent or if it does not contain any value, the roundrobin
Benoitaffb4812009-03-25 13:02:10 +01001231 algorithm is applied instead.
1232
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001233 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001234 reducing the hash algorithm to the main domain part with some
1235 specific headers such as 'Host'. For instance, in the Host
1236 value "haproxy.1wt.eu", only "1wt" will be considered.
1237
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001238 This algorithm is static by default, which means that
1239 changing a server's weight on the fly will have no effect,
1240 but this can be changed using "hash-type".
1241
Emeric Brun736aa232009-06-30 17:56:00 +02001242 rdp-cookie
1243 rdp-cookie(name)
1244 The RDP cookie <name> (or "mstshash" if omitted) will be
1245 looked up and hashed for each incoming TCP request. Just as
1246 with the equivalent ACL 'req_rdp_cookie()' function, the name
1247 is not case-sensitive. This mechanism is useful as a degraded
1248 persistence mode, as it makes it possible to always send the
1249 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001250 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001251 used instead.
1252
1253 Note that for this to work, the frontend must ensure that an
1254 RDP cookie is already present in the request buffer. For this
1255 you must use 'tcp-request content accept' rule combined with
1256 a 'req_rdp_cookie_cnt' ACL.
1257
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001258 This algorithm is static by default, which means that
1259 changing a server's weight on the fly will have no effect,
1260 but this can be changed using "hash-type".
1261
Willy Tarreau0ba27502007-12-24 16:55:16 +01001262 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001263 algorithms. Right now, only "url_param" and "uri" support an
1264 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001265
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001266 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001267 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001268
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001269 The load balancing algorithm of a backend is set to roundrobin when no other
1270 algorithm, mode nor option have been set. The algorithm may only be set once
1271 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001272
1273 Examples :
1274 balance roundrobin
1275 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001276 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001277 balance hdr(User-Agent)
1278 balance hdr(host)
1279 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001280
1281 Note: the following caveats and limitations on using the "check_post"
1282 extension with "url_param" must be considered :
1283
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001284 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001285 to determine if the parameters will be found in the body or entity which
1286 may contain binary data. Therefore another method may be required to
1287 restrict consideration of POST requests that have no URL parameters in
1288 the body. (see acl reqideny http_end)
1289
1290 - using a <max_wait> value larger than the request buffer size does not
1291 make sense and is useless. The buffer size is set at build time, and
1292 defaults to 16 kB.
1293
1294 - Content-Encoding is not supported, the parameter search will probably
1295 fail; and load balancing will fall back to Round Robin.
1296
1297 - Expect: 100-continue is not supported, load balancing will fall back to
1298 Round Robin.
1299
1300 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1301 If the entire parameter value is not present in the first chunk, the
1302 selection of server is undefined (actually, defined by how little
1303 actually appeared in the first chunk).
1304
1305 - This feature does not support generation of a 100, 411 or 501 response.
1306
1307 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001308 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001309 white space or control characters are found, indicating the end of what
1310 might be a URL parameter list. This is probably not a concern with SGML
1311 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001312
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001313 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1314 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001315
1316
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001317bind [<address>]:<port_range> [, ...]
1318bind [<address>]:<port_range> [, ...] interface <interface>
1319bind [<address>]:<port_range> [, ...] mss <maxseg>
1320bind [<address>]:<port_range> [, ...] transparent
1321bind [<address>]:<port_range> [, ...] id <id>
1322bind [<address>]:<port_range> [, ...] name <name>
1323bind [<address>]:<port_range> [, ...] defer-accept
Willy Tarreau0ba27502007-12-24 16:55:16 +01001324 Define one or several listening addresses and/or ports in a frontend.
1325 May be used in sections : defaults | frontend | listen | backend
1326 no | yes | yes | no
1327 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001328 <address> is optional and can be a host name, an IPv4 address, an IPv6
1329 address, or '*'. It designates the address the frontend will
1330 listen on. If unset, all IPv4 addresses of the system will be
1331 listened on. The same will apply for '*' or the system's
1332 special address "0.0.0.0".
1333
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001334 <port_range> is either a unique TCP port, or a port range for which the
1335 proxy will accept connections for the IP address specified
1336 above. The port is mandatory. Note that in the case of an
1337 IPv6 address, the port is always the number after the last
1338 colon (':'). A range can either be :
1339 - a numerical port (ex: '80')
1340 - a dash-delimited ports range explicitly stating the lower
1341 and upper bounds (ex: '2000-2100') which are included in
1342 the range.
1343
1344 Particular care must be taken against port ranges, because
1345 every <address:port> couple consumes one socket (= a file
1346 descriptor), so it's easy to consume lots of descriptors
1347 with a simple range, and to run out of sockets. Also, each
1348 <address:port> couple must be used only once among all
1349 instances running on a same system. Please note that binding
1350 to ports lower than 1024 generally require particular
1351 privileges to start the program, which are independant of
1352 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001353
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001354 <interface> is an optional physical interface name. This is currently
1355 only supported on Linux. The interface must be a physical
1356 interface, not an aliased interface. When specified, all
1357 addresses on the same line will only be accepted if the
1358 incoming packet physically come through the designated
1359 interface. It is also possible to bind multiple frontends to
1360 the same address if they are bound to different interfaces.
1361 Note that binding to a physical interface requires root
1362 privileges.
1363
Willy Tarreaube1b9182009-06-14 18:48:19 +02001364 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1365 advertised on incoming connections. This can be used to force
1366 a lower MSS for certain specific ports, for instance for
1367 connections passing through a VPN. Note that this relies on a
1368 kernel feature which is theorically supported under Linux but
1369 was buggy in all versions prior to 2.6.28. It may or may not
1370 work on other operating systems. The commonly advertised
1371 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1372
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001373 <id> is a persistent value for socket ID. Must be positive and
1374 unique in the proxy. An unused value will automatically be
1375 assigned if unset. Can only be used when defining only a
1376 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001377
1378 <name> is an optional name provided for stats
1379
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001380 transparent is an optional keyword which is supported only on certain
1381 Linux kernels. It indicates that the addresses will be bound
1382 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001383 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001384 the address was locally configured. This normally requires
1385 that IP forwarding is enabled. Caution! do not use this with
1386 the default address '*', as it would redirect any traffic for
1387 the specified port. This keyword is available only when
1388 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001389
Willy Tarreau59f89202010-10-02 11:54:00 +02001390 defer-accept is an optional keyword which is supported only on certain
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001391 Linux kernels. It states that a connection will only be
1392 accepted once some data arrive on it, or at worst after the
1393 first retransmit. This should be used only on protocols for
1394 which the client talks first (eg: HTTP). It can slightly
1395 improve performance by ensuring that most of the request is
1396 already available when the connection is accepted. On the
1397 other hand, it will not be able to detect connections which
1398 don't talk. It is important to note that this option is
1399 broken in all kernels up to 2.6.31, as the connection is
1400 never accepted until the client talks. This can cause issues
1401 with front firewalls which would see an established
1402 connection while the proxy will only see it in SYN_RECV.
1403
Willy Tarreau0ba27502007-12-24 16:55:16 +01001404 It is possible to specify a list of address:port combinations delimited by
1405 commas. The frontend will then listen on all of these addresses. There is no
1406 fixed limit to the number of addresses and ports which can be listened on in
1407 a frontend, as well as there is no limit to the number of "bind" statements
1408 in a frontend.
1409
1410 Example :
1411 listen http_proxy
1412 bind :80,:443
1413 bind 10.0.0.1:10080,10.0.0.1:10443
1414
1415 See also : "source".
1416
1417
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001418bind-process [ all | odd | even | <number 1-32> ] ...
1419 Limit visibility of an instance to a certain set of processes numbers.
1420 May be used in sections : defaults | frontend | listen | backend
1421 yes | yes | yes | yes
1422 Arguments :
1423 all All process will see this instance. This is the default. It
1424 may be used to override a default value.
1425
1426 odd This instance will be enabled on processes 1,3,5,...31. This
1427 option may be combined with other numbers.
1428
1429 even This instance will be enabled on processes 2,4,6,...32. This
1430 option may be combined with other numbers. Do not use it
1431 with less than 2 processes otherwise some instances might be
1432 missing from all processes.
1433
1434 number The instance will be enabled on this process number, between
1435 1 and 32. You must be careful not to reference a process
1436 number greater than the configured global.nbproc, otherwise
1437 some instances might be missing from all processes.
1438
1439 This keyword limits binding of certain instances to certain processes. This
1440 is useful in order not to have too many processes listening to the same
1441 ports. For instance, on a dual-core machine, it might make sense to set
1442 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1443 and 'even' instances.
1444
1445 At the moment, it is not possible to reference more than 32 processes using
1446 this keyword, but this should be more than enough for most setups. Please
1447 note that 'all' really means all processes and is not limited to the first
1448 32.
1449
1450 If some backends are referenced by frontends bound to other processes, the
1451 backend automatically inherits the frontend's processes.
1452
1453 Example :
1454 listen app_ip1
1455 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001456 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001457
1458 listen app_ip2
1459 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001460 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001461
1462 listen management
1463 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001464 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001465
1466 See also : "nbproc" in global section.
1467
1468
Willy Tarreau0ba27502007-12-24 16:55:16 +01001469block { if | unless } <condition>
1470 Block a layer 7 request if/unless a condition is matched
1471 May be used in sections : defaults | frontend | listen | backend
1472 no | yes | yes | yes
1473
1474 The HTTP request will be blocked very early in the layer 7 processing
1475 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001476 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001477 typically used to deny access to certain sensible resources if some
1478 conditions are met or not met. There is no fixed limit to the number of
1479 "block" statements per instance.
1480
1481 Example:
1482 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1483 acl invalid_src src_port 0:1023
1484 acl local_dst hdr(host) -i localhost
1485 block if invalid_src || local_dst
1486
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001487 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001488
1489
1490capture cookie <name> len <length>
1491 Capture and log a cookie in the request and in the response.
1492 May be used in sections : defaults | frontend | listen | backend
1493 no | yes | yes | no
1494 Arguments :
1495 <name> is the beginning of the name of the cookie to capture. In order
1496 to match the exact name, simply suffix the name with an equal
1497 sign ('='). The full name will appear in the logs, which is
1498 useful with application servers which adjust both the cookie name
1499 and value (eg: ASPSESSIONXXXXX).
1500
1501 <length> is the maximum number of characters to report in the logs, which
1502 include the cookie name, the equal sign and the value, all in the
1503 standard "name=value" form. The string will be truncated on the
1504 right if it exceeds <length>.
1505
1506 Only the first cookie is captured. Both the "cookie" request headers and the
1507 "set-cookie" response headers are monitored. This is particularly useful to
1508 check for application bugs causing session crossing or stealing between
1509 users, because generally the user's cookies can only change on a login page.
1510
1511 When the cookie was not presented by the client, the associated log column
1512 will report "-". When a request does not cause a cookie to be assigned by the
1513 server, a "-" is reported in the response column.
1514
1515 The capture is performed in the frontend only because it is necessary that
1516 the log format does not change for a given frontend depending on the
1517 backends. This may change in the future. Note that there can be only one
1518 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001519 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001520 specify a capture in a "defaults" section.
1521
1522 Example:
1523 capture cookie ASPSESSION len 32
1524
1525 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001526 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001527
1528
1529capture request header <name> len <length>
1530 Capture and log the first occurrence of the specified request header.
1531 May be used in sections : defaults | frontend | listen | backend
1532 no | yes | yes | no
1533 Arguments :
1534 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001535 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001536 appear in the requests, with the first letter of each word in
1537 upper case. The header name will not appear in the logs, only the
1538 value is reported, but the position in the logs is respected.
1539
1540 <length> is the maximum number of characters to extract from the value and
1541 report in the logs. The string will be truncated on the right if
1542 it exceeds <length>.
1543
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001544 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001545 value will be added to the logs between braces ('{}'). If multiple headers
1546 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001547 in the same order they were declared in the configuration. Non-existent
1548 headers will be logged just as an empty string. Common uses for request
1549 header captures include the "Host" field in virtual hosting environments, the
1550 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001551 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001552 environments to find where the request came from.
1553
1554 Note that when capturing headers such as "User-agent", some spaces may be
1555 logged, making the log analysis more difficult. Thus be careful about what
1556 you log if you know your log parser is not smart enough to rely on the
1557 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001558
1559 There is no limit to the number of captured request headers, but each capture
1560 is limited to 64 characters. In order to keep log format consistent for a
1561 same frontend, header captures can only be declared in a frontend. It is not
1562 possible to specify a capture in a "defaults" section.
1563
1564 Example:
1565 capture request header Host len 15
1566 capture request header X-Forwarded-For len 15
1567 capture request header Referrer len 15
1568
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001569 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001570 about logging.
1571
1572
1573capture response header <name> len <length>
1574 Capture and log the first occurrence of the specified response header.
1575 May be used in sections : defaults | frontend | listen | backend
1576 no | yes | yes | no
1577 Arguments :
1578 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001579 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001580 appear in the response, with the first letter of each word in
1581 upper case. The header name will not appear in the logs, only the
1582 value is reported, but the position in the logs is respected.
1583
1584 <length> is the maximum number of characters to extract from the value and
1585 report in the logs. The string will be truncated on the right if
1586 it exceeds <length>.
1587
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001588 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001589 result will be added to the logs between braces ('{}') after the captured
1590 request headers. If multiple headers are captured, they will be delimited by
1591 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001592 the configuration. Non-existent headers will be logged just as an empty
1593 string. Common uses for response header captures include the "Content-length"
1594 header which indicates how many bytes are expected to be returned, the
1595 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001596
1597 There is no limit to the number of captured response headers, but each
1598 capture is limited to 64 characters. In order to keep log format consistent
1599 for a same frontend, header captures can only be declared in a frontend. It
1600 is not possible to specify a capture in a "defaults" section.
1601
1602 Example:
1603 capture response header Content-length len 9
1604 capture response header Location len 15
1605
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001606 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001607 about logging.
1608
1609
Cyril Bontéf0c60612010-02-06 14:44:47 +01001610clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001611 Set the maximum inactivity time on the client side.
1612 May be used in sections : defaults | frontend | listen | backend
1613 yes | yes | yes | no
1614 Arguments :
1615 <timeout> is the timeout value is specified in milliseconds by default, but
1616 can be in any other unit if the number is suffixed by the unit,
1617 as explained at the top of this document.
1618
1619 The inactivity timeout applies when the client is expected to acknowledge or
1620 send data. In HTTP mode, this timeout is particularly important to consider
1621 during the first phase, when the client sends the request, and during the
1622 response while it is reading data sent by the server. The value is specified
1623 in milliseconds by default, but can be in any other unit if the number is
1624 suffixed by the unit, as specified at the top of this document. In TCP mode
1625 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1626 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001627 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001628 losses by specifying timeouts that are slightly above multiples of 3 seconds
1629 (eg: 4 or 5 seconds).
1630
1631 This parameter is specific to frontends, but can be specified once for all in
1632 "defaults" sections. This is in fact one of the easiest solutions not to
1633 forget about it. An unspecified timeout results in an infinite timeout, which
1634 is not recommended. Such a usage is accepted and works but reports a warning
1635 during startup because it may results in accumulation of expired sessions in
1636 the system if the system's timeouts are not configured either.
1637
1638 This parameter is provided for compatibility but is currently deprecated.
1639 Please use "timeout client" instead.
1640
Willy Tarreau036fae02008-01-06 13:24:40 +01001641 See also : "timeout client", "timeout http-request", "timeout server", and
1642 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001643
1644
Cyril Bontéf0c60612010-02-06 14:44:47 +01001645contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001646 Set the maximum time to wait for a connection attempt to a server to succeed.
1647 May be used in sections : defaults | frontend | listen | backend
1648 yes | no | yes | yes
1649 Arguments :
1650 <timeout> is the timeout value is specified in milliseconds by default, but
1651 can be in any other unit if the number is suffixed by the unit,
1652 as explained at the top of this document.
1653
1654 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001655 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001656 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001657 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1658 connect timeout also presets the queue timeout to the same value if this one
1659 has not been specified. Historically, the contimeout was also used to set the
1660 tarpit timeout in a listen section, which is not possible in a pure frontend.
1661
1662 This parameter is specific to backends, but can be specified once for all in
1663 "defaults" sections. This is in fact one of the easiest solutions not to
1664 forget about it. An unspecified timeout results in an infinite timeout, which
1665 is not recommended. Such a usage is accepted and works but reports a warning
1666 during startup because it may results in accumulation of failed sessions in
1667 the system if the system's timeouts are not configured either.
1668
1669 This parameter is provided for backwards compatibility but is currently
1670 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1671 instead.
1672
1673 See also : "timeout connect", "timeout queue", "timeout tarpit",
1674 "timeout server", "contimeout".
1675
1676
Willy Tarreau55165fe2009-05-10 12:02:55 +02001677cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001678 [ postonly ] [ preserve ] [ domain <domain> ]*
Willy Tarreau996a92c2010-10-13 19:30:47 +02001679 [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001680 Enable cookie-based persistence in a backend.
1681 May be used in sections : defaults | frontend | listen | backend
1682 yes | no | yes | yes
1683 Arguments :
1684 <name> is the name of the cookie which will be monitored, modified or
1685 inserted in order to bring persistence. This cookie is sent to
1686 the client via a "Set-Cookie" header in the response, and is
1687 brought back by the client in a "Cookie" header in all requests.
1688 Special care should be taken to choose a name which does not
1689 conflict with any likely application cookie. Also, if the same
1690 backends are subject to be used by the same clients (eg:
1691 HTTP/HTTPS), care should be taken to use different cookie names
1692 between all backends if persistence between them is not desired.
1693
1694 rewrite This keyword indicates that the cookie will be provided by the
1695 server and that haproxy will have to modify its value to set the
1696 server's identifier in it. This mode is handy when the management
1697 of complex combinations of "Set-cookie" and "Cache-control"
1698 headers is left to the application. The application can then
1699 decide whether or not it is appropriate to emit a persistence
1700 cookie. Since all responses should be monitored, this mode only
1701 works in HTTP close mode. Unless the application behaviour is
1702 very complex and/or broken, it is advised not to start with this
1703 mode for new deployments. This keyword is incompatible with
1704 "insert" and "prefix".
1705
1706 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02001707 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001708
Willy Tarreaua79094d2010-08-31 22:54:15 +02001709 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001710 server. When used without the "preserve" option, if the server
1711 emits a cookie with the same name, it will be remove before
1712 processing. For this reason, this mode can be used to upgrade
1713 existing configurations running in the "rewrite" mode. The cookie
1714 will only be a session cookie and will not be stored on the
1715 client's disk. By default, unless the "indirect" option is added,
1716 the server will see the cookies emitted by the client. Due to
1717 caching effects, it is generally wise to add the "nocache" or
1718 "postonly" keywords (see below). The "insert" keyword is not
1719 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001720
1721 prefix This keyword indicates that instead of relying on a dedicated
1722 cookie for the persistence, an existing one will be completed.
1723 This may be needed in some specific environments where the client
1724 does not support more than one single cookie and the application
1725 already needs it. In this case, whenever the server sets a cookie
1726 named <name>, it will be prefixed with the server's identifier
1727 and a delimiter. The prefix will be removed from all client
1728 requests so that the server still finds the cookie it emitted.
1729 Since all requests and responses are subject to being modified,
1730 this mode requires the HTTP close mode. The "prefix" keyword is
1731 not compatible with "rewrite" and "insert".
1732
Willy Tarreaua79094d2010-08-31 22:54:15 +02001733 indirect When this option is specified, no cookie will be emitted to a
1734 client which already has a valid one for the server which has
1735 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001736 it will be removed, unless the "preserve" option is also set. In
1737 "insert" mode, this will additionally remove cookies from the
1738 requests transmitted to the server, making the persistence
1739 mechanism totally transparent from an application point of view.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001740
1741 nocache This option is recommended in conjunction with the insert mode
1742 when there is a cache between the client and HAProxy, as it
1743 ensures that a cacheable response will be tagged non-cacheable if
1744 a cookie needs to be inserted. This is important because if all
1745 persistence cookies are added on a cacheable home page for
1746 instance, then all customers will then fetch the page from an
1747 outer cache and will all share the same persistence cookie,
1748 leading to one server receiving much more traffic than others.
1749 See also the "insert" and "postonly" options.
1750
1751 postonly This option ensures that cookie insertion will only be performed
1752 on responses to POST requests. It is an alternative to the
1753 "nocache" option, because POST responses are not cacheable, so
1754 this ensures that the persistence cookie will never get cached.
1755 Since most sites do not need any sort of persistence before the
1756 first POST which generally is a login request, this is a very
1757 efficient method to optimize caching without risking to find a
1758 persistence cookie in the cache.
1759 See also the "insert" and "nocache" options.
1760
Willy Tarreauba4c5be2010-10-23 12:46:42 +02001761 preserve This option may only be used with "insert" and/or "indirect". It
1762 allows the server to emit the persistence cookie itself. In this
1763 case, if a cookie is found in the response, haproxy will leave it
1764 untouched. This is useful in order to end persistence after a
1765 logout request for instance. For this, the server just has to
1766 emit a cookie with an invalid value (eg: empty) or with a date in
1767 the past. By combining this mechanism with the "disable-on-404"
1768 check option, it is possible to perform a completely graceful
1769 shutdown because users will definitely leave the server after
1770 they logout.
1771
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001772 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001773 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001774 name. If the domain begins with a dot, the browser is allowed to
1775 use it for any host ending with that name. It is also possible to
1776 specify several domain names by invoking this option multiple
1777 times. Some browsers might have small limits on the number of
1778 domains, so be careful when doing that. For the record, sending
1779 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001780
Willy Tarreau996a92c2010-10-13 19:30:47 +02001781 maxidle This option allows inserted cookies to be ignored after some idle
1782 time. It only works with insert-mode cookies. When a cookie is
1783 sent to the client, the date this cookie was emitted is sent too.
1784 Upon further presentations of this cookie, if the date is older
1785 than the delay indicated by the parameter (in seconds), it will
1786 be ignored. Otherwise, it will be refreshed if needed when the
1787 response is sent to the client. This is particularly useful to
1788 prevent users who never close their browsers from remaining for
1789 too long on the same server (eg: after a farm size change). When
1790 this option is set and a cookie has no date, it is always
1791 accepted, but gets refreshed in the response. This maintains the
1792 ability for admins to access their sites. Cookies that have a
1793 date in the future further than 24 hours are ignored. Doing so
1794 lets admins fix timezone issues without risking kicking users off
1795 the site.
1796
1797 maxlife This option allows inserted cookies to be ignored after some life
1798 time, whether they're in use or not. It only works with insert
1799 mode cookies. When a cookie is first sent to the client, the date
1800 this cookie was emitted is sent too. Upon further presentations
1801 of this cookie, if the date is older than the delay indicated by
1802 the parameter (in seconds), it will be ignored. If the cookie in
1803 the request has no date, it is accepted and a date will be set.
1804 Cookies that have a date in the future further than 24 hours are
1805 ignored. Doing so lets admins fix timezone issues without risking
1806 kicking users off the site. Contrary to maxidle, this value is
1807 not refreshed, only the first visit date counts. Both maxidle and
1808 maxlife may be used at the time. This is particularly useful to
1809 prevent users who never close their browsers from remaining for
1810 too long on the same server (eg: after a farm size change). This
1811 is stronger than the maxidle method in that it forces a
1812 redispatch after some absolute delay.
1813
Willy Tarreau0ba27502007-12-24 16:55:16 +01001814 There can be only one persistence cookie per HTTP backend, and it can be
1815 declared in a defaults section. The value of the cookie will be the value
1816 indicated after the "cookie" keyword in a "server" statement. If no cookie
1817 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001818
Willy Tarreau0ba27502007-12-24 16:55:16 +01001819 Examples :
1820 cookie JSESSIONID prefix
1821 cookie SRV insert indirect nocache
1822 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02001823 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01001824
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02001825 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001826 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001827
Willy Tarreau983e01e2010-01-11 18:42:06 +01001828
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001829default-server [param*]
1830 Change default options for a server in a backend
1831 May be used in sections : defaults | frontend | listen | backend
1832 yes | no | yes | yes
1833 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001834 <param*> is a list of parameters for this server. The "default-server"
1835 keyword accepts an important number of options and has a complete
1836 section dedicated to it. Please refer to section 5 for more
1837 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001838
Willy Tarreau983e01e2010-01-11 18:42:06 +01001839 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001840 default-server inter 1000 weight 13
1841
1842 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001843
Willy Tarreau983e01e2010-01-11 18:42:06 +01001844
Willy Tarreau0ba27502007-12-24 16:55:16 +01001845default_backend <backend>
1846 Specify the backend to use when no "use_backend" rule has been matched.
1847 May be used in sections : defaults | frontend | listen | backend
1848 yes | yes | yes | no
1849 Arguments :
1850 <backend> is the name of the backend to use.
1851
1852 When doing content-switching between frontend and backends using the
1853 "use_backend" keyword, it is often useful to indicate which backend will be
1854 used when no rule has matched. It generally is the dynamic backend which
1855 will catch all undetermined requests.
1856
Willy Tarreau0ba27502007-12-24 16:55:16 +01001857 Example :
1858
1859 use_backend dynamic if url_dyn
1860 use_backend static if url_css url_img extension_img
1861 default_backend dynamic
1862
Willy Tarreau2769aa02007-12-27 18:26:09 +01001863 See also : "use_backend", "reqsetbe", "reqisetbe"
1864
Willy Tarreau0ba27502007-12-24 16:55:16 +01001865
1866disabled
1867 Disable a proxy, frontend or backend.
1868 May be used in sections : defaults | frontend | listen | backend
1869 yes | yes | yes | yes
1870 Arguments : none
1871
1872 The "disabled" keyword is used to disable an instance, mainly in order to
1873 liberate a listening port or to temporarily disable a service. The instance
1874 will still be created and its configuration will be checked, but it will be
1875 created in the "stopped" state and will appear as such in the statistics. It
1876 will not receive any traffic nor will it send any health-checks or logs. It
1877 is possible to disable many instances at once by adding the "disabled"
1878 keyword in a "defaults" section.
1879
1880 See also : "enabled"
1881
1882
Willy Tarreau5ce94572010-06-07 14:35:41 +02001883dispatch <address>:<port>
1884 Set a default server address
1885 May be used in sections : defaults | frontend | listen | backend
1886 no | no | yes | yes
1887 Arguments : none
1888
1889 <address> is the IPv4 address of the default server. Alternatively, a
1890 resolvable hostname is supported, but this name will be resolved
1891 during start-up.
1892
1893 <ports> is a mandatory port specification. All connections will be sent
1894 to this port, and it is not permitted to use port offsets as is
1895 possible with normal servers.
1896
1897 The "disabled" keyword designates a default server for use when no other
1898 server can take the connection. In the past it was used to forward non
1899 persistent connections to an auxiliary load balancer. Due to its simple
1900 syntax, it has also been used for simple TCP relays. It is recommended not to
1901 use it for more clarity, and to use the "server" directive instead.
1902
1903 See also : "server"
1904
1905
Willy Tarreau0ba27502007-12-24 16:55:16 +01001906enabled
1907 Enable a proxy, frontend or backend.
1908 May be used in sections : defaults | frontend | listen | backend
1909 yes | yes | yes | yes
1910 Arguments : none
1911
1912 The "enabled" keyword is used to explicitly enable an instance, when the
1913 defaults has been set to "disabled". This is very rarely used.
1914
1915 See also : "disabled"
1916
1917
1918errorfile <code> <file>
1919 Return a file contents instead of errors generated by HAProxy
1920 May be used in sections : defaults | frontend | listen | backend
1921 yes | yes | yes | yes
1922 Arguments :
1923 <code> is the HTTP status code. Currently, HAProxy is capable of
1924 generating codes 400, 403, 408, 500, 502, 503, and 504.
1925
1926 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001927 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001928 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001929 error pages, and to use absolute paths, since files are read
1930 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001931
1932 It is important to understand that this keyword is not meant to rewrite
1933 errors returned by the server, but errors detected and returned by HAProxy.
1934 This is why the list of supported errors is limited to a small set.
1935
1936 The files are returned verbatim on the TCP socket. This allows any trick such
1937 as redirections to another URL or site, as well as tricks to clean cookies,
1938 force enable or disable caching, etc... The package provides default error
1939 files returning the same contents as default errors.
1940
Willy Tarreau59140a22009-02-22 12:02:30 +01001941 The files should not exceed the configured buffer size (BUFSIZE), which
1942 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1943 not to put any reference to local contents (eg: images) in order to avoid
1944 loops between the client and HAProxy when all servers are down, causing an
1945 error to be returned instead of an image. For better HTTP compliance, it is
1946 recommended that all header lines end with CR-LF and not LF alone.
1947
Willy Tarreau0ba27502007-12-24 16:55:16 +01001948 The files are read at the same time as the configuration and kept in memory.
1949 For this reason, the errors continue to be returned even when the process is
1950 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001951 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001952 403 status code and interrogating a blocked URL.
1953
1954 See also : "errorloc", "errorloc302", "errorloc303"
1955
Willy Tarreau59140a22009-02-22 12:02:30 +01001956 Example :
1957 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1958 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1959 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1960
Willy Tarreau2769aa02007-12-27 18:26:09 +01001961
1962errorloc <code> <url>
1963errorloc302 <code> <url>
1964 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1965 May be used in sections : defaults | frontend | listen | backend
1966 yes | yes | yes | yes
1967 Arguments :
1968 <code> is the HTTP status code. Currently, HAProxy is capable of
1969 generating codes 400, 403, 408, 500, 502, 503, and 504.
1970
1971 <url> it is the exact contents of the "Location" header. It may contain
1972 either a relative URI to an error page hosted on the same site,
1973 or an absolute URI designating an error page on another site.
1974 Special care should be given to relative URIs to avoid redirect
1975 loops if the URI itself may generate the same error (eg: 500).
1976
1977 It is important to understand that this keyword is not meant to rewrite
1978 errors returned by the server, but errors detected and returned by HAProxy.
1979 This is why the list of supported errors is limited to a small set.
1980
1981 Note that both keyword return the HTTP 302 status code, which tells the
1982 client to fetch the designated URL using the same HTTP method. This can be
1983 quite problematic in case of non-GET methods such as POST, because the URL
1984 sent to the client might not be allowed for something other than GET. To
1985 workaround this problem, please use "errorloc303" which send the HTTP 303
1986 status code, indicating to the client that the URL must be fetched with a GET
1987 request.
1988
1989 See also : "errorfile", "errorloc303"
1990
1991
1992errorloc303 <code> <url>
1993 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1994 May be used in sections : defaults | frontend | listen | backend
1995 yes | yes | yes | yes
1996 Arguments :
1997 <code> is the HTTP status code. Currently, HAProxy is capable of
1998 generating codes 400, 403, 408, 500, 502, 503, and 504.
1999
2000 <url> it is the exact contents of the "Location" header. It may contain
2001 either a relative URI to an error page hosted on the same site,
2002 or an absolute URI designating an error page on another site.
2003 Special care should be given to relative URIs to avoid redirect
2004 loops if the URI itself may generate the same error (eg: 500).
2005
2006 It is important to understand that this keyword is not meant to rewrite
2007 errors returned by the server, but errors detected and returned by HAProxy.
2008 This is why the list of supported errors is limited to a small set.
2009
2010 Note that both keyword return the HTTP 303 status code, which tells the
2011 client to fetch the designated URL using the same HTTP GET method. This
2012 solves the usual problems associated with "errorloc" and the 302 code. It is
2013 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002014 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002015
2016 See also : "errorfile", "errorloc", "errorloc302"
2017
2018
Willy Tarreau4de91492010-01-22 19:10:05 +01002019force-persist { if | unless } <condition>
2020 Declare a condition to force persistence on down servers
2021 May be used in sections: defaults | frontend | listen | backend
2022 no | yes | yes | yes
2023
2024 By default, requests are not dispatched to down servers. It is possible to
2025 force this using "option persist", but it is unconditional and redispatches
2026 to a valid server if "option redispatch" is set. That leaves with very little
2027 possibilities to force some requests to reach a server which is artificially
2028 marked down for maintenance operations.
2029
2030 The "force-persist" statement allows one to declare various ACL-based
2031 conditions which, when met, will cause a request to ignore the down status of
2032 a server and still try to connect to it. That makes it possible to start a
2033 server, still replying an error to the health checks, and run a specially
2034 configured browser to test the service. Among the handy methods, one could
2035 use a specific source IP address, or a specific cookie. The cookie also has
2036 the advantage that it can easily be added/removed on the browser from a test
2037 page. Once the service is validated, it is then possible to open the service
2038 to the world by returning a valid response to health checks.
2039
2040 The forced persistence is enabled when an "if" condition is met, or unless an
2041 "unless" condition is met. The final redispatch is always disabled when this
2042 is used.
2043
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002044 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002045 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002046
2047
Willy Tarreau2769aa02007-12-27 18:26:09 +01002048fullconn <conns>
2049 Specify at what backend load the servers will reach their maxconn
2050 May be used in sections : defaults | frontend | listen | backend
2051 yes | no | yes | yes
2052 Arguments :
2053 <conns> is the number of connections on the backend which will make the
2054 servers use the maximal number of connections.
2055
Willy Tarreau198a7442008-01-17 12:05:32 +01002056 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002057 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002058 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002059 load. The server will then always accept at least <minconn> connections,
2060 never more than <maxconn>, and the limit will be on the ramp between both
2061 values when the backend has less than <conns> concurrent connections. This
2062 makes it possible to limit the load on the servers during normal loads, but
2063 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002064 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002065
2066 Example :
2067 # The servers will accept between 100 and 1000 concurrent connections each
2068 # and the maximum of 1000 will be reached when the backend reaches 10000
2069 # connections.
2070 backend dynamic
2071 fullconn 10000
2072 server srv1 dyn1:80 minconn 100 maxconn 1000
2073 server srv2 dyn2:80 minconn 100 maxconn 1000
2074
2075 See also : "maxconn", "server"
2076
2077
2078grace <time>
2079 Maintain a proxy operational for some time after a soft stop
2080 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002081 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002082 Arguments :
2083 <time> is the time (by default in milliseconds) for which the instance
2084 will remain operational with the frontend sockets still listening
2085 when a soft-stop is received via the SIGUSR1 signal.
2086
2087 This may be used to ensure that the services disappear in a certain order.
2088 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002089 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002090 needed by the equipment to detect the failure.
2091
2092 Note that currently, there is very little benefit in using this parameter,
2093 and it may in fact complicate the soft-reconfiguration process more than
2094 simplify it.
2095
Willy Tarreau0ba27502007-12-24 16:55:16 +01002096
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002097hash-type <method>
2098 Specify a method to use for mapping hashes to servers
2099 May be used in sections : defaults | frontend | listen | backend
2100 yes | no | yes | yes
2101 Arguments :
2102 map-based the hash table is a static array containing all alive servers.
2103 The hashes will be very smooth, will consider weights, but will
2104 be static in that weight changes while a server is up will be
2105 ignored. This means that there will be no slow start. Also,
2106 since a server is selected by its position in the array, most
2107 mappings are changed when the server count changes. This means
2108 that when a server goes up or down, or when a server is added
2109 to a farm, most connections will be redistributed to different
2110 servers. This can be inconvenient with caches for instance.
2111
2112 consistent the hash table is a tree filled with many occurrences of each
2113 server. The hash key is looked up in the tree and the closest
2114 server is chosen. This hash is dynamic, it supports changing
2115 weights while the servers are up, so it is compatible with the
2116 slow start feature. It has the advantage that when a server
2117 goes up or down, only its associations are moved. When a server
2118 is added to the farm, only a few part of the mappings are
2119 redistributed, making it an ideal algorithm for caches.
2120 However, due to its principle, the algorithm will never be very
2121 smooth and it may sometimes be necessary to adjust a server's
2122 weight or its ID to get a more balanced distribution. In order
2123 to get the same distribution on multiple load balancers, it is
2124 important that all servers have the same IDs.
2125
2126 The default hash type is "map-based" and is recommended for most usages.
2127
2128 See also : "balance", "server"
2129
2130
Willy Tarreau0ba27502007-12-24 16:55:16 +01002131http-check disable-on-404
2132 Enable a maintenance mode upon HTTP/404 response to health-checks
2133 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002134 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002135 Arguments : none
2136
2137 When this option is set, a server which returns an HTTP code 404 will be
2138 excluded from further load-balancing, but will still receive persistent
2139 connections. This provides a very convenient method for Web administrators
2140 to perform a graceful shutdown of their servers. It is also important to note
2141 that a server which is detected as failed while it was in this mode will not
2142 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2143 will immediately be reinserted into the farm. The status on the stats page
2144 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002145 option only works in conjunction with the "httpchk" option. If this option
2146 is used with "http-check expect", then it has precedence over it so that 404
2147 responses will still be considered as soft-stop.
2148
2149 See also : "option httpchk", "http-check expect"
2150
2151
2152http-check expect [!] <match> <pattern>
2153 Make HTTP health checks consider reponse contents or specific status codes
2154 May be used in sections : defaults | frontend | listen | backend
2155 no | no | yes | yes
2156 Arguments :
2157 <match> is a keyword indicating how to look for a specific pattern in the
2158 response. The keyword may be one of "status", "rstatus",
2159 "string", or "rstring". The keyword may be preceeded by an
2160 exclamation mark ("!") to negate the match. Spaces are allowed
2161 between the exclamation mark and the keyword. See below for more
2162 details on the supported keywords.
2163
2164 <pattern> is the pattern to look for. It may be a string or a regular
2165 expression. If the pattern contains spaces, they must be escaped
2166 with the usual backslash ('\').
2167
2168 By default, "option httpchk" considers that response statuses 2xx and 3xx
2169 are valid, and that others are invalid. When "http-check expect" is used,
2170 it defines what is considered valid or invalid. Only one "http-check"
2171 statement is supported in a backend. If a server fails to respond or times
2172 out, the check obviously fails. The available matches are :
2173
2174 status <string> : test the exact string match for the HTTP status code.
2175 A health check respose will be considered valid if the
2176 response's status code is exactly this string. If the
2177 "status" keyword is prefixed with "!", then the response
2178 will be considered invalid if the status code matches.
2179
2180 rstatus <regex> : test a regular expression for the HTTP status code.
2181 A health check respose will be considered valid if the
2182 response's status code matches the expression. If the
2183 "rstatus" keyword is prefixed with "!", then the response
2184 will be considered invalid if the status code matches.
2185 This is mostly used to check for multiple codes.
2186
2187 string <string> : test the exact string match in the HTTP response body.
2188 A health check respose will be considered valid if the
2189 response's body contains this exact string. If the
2190 "string" keyword is prefixed with "!", then the response
2191 will be considered invalid if the body contains this
2192 string. This can be used to look for a mandatory word at
2193 the end of a dynamic page, or to detect a failure when a
2194 specific error appears on the check page (eg: a stack
2195 trace).
2196
2197 rstring <regex> : test a regular expression on the HTTP response body.
2198 A health check respose will be considered valid if the
2199 response's body matches this expression. If the "rstring"
2200 keyword is prefixed with "!", then the response will be
2201 considered invalid if the body matches the expression.
2202 This can be used to look for a mandatory word at the end
2203 of a dynamic page, or to detect a failure when a specific
2204 error appears on the check page (eg: a stack trace).
2205
2206 It is important to note that the responses will be limited to a certain size
2207 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2208 Thus, too large responses may not contain the mandatory pattern when using
2209 "string" or "rstring". If a large response is absolutely required, it is
2210 possible to change the default max size by setting the global variable.
2211 However, it is worth keeping in mind that parsing very large responses can
2212 waste some CPU cycles, especially when regular expressions are used, and that
2213 it is always better to focus the checks on smaller resources.
2214
2215 Last, if "http-check expect" is combined with "http-check disable-on-404",
2216 then this last one has precedence when the server responds with 404.
2217
2218 Examples :
2219 # only accept status 200 as valid
2220 http-request expect status 200
2221
2222 # consider SQL errors as errors
2223 http-request expect ! string SQL\ Error
2224
2225 # consider status 5xx only as errors
2226 http-request expect ! rstatus ^5
2227
2228 # check that we have a correct hexadecimal tag before /html
2229 http-request expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002230
Willy Tarreaubd741542010-03-16 18:46:54 +01002231 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002232
2233
Willy Tarreauef781042010-01-27 11:53:01 +01002234http-check send-state
2235 Enable emission of a state header with HTTP health checks
2236 May be used in sections : defaults | frontend | listen | backend
2237 yes | no | yes | yes
2238 Arguments : none
2239
2240 When this option is set, haproxy will systematically send a special header
2241 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2242 how they are seen by haproxy. This can be used for instance when a server is
2243 manipulated without access to haproxy and the operator needs to know whether
2244 haproxy still sees it up or not, or if the server is the last one in a farm.
2245
2246 The header is composed of fields delimited by semi-colons, the first of which
2247 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2248 checks on the total number before transition, just as appears in the stats
2249 interface. Next headers are in the form "<variable>=<value>", indicating in
2250 no specific order some values available in the stats interface :
2251 - a variable "name", containing the name of the backend followed by a slash
2252 ("/") then the name of the server. This can be used when a server is
2253 checked in multiple backends.
2254
2255 - a variable "node" containing the name of the haproxy node, as set in the
2256 global "node" variable, otherwise the system's hostname if unspecified.
2257
2258 - a variable "weight" indicating the weight of the server, a slash ("/")
2259 and the total weight of the farm (just counting usable servers). This
2260 helps to know if other servers are available to handle the load when this
2261 one fails.
2262
2263 - a variable "scur" indicating the current number of concurrent connections
2264 on the server, followed by a slash ("/") then the total number of
2265 connections on all servers of the same backend.
2266
2267 - a variable "qcur" indicating the current number of requests in the
2268 server's queue.
2269
2270 Example of a header received by the application server :
2271 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2272 scur=13/22; qcur=0
2273
2274 See also : "option httpchk", "http-check disable-on-404"
2275
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002276http-request { allow | deny | auth [realm <realm>] }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002277 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002278 Access control for Layer 7 requests
2279
2280 May be used in sections: defaults | frontend | listen | backend
2281 no | yes | yes | yes
2282
2283 These set of options allow to fine control access to a
2284 frontend/listen/backend. Each option may be followed by if/unless and acl.
2285 First option with matched condition (or option without condition) is final.
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002286 For "deny" a 403 error will be returned, for "allow" normal processing is
2287 performed, for "auth" a 401/407 error code is returned so the client
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002288 should be asked to enter a username and password.
2289
2290 There is no fixed limit to the number of http-request statements per
2291 instance.
2292
2293 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01002294 acl nagios src 192.168.129.3
2295 acl local_net src 192.168.0.0/16
2296 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002297
Cyril Bonté78caf842010-03-10 22:41:43 +01002298 http-request allow if nagios
2299 http-request allow if local_net auth_ok
2300 http-request auth realm Gimme if local_net auth_ok
2301 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002302
Cyril Bonté78caf842010-03-10 22:41:43 +01002303 Example:
2304 acl auth_ok http_auth_group(L1) G1
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002305
Cyril Bonté78caf842010-03-10 22:41:43 +01002306 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002307
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02002308 See also : "stats http-request", section 3.4 about userlists and section 7
2309 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002310
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002311id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002312 Set a persistent ID to a proxy.
2313 May be used in sections : defaults | frontend | listen | backend
2314 no | yes | yes | yes
2315 Arguments : none
2316
2317 Set a persistent ID for the proxy. This ID must be unique and positive.
2318 An unused ID will automatically be assigned if unset. The first assigned
2319 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002320
2321
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002322ignore-persist { if | unless } <condition>
2323 Declare a condition to ignore persistence
2324 May be used in sections: defaults | frontend | listen | backend
2325 no | yes | yes | yes
2326
2327 By default, when cookie persistence is enabled, every requests containing
2328 the cookie are unconditionally persistent (assuming the target server is up
2329 and running).
2330
2331 The "ignore-persist" statement allows one to declare various ACL-based
2332 conditions which, when met, will cause a request to ignore persistence.
2333 This is sometimes useful to load balance requests for static files, which
2334 oftenly don't require persistence. This can also be used to fully disable
2335 persistence for a specific User-Agent (for example, some web crawler bots).
2336
2337 Combined with "appsession", it can also help reduce HAProxy memory usage, as
2338 the appsession table won't grow if persistence is ignored.
2339
2340 The persistence is ignored when an "if" condition is met, or unless an
2341 "unless" condition is met.
2342
2343 See also : "force-persist", "cookie", and section 7 about ACL usage.
2344
2345
Willy Tarreau2769aa02007-12-27 18:26:09 +01002346log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002347log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01002348 Enable per-instance logging of events and traffic.
2349 May be used in sections : defaults | frontend | listen | backend
2350 yes | yes | yes | yes
2351 Arguments :
2352 global should be used when the instance's logging parameters are the
2353 same as the global ones. This is the most common usage. "global"
2354 replaces <address>, <facility> and <level> with those of the log
2355 entries found in the "global" section. Only one "log global"
2356 statement may be used per instance, and this form takes no other
2357 parameter.
2358
2359 <address> indicates where to send the logs. It takes the same format as
2360 for the "global" section's logs, and can be one of :
2361
2362 - An IPv4 address optionally followed by a colon (':') and a UDP
2363 port. If no port is specified, 514 is used by default (the
2364 standard syslog port).
2365
2366 - A filesystem path to a UNIX domain socket, keeping in mind
2367 considerations for chroot (be sure the path is accessible
2368 inside the chroot) and uid/gid (be sure the path is
2369 appropriately writeable).
2370
2371 <facility> must be one of the 24 standard syslog facilities :
2372
2373 kern user mail daemon auth syslog lpr news
2374 uucp cron auth2 ftp ntp audit alert cron2
2375 local0 local1 local2 local3 local4 local5 local6 local7
2376
2377 <level> is optional and can be specified to filter outgoing messages. By
2378 default, all messages are sent. If a level is specified, only
2379 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002380 will be sent. An optional minimum level can be specified. If it
2381 is set, logs emitted with a more severe level than this one will
2382 be capped to this level. This is used to avoid sending "emerg"
2383 messages on all terminals on some default syslog configurations.
2384 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002385
2386 emerg alert crit err warning notice info debug
2387
2388 Note that up to two "log" entries may be specified per instance. However, if
2389 "log global" is used and if the "global" section already contains 2 log
2390 entries, then additional log entries will be ignored.
2391
2392 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002393 what to log from a connection, and that in case of content switching, the log
2394 entries from the backend will be ignored. Connections are logged at level
2395 "info".
2396
2397 However, backend log declaration define how and where servers status changes
2398 will be logged. Level "notice" will be used to indicate a server going up,
2399 "warning" will be used for termination signals and definitive service
2400 termination, and "alert" will be used for when a server goes down.
2401
2402 Note : According to RFC3164, messages are truncated to 1024 bytes before
2403 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002404
2405 Example :
2406 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002407 log 127.0.0.1:514 local0 notice # only send important events
2408 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002409
2410
2411maxconn <conns>
2412 Fix the maximum number of concurrent connections on a frontend
2413 May be used in sections : defaults | frontend | listen | backend
2414 yes | yes | yes | no
2415 Arguments :
2416 <conns> is the maximum number of concurrent connections the frontend will
2417 accept to serve. Excess connections will be queued by the system
2418 in the socket's listen queue and will be served once a connection
2419 closes.
2420
2421 If the system supports it, it can be useful on big sites to raise this limit
2422 very high so that haproxy manages connection queues, instead of leaving the
2423 clients with unanswered connection attempts. This value should not exceed the
2424 global maxconn. Also, keep in mind that a connection contains two buffers
2425 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2426 consumed per established connection. That means that a medium system equipped
2427 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2428 properly tuned.
2429
2430 Also, when <conns> is set to large values, it is possible that the servers
2431 are not sized to accept such loads, and for this reason it is generally wise
2432 to assign them some reasonable connection limits.
2433
2434 See also : "server", global section's "maxconn", "fullconn"
2435
2436
2437mode { tcp|http|health }
2438 Set the running mode or protocol of the instance
2439 May be used in sections : defaults | frontend | listen | backend
2440 yes | yes | yes | yes
2441 Arguments :
2442 tcp The instance will work in pure TCP mode. A full-duplex connection
2443 will be established between clients and servers, and no layer 7
2444 examination will be performed. This is the default mode. It
2445 should be used for SSL, SSH, SMTP, ...
2446
2447 http The instance will work in HTTP mode. The client request will be
2448 analyzed in depth before connecting to any server. Any request
2449 which is not RFC-compliant will be rejected. Layer 7 filtering,
2450 processing and switching will be possible. This is the mode which
2451 brings HAProxy most of its value.
2452
2453 health The instance will work in "health" mode. It will just reply "OK"
2454 to incoming connections and close the connection. Nothing will be
2455 logged. This mode is used to reply to external components health
2456 checks. This mode is deprecated and should not be used anymore as
2457 it is possible to do the same and even better by combining TCP or
2458 HTTP modes with the "monitor" keyword.
2459
2460 When doing content switching, it is mandatory that the frontend and the
2461 backend are in the same mode (generally HTTP), otherwise the configuration
2462 will be refused.
2463
2464 Example :
2465 defaults http_instances
2466 mode http
2467
2468 See also : "monitor", "monitor-net"
2469
Willy Tarreau0ba27502007-12-24 16:55:16 +01002470
Cyril Bontéf0c60612010-02-06 14:44:47 +01002471monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002472 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002473 May be used in sections : defaults | frontend | listen | backend
2474 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002475 Arguments :
2476 if <cond> the monitor request will fail if the condition is satisfied,
2477 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002478 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002479 are met, for instance a low number of servers both in a
2480 backend and its backup.
2481
2482 unless <cond> the monitor request will succeed only if the condition is
2483 satisfied, and will fail otherwise. Such a condition may be
2484 based on a test on the presence of a minimum number of active
2485 servers in a list of backends.
2486
2487 This statement adds a condition which can force the response to a monitor
2488 request to report a failure. By default, when an external component queries
2489 the URI dedicated to monitoring, a 200 response is returned. When one of the
2490 conditions above is met, haproxy will return 503 instead of 200. This is
2491 very useful to report a site failure to an external component which may base
2492 routing advertisements between multiple sites on the availability reported by
2493 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002494 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002495
2496 Example:
2497 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002498 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002499 acl site_dead nbsrv(dynamic) lt 2
2500 acl site_dead nbsrv(static) lt 2
2501 monitor-uri /site_alive
2502 monitor fail if site_dead
2503
Willy Tarreau2769aa02007-12-27 18:26:09 +01002504 See also : "monitor-net", "monitor-uri"
2505
2506
2507monitor-net <source>
2508 Declare a source network which is limited to monitor requests
2509 May be used in sections : defaults | frontend | listen | backend
2510 yes | yes | yes | no
2511 Arguments :
2512 <source> is the source IPv4 address or network which will only be able to
2513 get monitor responses to any request. It can be either an IPv4
2514 address, a host name, or an address followed by a slash ('/')
2515 followed by a mask.
2516
2517 In TCP mode, any connection coming from a source matching <source> will cause
2518 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002519 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002520 forwarding the connection to a remote server.
2521
2522 In HTTP mode, a connection coming from a source matching <source> will be
2523 accepted, the following response will be sent without waiting for a request,
2524 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2525 enough for any front-end HTTP probe to detect that the service is UP and
2526 running without forwarding the request to a backend server.
2527
2528 Monitor requests are processed very early. It is not possible to block nor
2529 divert them using ACLs. They cannot be logged either, and it is the intended
2530 purpose. They are only used to report HAProxy's health to an upper component,
2531 nothing more. Right now, it is not possible to set failure conditions on
2532 requests caught by "monitor-net".
2533
Willy Tarreau95cd2832010-03-04 23:36:33 +01002534 Last, please note that only one "monitor-net" statement can be specified in
2535 a frontend. If more than one is found, only the last one will be considered.
2536
Willy Tarreau2769aa02007-12-27 18:26:09 +01002537 Example :
2538 # addresses .252 and .253 are just probing us.
2539 frontend www
2540 monitor-net 192.168.0.252/31
2541
2542 See also : "monitor fail", "monitor-uri"
2543
2544
2545monitor-uri <uri>
2546 Intercept a URI used by external components' monitor requests
2547 May be used in sections : defaults | frontend | listen | backend
2548 yes | yes | yes | no
2549 Arguments :
2550 <uri> is the exact URI which we want to intercept to return HAProxy's
2551 health status instead of forwarding the request.
2552
2553 When an HTTP request referencing <uri> will be received on a frontend,
2554 HAProxy will not forward it nor log it, but instead will return either
2555 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2556 conditions defined with "monitor fail". This is normally enough for any
2557 front-end HTTP probe to detect that the service is UP and running without
2558 forwarding the request to a backend server. Note that the HTTP method, the
2559 version and all headers are ignored, but the request must at least be valid
2560 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2561
2562 Monitor requests are processed very early. It is not possible to block nor
2563 divert them using ACLs. They cannot be logged either, and it is the intended
2564 purpose. They are only used to report HAProxy's health to an upper component,
2565 nothing more. However, it is possible to add any number of conditions using
2566 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2567 can be imagined (most often the number of available servers in a backend).
2568
2569 Example :
2570 # Use /haproxy_test to report haproxy's status
2571 frontend www
2572 mode http
2573 monitor-uri /haproxy_test
2574
2575 See also : "monitor fail", "monitor-net"
2576
Willy Tarreau0ba27502007-12-24 16:55:16 +01002577
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002578option abortonclose
2579no option abortonclose
2580 Enable or disable early dropping of aborted requests pending in queues.
2581 May be used in sections : defaults | frontend | listen | backend
2582 yes | no | yes | yes
2583 Arguments : none
2584
2585 In presence of very high loads, the servers will take some time to respond.
2586 The per-instance connection queue will inflate, and the response time will
2587 increase respective to the size of the queue times the average per-session
2588 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002589 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002590 the queue, and slowing down other users, and the servers as well, because the
2591 request will eventually be served, then aborted at the first error
2592 encountered while delivering the response.
2593
2594 As there is no way to distinguish between a full STOP and a simple output
2595 close on the client side, HTTP agents should be conservative and consider
2596 that the client might only have closed its output channel while waiting for
2597 the response. However, this introduces risks of congestion when lots of users
2598 do the same, and is completely useless nowadays because probably no client at
2599 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002600 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002601 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002602 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002603 of being the single component to break rare but valid traffic is extremely
2604 low, which adds to the temptation to be able to abort a session early while
2605 still not served and not pollute the servers.
2606
2607 In HAProxy, the user can choose the desired behaviour using the option
2608 "abortonclose". By default (without the option) the behaviour is HTTP
2609 compliant and aborted requests will be served. But when the option is
2610 specified, a session with an incoming channel closed will be aborted while
2611 it is still possible, either pending in the queue for a connection slot, or
2612 during the connection establishment if the server has not yet acknowledged
2613 the connection request. This considerably reduces the queue size and the load
2614 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002615 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002616
2617 If this option has been enabled in a "defaults" section, it can be disabled
2618 in a specific instance by prepending the "no" keyword before it.
2619
2620 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2621
2622
Willy Tarreau4076a152009-04-02 15:18:36 +02002623option accept-invalid-http-request
2624no option accept-invalid-http-request
2625 Enable or disable relaxing of HTTP request parsing
2626 May be used in sections : defaults | frontend | listen | backend
2627 yes | yes | yes | no
2628 Arguments : none
2629
2630 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2631 means that invalid characters in header names are not permitted and cause an
2632 error to be returned to the client. This is the desired behaviour as such
2633 forbidden characters are essentially used to build attacks exploiting server
2634 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2635 server will emit invalid header names for whatever reason (configuration,
2636 implementation) and the issue will not be immediately fixed. In such a case,
2637 it is possible to relax HAProxy's header name parser to accept any character
2638 even if that does not make sense, by specifying this option.
2639
2640 This option should never be enabled by default as it hides application bugs
2641 and open security breaches. It should only be deployed after a problem has
2642 been confirmed.
2643
2644 When this option is enabled, erroneous header names will still be accepted in
2645 requests, but the complete request will be captured in order to permit later
2646 analysis using the "show errors" request on the UNIX stats socket. Doing this
2647 also helps confirming that the issue has been solved.
2648
2649 If this option has been enabled in a "defaults" section, it can be disabled
2650 in a specific instance by prepending the "no" keyword before it.
2651
2652 See also : "option accept-invalid-http-response" and "show errors" on the
2653 stats socket.
2654
2655
2656option accept-invalid-http-response
2657no option accept-invalid-http-response
2658 Enable or disable relaxing of HTTP response parsing
2659 May be used in sections : defaults | frontend | listen | backend
2660 yes | no | yes | yes
2661 Arguments : none
2662
2663 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2664 means that invalid characters in header names are not permitted and cause an
2665 error to be returned to the client. This is the desired behaviour as such
2666 forbidden characters are essentially used to build attacks exploiting server
2667 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2668 server will emit invalid header names for whatever reason (configuration,
2669 implementation) and the issue will not be immediately fixed. In such a case,
2670 it is possible to relax HAProxy's header name parser to accept any character
2671 even if that does not make sense, by specifying this option.
2672
2673 This option should never be enabled by default as it hides application bugs
2674 and open security breaches. It should only be deployed after a problem has
2675 been confirmed.
2676
2677 When this option is enabled, erroneous header names will still be accepted in
2678 responses, but the complete response will be captured in order to permit
2679 later analysis using the "show errors" request on the UNIX stats socket.
2680 Doing this also helps confirming that the issue has been solved.
2681
2682 If this option has been enabled in a "defaults" section, it can be disabled
2683 in a specific instance by prepending the "no" keyword before it.
2684
2685 See also : "option accept-invalid-http-request" and "show errors" on the
2686 stats socket.
2687
2688
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002689option allbackups
2690no option allbackups
2691 Use either all backup servers at a time or only the first one
2692 May be used in sections : defaults | frontend | listen | backend
2693 yes | no | yes | yes
2694 Arguments : none
2695
2696 By default, the first operational backup server gets all traffic when normal
2697 servers are all down. Sometimes, it may be preferred to use multiple backups
2698 at once, because one will not be enough. When "option allbackups" is enabled,
2699 the load balancing will be performed among all backup servers when all normal
2700 ones are unavailable. The same load balancing algorithm will be used and the
2701 servers' weights will be respected. Thus, there will not be any priority
2702 order between the backup servers anymore.
2703
2704 This option is mostly used with static server farms dedicated to return a
2705 "sorry" page when an application is completely offline.
2706
2707 If this option has been enabled in a "defaults" section, it can be disabled
2708 in a specific instance by prepending the "no" keyword before it.
2709
2710
2711option checkcache
2712no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002713 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002714 May be used in sections : defaults | frontend | listen | backend
2715 yes | no | yes | yes
2716 Arguments : none
2717
2718 Some high-level frameworks set application cookies everywhere and do not
2719 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002720 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002721 high risk of session crossing or stealing between users traversing the same
2722 caches. In some situations, it is better to block the response than to let
2723 some sensible session information go in the wild.
2724
2725 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002726 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002727 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002728 response to check if there's a risk of caching a cookie on a client-side
2729 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002730 to the client are :
2731 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002732 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002733 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002734 - all those that come from a POST request, provided that the server has not
2735 set a 'Cache-Control: public' header ;
2736 - those with a 'Pragma: no-cache' header
2737 - those with a 'Cache-control: private' header
2738 - those with a 'Cache-control: no-store' header
2739 - those with a 'Cache-control: max-age=0' header
2740 - those with a 'Cache-control: s-maxage=0' header
2741 - those with a 'Cache-control: no-cache' header
2742 - those with a 'Cache-control: no-cache="set-cookie"' header
2743 - those with a 'Cache-control: no-cache="set-cookie,' header
2744 (allowing other fields after set-cookie)
2745
2746 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002747 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002748 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002749 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002750 that admins are informed that there's something to be fixed.
2751
2752 Due to the high impact on the application, the application should be tested
2753 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002754 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002755 production, as it will report potentially dangerous application behaviours.
2756
2757 If this option has been enabled in a "defaults" section, it can be disabled
2758 in a specific instance by prepending the "no" keyword before it.
2759
2760
2761option clitcpka
2762no option clitcpka
2763 Enable or disable the sending of TCP keepalive packets on the client side
2764 May be used in sections : defaults | frontend | listen | backend
2765 yes | yes | yes | no
2766 Arguments : none
2767
2768 When there is a firewall or any session-aware component between a client and
2769 a server, and when the protocol involves very long sessions with long idle
2770 periods (eg: remote desktops), there is a risk that one of the intermediate
2771 components decides to expire a session which has remained idle for too long.
2772
2773 Enabling socket-level TCP keep-alives makes the system regularly send packets
2774 to the other end of the connection, leaving it active. The delay between
2775 keep-alive probes is controlled by the system only and depends both on the
2776 operating system and its tuning parameters.
2777
2778 It is important to understand that keep-alive packets are neither emitted nor
2779 received at the application level. It is only the network stacks which sees
2780 them. For this reason, even if one side of the proxy already uses keep-alives
2781 to maintain its connection alive, those keep-alive packets will not be
2782 forwarded to the other side of the proxy.
2783
2784 Please note that this has nothing to do with HTTP keep-alive.
2785
2786 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2787 client side of a connection, which should help when session expirations are
2788 noticed between HAProxy and a client.
2789
2790 If this option has been enabled in a "defaults" section, it can be disabled
2791 in a specific instance by prepending the "no" keyword before it.
2792
2793 See also : "option srvtcpka", "option tcpka"
2794
2795
Willy Tarreau0ba27502007-12-24 16:55:16 +01002796option contstats
2797 Enable continuous traffic statistics updates
2798 May be used in sections : defaults | frontend | listen | backend
2799 yes | yes | yes | no
2800 Arguments : none
2801
2802 By default, counters used for statistics calculation are incremented
2803 only when a session finishes. It works quite well when serving small
2804 objects, but with big ones (for example large images or archives) or
2805 with A/V streaming, a graph generated from haproxy counters looks like
2806 a hedgehog. With this option enabled counters get incremented continuously,
2807 during a whole session. Recounting touches a hotpath directly so
2808 it is not enabled by default, as it has small performance impact (~0.5%).
2809
2810
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002811option dontlog-normal
2812no option dontlog-normal
2813 Enable or disable logging of normal, successful connections
2814 May be used in sections : defaults | frontend | listen | backend
2815 yes | yes | yes | no
2816 Arguments : none
2817
2818 There are large sites dealing with several thousand connections per second
2819 and for which logging is a major pain. Some of them are even forced to turn
2820 logs off and cannot debug production issues. Setting this option ensures that
2821 normal connections, those which experience no error, no timeout, no retry nor
2822 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2823 mode, the response status code is checked and return codes 5xx will still be
2824 logged.
2825
2826 It is strongly discouraged to use this option as most of the time, the key to
2827 complex issues is in the normal logs which will not be logged here. If you
2828 need to separate logs, see the "log-separate-errors" option instead.
2829
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002830 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002831 logging.
2832
2833
Willy Tarreau